mirror of
https://github.com/electron/electron.git
synced 2026-05-02 03:00:22 -04:00
* build: restrict npm tarball contents to an explicit allowlist

The npm publish flow runs `npm pack` in a staging temp dir, but `npm/package.json` had no `files` field — so any file that happened to land in that dir was packed into the published tarball. Recent releases (41.2.1+, 40.9.1+, 39.8.8+) shipped a self-referential `.npm-cache/_logs/*-debug-0.log` (npm's own debug log, written into the pack dir before pack finishes reading files) and a stray copy of `SHASUMS256.txt` that duplicates the info already in `checksums.json`.

Add an explicit `files` allowlist so only the intended contents are packaged, regardless of staging-dir contamination. `package.json`, `README.md`, and `LICENSE` are auto-included by npm.

Fixes #51290.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>

* build: include LICENSE and README.md in files allowlist

These are auto-included by npm regardless, but listing them makes the intended contents of the tarball self-documenting alongside the other entries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>

---------

Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Keeley Hammond <vertedinde@electronjs.org>
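
A release-pipeline check for the failure mode described in the commit message above, as an added example (not code from the Electron repository): it audits the file list reported by `npm pack --dry-run --json` against an expected set and reports both stray and missing entries. The package name, the sample listing, the `install.js` and `dist/` entries, and the function names are constructed for illustration, and the matching rule (exact names plus directory prefixes) is a simplification, not npm's own `files` semantics.

```javascript
// Constructed sample of `npm pack --dry-run --json` output (not real release data).
const samplePackJson = JSON.stringify([{
  name: 'example-pkg',
  version: '0.0.0',
  files: [
    { path: 'package.json', size: 512 },
    { path: 'README.md', size: 2048 },
    { path: 'LICENSE', size: 1060 },
    { path: 'checksums.json', size: 4096 },
    { path: 'install.js', size: 3000 },
    { path: 'SHASUMS256.txt', size: 4100 },
    { path: '.npm-cache/_logs/2026-01-01T00_00_00_000Z-debug-0.log', size: 900 }
  ]
}]);

// Hypothetical allowlist: exact file names, or directory prefixes ending in "/".
const allowlist = ['package.json', 'README.md', 'LICENSE', 'checksums.json', 'install.js', 'dist/'];

// Compare on a plain relative path with forward slashes and no leading "./".
function normalize(p) {
  return p.replace(/\\/g, '/').replace(/^\.\//, '');
}

function isAllowed(path, allow) {
  const p = normalize(path);
  if (p.split('/').includes('..')) return false; // never accept traversal segments
  return allow.some(entry => (entry.endsWith('/') ? p.startsWith(entry) : p === entry));
}

function auditPack(packJson, allow) {
  const seen = new Set();
  const unexpected = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const f of pkg.files) {
      const p = normalize(f.path);
      seen.add(p);
      if (!isAllowed(p, allow)) unexpected.push(p);
    }
  }
  // An exact-name entry that never appears points at a broken build or a stale allowlist.
  const missing = allow.filter(e => !e.endsWith('/') && !seen.has(e));
  return { unexpected: unexpected.sort(), missing };
}

const result = auditPack(samplePackJson, allowlist);
console.log(result); // a CI job would fail when either list is non-empty
```

Run against the real `npm pack --dry-run --json` output before publishing, this catches staging-directory contamination even if the `files` field is later removed or loosened.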