Without a files allowlist or .npmignore, npm publish ships everything in the package directory that .gitignore does not exclude: test fixtures, CI configs, editor settings, source TypeScript, internal tooling, and potentially .env.example files go to every consumer who installs the package. ISO 25010 confidentiality is directly impacted: internal implementation details that were never meant to be public are now permanently embedded in a versioned npm release. SLSA provenance attests how the tarball was built, not whether its contents were intended, so files published by accident are attested alongside the build output rather than caught. Bloated packages also slow installs for every downstream user.
High because the absence of a `files` allowlist exposes internal source code, test fixtures, and configuration files to all npm consumers permanently: a published tarball cannot be edited in place, npm restricts unpublish after 72 hours, and registry mirrors and install caches keep copies regardless.
Add a files allowlist to package.json restricting publication to only built output and essential metadata.
{
  "files": [
    "dist",
    "README.md",
    "LICENSE"
  ]
}
Verify what gets published before releasing: npm pack --dry-run prints every file that would go into the tarball. Anything outside dist/, package.json, README.md, and LICENSE should raise a question. The files allowlist is safer than .npmignore: new directories are excluded by default rather than accidentally included.
ID: sdk-package-quality.package-config.files-field
Severity: high
What to look for: Enumerate all files that would be published by npm pack --dry-run. For each, classify whether it should be included (dist, type declarations) or excluded (tests, fixtures, source). Check package.json for the files array, which controls what gets included when the package is published to npm. Without it, everything not excluded by .npmignore (or by .gitignore, when no .npmignore exists) gets published, including test files, source code, config files, and internal documentation that consumers don't need. Look for:
- files array in package.json
- .npmignore file with appropriate exclusions
- files array actually covers the build output (dist/, lib/, etc.)
- README.md and LICENSE are included (npm always includes them, along with package.json, regardless of the files field)
Pass criteria: The files field is present in package.json and restricts published contents to build output, type declarations, and essential metadata, OR a well-configured .npmignore excludes source code, tests, and development files. The files allowlist is the preferred form; if it is used, it must contain at least one entry covering the build output so that the package still ships something runnable while test fixtures and source files stay out. Report: "X files in package, Y explicitly included via files field."
Fail criteria: No files field and no .npmignore. The entire repo (minus .gitignore patterns) will be published, including test files, CI config, editor config, and source code.
Skip (N/A) when: Python package (sdist contents come from MANIFEST.in and the build backend's package configuration, e.g. [tool.setuptools.packages.find] in pyproject.toml), Rust crate (uses Cargo.toml include/exclude), Go module (no publish artifact; the module source is the distribution). For these ecosystems, check the equivalent mechanism.
Cross-reference: The minimal-deps check verifies that published dependencies are also minimal.
Detail on fail: "No files field in package.json and no .npmignore. Running 'npm pack --dry-run' would include src/, tests/, .github/, tsconfig.json, and other development files. This bloats install size and exposes internal code."
Remediation: The files field is an allowlist — only listed paths get published. This is safer than .npmignore (a denylist) because new files are excluded by default.
// package.json:
{
  "files": [
    "dist",
    "README.md",
    "LICENSE"
  ]
}
Verify what gets published before releasing: npm pack --dry-run shows exactly which files would be included. Aim for the smallest publish footprint that still lets the package run: the build output, type declarations, and the metadata npm includes anyway.