chore: implement OWASP recommendation for package #163
Last week I had a security incident in which I uploaded something to NPM that should not have been uploaded. Because we had both a .gitignore AND an .npmignore file, the .gitignore was actually ignored. When reviewing the OWASP guidelines, I saw the recommendation that it is better to work with an explicit whitelist, instead of a blacklist (https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#1-avoid-publishing-secrets-to-the-npm-registry).
I've removed the .npmignore and added the files to the `files` property of the package.json. This prevents us from leaking information accidentally.