Add an explicit package.json.files allowlist #9

@jabelic

Goal

  • Make npm publish contents explicit by adding files to every repo-managed package.json that is currently missing it.
  • Prevent accidental publish of unwanted files, including unintended source maps.

Background

  • The org-wide packaging policy now requires package.json.files on every repo-managed manifest.
  • npm publish uses files as an allowlist, so relying only on ignore rules is too easy to get wrong.

Scope

  • Add files to the missing repo-managed manifests listed below.
  • Keep each files array minimal and aligned with the actual runtime or distribution surface.
  • Exclude .map files unless this repo intentionally ships source maps and documents why.
  • Update release or verification steps only as much as needed to validate the packed contents.

Out of Scope

  • Broader release automation changes unrelated to files.
  • API or package contract redesign.

Publish Surface

  • Touched repo-managed manifests:
    • package.json
  • Required files changes:
    • Add explicit allowlists for the manifests above.
    • Keep root, workspace, and app manifests explicit even when they are private.
  • Verification plan for packed contents:
    • Run npm pack --dry-run or the package manager equivalent for the affected package(s).
    • Confirm that accidental .map or source-only files are not included.

Acceptance Criteria

  • Every repo-managed package.json listed above defines files.
  • The resulting files entries are minimal and do not include accidental .map files by default.
  • Packed contents were checked for the affected package(s), or the existing release verification was updated to cover this.
  • The change fits in one small, reviewable PR.

PR Plan

  • Expected GitHub Pull Request count: 1
  • Keep the change focused on package.json, any minimal verification updates, and related docs/tests only.

Proposed Plan

  1. Inspect the current manifest and release surface.
  2. Add files to the missing repo-managed manifests.
  3. Verify the packed contents and trim anything unnecessary before opening the PR.

Notes

  • This issue is part of the org-wide package.json.files rollout.
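
One way to automate the verification plan above, as an added example that is not part of the original issue or this repository's code: it audits the parsed output of `npm pack --dry-run --json` against the acceptance criteria. The function name `auditPack`, the rule names, the `SOURCE_ONLY` patterns and the sample inputs are assumptions made for illustration.

```javascript
// Added example: audit a package.json and its `npm pack --dry-run --json` report.
// npm packs these root files regardless of `files`, so they are not findings.
const ALWAYS_PACKED = /^(package\.json|readme(\.[^./]+)?|licen[cs]e(\.[^./]+)?)$/i;

// Assumption: what counts as "source-only" is repo-specific; adjust these patterns.
const SOURCE_ONLY = [/^src\//, /^tests?\//, /\.test\.[cm]?[jt]s$/, /(?<!\.d)\.ts$/, /^tsconfig.*\.json$/];

// manifest: parsed package.json. packReport: parsed JSON array from
// `npm pack --dry-run --json`, where each entry has files: [{ path, ... }].
function auditPack(manifest, packReport, { allowSourceMaps = false } = {}) {
  const findings = [];
  if (!Array.isArray(manifest.files)) {
    findings.push({ rule: 'files-missing', detail: 'package.json has no "files" array' });
  } else if (manifest.files.some((e) => ['*', '**', '.', './'].includes(e))) {
    // Assumption: a catch-all entry is treated as violating "keep files minimal".
    findings.push({ rule: 'files-too-broad', detail: 'catch-all entry defeats the allowlist' });
  }
  for (const pkg of packReport) {
    for (const { path } of pkg.files) {
      if (ALWAYS_PACKED.test(path)) continue;
      if (!allowSourceMaps && path.endsWith('.map')) {
        findings.push({ rule: 'source-map', detail: path });
      } else if (SOURCE_ONLY.some((re) => re.test(path))) {
        findings.push({ rule: 'source-only', detail: path });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real package).
const sampleManifest = { name: 'example-pkg', version: '1.0.0', files: ['dist'] };
const sampleReport = [{ name: 'example-pkg', files: [
  { path: 'package.json' }, { path: 'README.md' }, { path: 'dist/index.js' },
  { path: 'dist/index.d.ts' }, { path: 'dist/index.js.map' },
] }];
console.log(auditPack(sampleManifest, sampleReport));
```

Listing `dist` in `files` pulls in everything under it, so a build that emits `.map` files still ships them; the audit catches that case even though the manifest itself looks compliant.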
