From 56ac67bf48cd951d46f03f334743c82accc5083f Mon Sep 17 00:00:00 2001 From: Keeley Hammond Date: Thu, 23 Apr 2026 19:14:08 -0700 Subject: [PATCH] build: restrict npm tarball contents to an explicit allowlist (#51293) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * build: restrict npm tarball contents to an explicit allowlist The npm publish flow runs `npm pack` in a staging temp dir, but `npm/package.json` had no `files` field — so any file that happened to land in that dir was packed into the published tarball. Recent releases (41.2.1+, 40.9.1+, 39.8.8+) shipped a self-referential `.npm-cache/_logs/*-debug-0.log` (npm's own debug log, written into the pack dir before pack finishes reading files) and a stray copy of `SHASUMS256.txt` that duplicates the info already in `checksums.json`. Add an explicit `files` allowlist so only the intended contents are packaged, regardless of staging-dir contamination. `package.json`, `README.md`, and `LICENSE` are auto-included by npm. Fixes #51290. Co-Authored-By: Claude Opus 4.7 (1M context) * build: include LICENSE and README.md in files allowlist These are auto-included by npm regardless, but listing them makes the intended contents of the tarball self-documenting alongside the other entries. Co-Authored-By: Claude Opus 4.7 (1M context) --------- Co-authored-by: Claude Opus 4.7 (1M context) --- npm/package.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/npm/package.json b/npm/package.json index ec6fe63d57..38ac890cff 100644 --- a/npm/package.json +++ b/npm/package.json @@ -5,6 +5,16 @@ "electron": "cli.js", "install-electron": "install.js" }, + "files": [ + "LICENSE", + "README.md", + "abi_version", + "checksums.json", + "cli.js", + "electron.d.ts", + "index.js", + "install.js" + ], "dependencies": { "@electron/get": "^5.0.0", "@types/node": "^24.9.0",
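Review bot: the `files` allowlist stops stray files from being packed, but nothing in the hunk verifies the result, so a future edit that drops or widens the field would silently reintroduce the problem described in the message (the debug log and duplicate `SHASUMS256.txt` only surfaced after several releases had shipped). Consider adding a step to the publish flow that runs `npm pack --dry-run` in the staging dir and fails if any path outside this list appears in the tarball listing. Two smaller points for the same hunk: npm always includes `package.json`, the `main` file and the `bin` targets regardless of `files`, so `index.js`, `cli.js` and `install.js` are listed here for self-documentation in the same way as `LICENSE` and `README.md`; that is fine, but it means the allowlist must be kept in sync whenever `bin` entries are renamed, which is worth a comment alongside the field or a line in the commit message.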