Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[8.0.0] published npm package contains unused files (tests; repo config)

See original GitHub issue

Node Version: node v14.16.1 (npm v6.14.12)
Platform: Fedora 33
Compiler: Irrelevant
Module: Irrelevant

Published npm package contains repo configuration/scripts, “test” folder, etc. May want to use the “files” field in package.json and specify only the actually used files/folders.

$ tree node_modules/node-gyp/ -a
node_modules/node-gyp/
├── addon.gypi
├── bin
│   └── node-gyp.js
├── CHANGELOG.md
├── CONTRIBUTING.md
├── .github
│   ├── ISSUE_TEMPLATE.md
│   ├── PULL_REQUEST_TEMPLATE.md
│   └── workflows
│       └── tests.yml
├── gyp
│   ├── AUTHORS
│   ├── CHANGELOG.md
│   ├── CODE_OF_CONDUCT.md
│   ├── CONTRIBUTING.md
│   ├── data
│   │   └── win
│   │       └── large-pdb-shim.cc
│   ├── .flake8
│   ├── .github
│   │   └── workflows
│   │       ├── node-gyp.yml
│   │       ├── nodejs-windows.yml
│   │       ├── Python_tests.yml
│   │       └── release-please.yml
│   ├── gyp
│   ├── gyp.bat
│   ├── gyp_main.py
│   ├── LICENSE
│   ├── pylib
│   │   └── gyp
│   │       ├── common.py
│   │       ├── common_test.py
│   │       ├── easy_xml.py
│   │       ├── easy_xml_test.py
│   │       ├── flock_tool.py
│   │       ├── generator
│   │       │   ├── analyzer.py
│   │       │   ├── android.py
│   │       │   ├── cmake.py
│   │       │   ├── compile_commands_json.py
│   │       │   ├── dump_dependency_json.py
│   │       │   ├── eclipse.py
│   │       │   ├── gypd.py
│   │       │   ├── gypsh.py
│   │       │   ├── __init__.py
│   │       │   ├── make.py
│   │       │   ├── msvs.py
│   │       │   ├── msvs_test.py
│   │       │   ├── ninja.py
│   │       │   ├── ninja_test.py
│   │       │   ├── xcode.py
│   │       │   └── xcode_test.py
│   │       ├── __init__.py
│   │       ├── input.py
│   │       ├── input_test.py
│   │       ├── mac_tool.py
│   │       ├── msvs_emulation.py
│   │       ├── MSVSNew.py
│   │       ├── MSVSProject.py
│   │       ├── MSVSSettings.py
│   │       ├── MSVSSettings_test.py
│   │       ├── MSVSToolFile.py
│   │       ├── MSVSUserFile.py
│   │       ├── MSVSUtil.py
│   │       ├── MSVSVersion.py
│   │       ├── ninja_syntax.py
│   │       ├── simple_copy.py
│   │       ├── win_tool.py
│   │       ├── xcode_emulation.py
│   │       ├── xcode_ninja.py
│   │       ├── xcodeproj_file.py
│   │       └── xml_fix.py
│   ├── README.md
│   ├── requirements_dev.txt
│   ├── setup.py
│   ├── test_gyp.py
│   └── tools
│       ├── emacs
│       │   ├── gyp.el
│       │   ├── gyp-tests.el
│       │   ├── README
│       │   ├── run-unit-tests.sh
│       │   └── testdata
│       │       ├── media.gyp
│       │       └── media.gyp.fontified
│       ├── graphviz.py
│       ├── pretty_gyp.py
│       ├── pretty_sln.py
│       ├── pretty_vcproj.py
│       ├── README
│       └── Xcode
│           ├── README
│           └── Specifications
│               ├── gyp.pbfilespec
│               └── gyp.xclangspec
├── lib
│   ├── build.js
│   ├── clean.js
│   ├── configure.js
│   ├── find-node-directory.js
│   ├── find-python.js
│   ├── Find-VisualStudio.cs
│   ├── find-visualstudio.js
│   ├── install.js
│   ├── list.js
│   ├── node-gyp.js
│   ├── process-release.js
│   ├── rebuild.js
│   ├── remove.js
│   └── util.js
├── LICENSE
├── macOS_Catalina_acid_test.sh
├── macOS_Catalina.md
├── package.json
├── README.md
├── src
│   └── win_delay_load_hook.cc
├── test
│   ├── common.js
│   ├── fixtures
│   │   ├── ca-bundle.crt
│   │   ├── ca.crt
│   │   ├── server.crt
│   │   ├── server.key
│   │   ├── test-charmap.py
│   │   ├── VS_2017_BuildTools_minimal.txt
│   │   ├── VS_2017_Community_workload.txt
│   │   ├── VS_2017_Express.txt
│   │   ├── VS_2017_Unusable.txt
│   │   ├── VS_2019_BuildTools_minimal.txt
│   │   ├── VS_2019_Community_workload.txt
│   │   └── VS_2019_Preview.txt
│   ├── process-exec-sync.js
│   ├── simple-proxy.js
│   ├── test-addon.js
│   ├── test-configure-python.js
│   ├── test-download.js
│   ├── test-find-accessible-sync.js
│   ├── test-find-node-directory.js
│   ├── test-find-python.js
│   ├── test-find-visualstudio.js
│   ├── test-install.js
│   ├── test-options.js
│   └── test-process-release.js
└── update-gyp.py

20 directories, 126 files

Issue Analytics

State:
Created 2 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

5reactions

rvaggcommented, May 20, 2021

Here’s my take: Tests etc. represent part of the documentation and are components of the complete project which we occasionally snapshot and publish as a version to npm. On that basis, packages in npm should include stand-alone snapshots of a project. I know this is not a view held by everyone who publises to npm and some want to obsessively remove everything except that which touches the execution path–which is arguably reasonable in a world of trivial dependencies that bloat our development folders. I just think maybe the problem of needless dependency tree bloat should be tackled with greater priority. So I’m personally not in favour of removing things from a publish unless we’re dealing with unreasonably large items. 2Mb is not unreasonable for us to be able to ship a complete snapshot of the package. If we have extraneous things in the repo then we should be able to add them to .gitignore.

Re server.key, if this is a critical problem for you then perhaps you could help out by contributing a change that shuffles it out of view of low quality auto-audits? Either generate it as required for tests, or maybe more practically, embed it as a string in a test file that can be extracted and removed on each run? Alternatively find a better auditor that isn’t upset by test fixtures?

0reactions

david-golightly-leapyearcommented, May 20, 2021

This is more than a space-saving move. An automated security audit tool found and flagged the presence of https://github.com/nodejs/node-gyp/blob/master/test/fixtures/server.key which, although probably harmless, creates noise for the auditor and makes for an awkward conversation. Is there an estimated time to remove these files from the build?

Top Results From Across the Web

npm-publish - npm Docs

Description. Publishes a package to the registry so that it can be installed by name. By default npm will publish to the public...

lerna/CHANGELOG.md at main - GitHub

dragon: Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.

Semantic Release publishing on package.json - Stack Overflow

I assume when you build locally, you have a build folder with package.json and a cjs folder, but only the file itself is...

Supported hooks - pre-commit

check-json - checks json files for parseable syntax. check-shebang-scripts-are-executable - ensures that (non-binary) files with a shebang are executable.

Node.js v19.3.0 Documentation

calls() and will throw an error for functions that have not been called the expected number of times. import assert from 'node:assert'; //...