
Obvious Fix: Added "files" property to only include index.js / index.d.js / properties.json in npm package

Open MattSidor opened this issue 4 years ago • 2 comments

My project uses a CI/CD security scanning tool for our node apps. This tool flagged the encryption keys in the test/ folder of this library and would not allow us to publish the app. Our workaround was to rm -rf node_modules/njwt/test after npm install as part of our build step in the pipeline.

The security scanner is naive to the context of the encryption keys in test/ and cannot see that those files won't actually be used by the apps that import this library.

However, since the test/ files do not need to be shipped to consumers of this library, I believe the best solution is to declare only the files that are necessary. npm allows us to do this via the files property of package.json: https://docs.npmjs.com/cli/v6/configuring-npm/package-json#files

This PR updates the files property of package.json to only include index.js, index.d.ts, and properties.json.

These other files from the library will always be included as part of the npm package, regardless of settings:

  • package.json
  • README.md
  • CHANGELOG.md
  • LICENSE

MattSidor, Nov 10 '21 17:11
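As an added example (not part of njwt or this PR), the following Node script models the behaviour the PR relies on: with no "files" property every file in the checkout ships, so a PEM private key under test/ ends up in the published tarball; with the whitelist from this PR only the declared files plus npm's always-included ones ship. The file tree, the key file name test/rsa.priv.pem and the package.json variants are constructed for the example, and the model is deliberately simplified (directories in "files" are included recursively; .npmignore and npm's full glob semantics are not modelled).

```javascript
// Added example, not njwt code. Simplified model of npm's "files" whitelist,
// used to audit what a package would publish before a scanner does it for you.

// Files npm always includes regardless of "files" (as listed in the PR).
const ALWAYS_INCLUDED = /^(package\.json|README(\..+)?|CHANGELOG(\..+)?|LICEN[CS]E(\..+)?)$/i;

// Does a relative path ship under the given "files" array (undefined = no whitelist)?
function wouldShip(relPath, filesProp) {
  if (ALWAYS_INCLUDED.test(relPath)) return true;
  if (!filesProp) return true; // no "files": everything in the checkout ships (simplified)
  return filesProp.some((entry) => {
    const e = entry.replace(/\/$/, '');
    return relPath === e || relPath.startsWith(e + '/');
  });
}

// List the paths from an in-memory tree { path: content } that would be published.
function shippedFiles(tree, pkg) {
  return Object.keys(tree).filter((p) => wouldShip(p, pkg.files)).sort();
}

// Shipped files whose content looks like PEM private key material.
const PEM_PRIVATE_KEY = /-----BEGIN (RSA |EC )?PRIVATE KEY-----/;
function findKeyMaterial(tree, pkg) {
  return shippedFiles(tree, pkg).filter((p) => PEM_PRIVATE_KEY.test(tree[p]));
}

// Constructed sample checkout mirroring the layout described in the PR.
const sampleTree = {
  'package.json': '{ "name": "njwt" }',
  'README.md': '# njwt',
  'LICENSE': 'Apache-2.0',
  'index.js': 'module.exports = {};',
  'index.d.ts': 'export {};',
  'properties.json': '{}',
  'test/rsa.priv.pem': '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----',
  'test/verify.test.js': 'require("../index.js");',
};

// Before the PR: no "files" property. After: the whitelist the PR adds.
const pkgBefore = { name: 'njwt' };
const pkgAfter = { name: 'njwt', files: ['index.js', 'index.d.ts', 'properties.json'] };

console.log('before:', findKeyMaterial(sampleTree, pkgBefore)); // [ 'test/rsa.priv.pem' ]
console.log('after: ', findKeyMaterial(sampleTree, pkgAfter));  // []
```

Against a real checkout, `npm pack --dry-run` prints the exact file list npm would publish, which is the authoritative check once the "files" property is in place.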

@MattSidor can you also include properties.json in the list?

@oleksandrpravosudko-okta Yes! I've updated my PR. Thanks for catching that.

MattSidor, Dec 03 '21 20:12