
chore: implement OWASP recommendation for package #163

Merged

Conversation

KeesCBakker
Collaborator

Last week I had a security incident in which I uploaded something to NPM that should not have been uploaded. Because we had both a .gitignore AND an .npmignore file, the .gitignore was actually ignored. When reviewing the OWASP guidelines, I saw the recommendation that it is better to work with an explicit whitelist, instead of a blacklist (https://cheatsheetseries.owasp.org/cheatsheets/NPM_Security_Cheat_Sheet.html#1-avoid-publishing-secrets-to-the-npm-registry).

I've removed the .npmignore and added the files to the files property of the package.json. This prevents us from leaking information accidentally.

@KeesCBakker
Collaborator Author

Another good practice to adopt is making use of the files property in package.json, which works as a whitelist and specifies the array of files to be included in the package that is to be created and installed (while the ignore file functions as a blacklist). The files property and an ignore file can both be used together to determine which files should explicitly be included, as well as excluded, from the package. When using both, the files property in package.json takes precedence over the ignore file.

@KeesCBakker
Collaborator Author

So this fixes #159 in a better way.

@KeesCBakker
Collaborator Author

KeesCBakker commented Aug 11, 2023

Tree is now:

kz@LP545:/mnt/c/projects/hubot-grafana$ tar tf hubot-grafana-4.1.1.tgz | tree --fromfile .
.
└── package
    ├── CONTRIBUTING.md
    ├── LICENSE
    ├── README.md
    ├── index.js
    ├── package.json
    └── src
        └── grafana.js

2 directories, 6 files
kz@LP545:/mnt/c/projects/hubot-grafana$ 

@KeesCBakker
Collaborator Author

@stephenyeargin, how does this work? I just merge it and you take care of the version number?

@stephenyeargin
Owner

Yep. I have on my TODO list to automate releases with GitHub Actions. Currently it uses a package called release-it which handles semantic versioning, sending it to NPM and creating the changelog.

@KeesCBakker
Collaborator Author

Ah cool, maybe we can use the same thing Joey uses here: hubot-friends/hubot-slack#21 (comment)

@KeesCBakker KeesCBakker merged commit 774a08f into stephenyeargin:main Aug 11, 2023
@KeesCBakker KeesCBakker deleted the owasp-recommendation-for-files branch August 11, 2023 17:38