You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Say package app depends on workspace package ui. ui has a .env file in it used for development. You run pnpm deploy app app-prod --prod. pnpm copies workspace to the virtual store and create necessary links. When copying workspace packages only files specified in files property if present get copied. If .npmignore is present then those files are also ignored.
pnpm respects .npmignore files and filespackage.json properties in both app and ui packages.
Actual behavior:
.env file in ui gets copied.
pnpm respects .npmignore files and filespackage.json properties in app (deployed) package
pnpm does not respect .npmignore files and filespackage.json properties in ui package (workspace dependencies)
This exposes files such as .env storing valuable secrets to, say, Docker image users. This also increases node_modules size since unnecessary source files also get copied.
Additional information:
node -v prints: v14.21.2
Windows, macOS, or Linux?: MacOS
The text was updated successfully, but these errors were encountered:
Could we add an includeOnlyPackageFiles option to the install method that will be passed to the directory-fetcher. We would only set this option to true at pnpm deploy. That way, workspace dependency should also repset the package.json files setting too:
Hi, @zkochan, do you think this way is doable, thanks ~
pnpm version: 7.25.0
Code to reproduce the issue:
https://github.com/yakovlev-alexey/pnpm-workspace-files-prop
Expected behavior:
Say package
app
depends on workspace packageui
.ui
has a.env
file in it used for development. You runpnpm deploy app app-prod --prod
. pnpm copies workspace to the virtual store and create necessary links. When copying workspace packages only files specified infiles
property if present get copied. If.npmignore
is present then those files are also ignored.pnpm respects
.npmignore
files andfiles
package.json
properties in bothapp
andui
packages.Actual behavior:
.env
file inui
gets copied.pnpm respects
.npmignore
files andfiles
package.json
properties inapp
(deployed) packagepnpm does not respect
.npmignore
files andfiles
package.json
properties inui
package (workspace dependencies)This exposes files such as
.env
storing valuable secrets to, say, Docker image users. This also increasesnode_modules
size since unnecessary source files also get copied.Additional information:
node -v
prints: v14.21.2The text was updated successfully, but these errors were encountered: