Conversation

MatthiasKunnen commented Nov 11, 2025

npm-run-all2@8.0.4 currently contains the following files:

├── bin
│   └── ...
├── CHANGELOG.md
├── docs
│   ├── node-api.md
│   ├── npm-run-all.md
│   ├── run-p.md
│   └── run-s.md
├── eslint.config.js
├── .gitattributes
├── .github
│   ├── dependabot.yml
│   ├── FUNDING.yml
│   └── workflows
│       ├── codeql.yml
│       ├── release.yml
│       └── test.yml
├── jsdoc.json
├── .knip.jsonc
├── lib
│   └── ...
├── LICENSE
├── package.json
├── README.md
├── scripts
│   └── make-slink.js
├── test
│   ├── aggregate-output.js
│   ├── argument-placeholders.js
│   ├── common.js
│   ├── config.js
│   ├── fail.js
│   ├── lib
│   │   ├── buffer-stream.js
│   │   ├── spawn-with-kill.js
│   │   └── util.js
│   ├── mixed.js
│   ├── package-config.js
│   ├── parallel.js
│   ├── pattern.js
│   ├── print-label.js
│   ├── print-name.js
│   ├── sequential.js
│   └── yarn.js
└── test-workspace
    ├── no-package-json
    │   └── dummy.txt
    ├── no-scripts
    │   └── package.json
    ├── package.json
    └── tasks
        ├── abort.js
        ├── append1.js
        ├── append2.js
        ├── config1.js
        ├── config2.js
        ├── dump.js
        ├── echo.js
        ├── error.js
        ├── .eslintrc.json
        ├── output-with-delay.js
        ├── package-config1.js
        ├── package-config2.js
        ├── stderr.js
        ├── stdin.js
        └── stdout.js

Quite a few of these files are not necessary. This PR explicitly whitelists all the files that will be included in the npm package.

README.md and LICENSE are included by default. Test using npm pack.

Output of `npm pack` after this change
$ npm pack     
npm notice 
npm notice 📦  npm-run-all2@8.1.0-beta.0
npm notice === Tarball Contents === 
npm notice 1.1kB  LICENSE                              
npm notice 3.4kB  README.md                            
npm notice 1.4kB  bin/common/bootstrap.js              
npm notice 6.4kB  bin/common/parse-cli-args.js         
npm notice 881B   bin/common/version.js                
npm notice 3.2kB  bin/npm-run-all/help.js              
npm notice 413B   bin/npm-run-all/index.js             
npm notice 2.2kB  bin/npm-run-all/main.js              
npm notice 2.6kB  bin/run-p/help.js                    
npm notice 407B   bin/run-p/index.js                   
npm notice 2.0kB  bin/run-p/main.js                    
npm notice 2.2kB  bin/run-s/help.js                    
npm notice 407B   bin/run-s/index.js                   
npm notice 1.9kB  bin/run-s/main.js                    
npm notice 501B   lib/cjs.cjs                          
npm notice 1.5kB  lib/create-header.js                 
npm notice 3.2kB  lib/create-prefix-transform-stream.js
npm notice 10.1kB lib/esm.mjs                          
npm notice 3.8kB  lib/match-tasks.js                   
npm notice 1.4kB  lib/npm-run-all-error.js             
npm notice 976B   lib/read-package-json.js             
npm notice 8.6kB  lib/run-task.js                      
npm notice 5.3kB  lib/run-tasks.js                     
npm notice 1.8kB  lib/spawn-posix.js                   
npm notice 1.5kB  lib/spawn-win32.js                   
npm notice 744B   lib/spawn.js                         
npm notice 2.6kB  package.json                         
npm notice === Tarball Details === 
npm notice name:          npm-run-all2                            
npm notice version:       8.1.0-beta.0                            
npm notice filename:      npm-run-all2-8.1.0-beta.0.tgz           
npm notice package size:  17.0 kB                                 
npm notice unpacked size: 70.3 kB                                 
npm notice shasum:        4bc4233b31ce9595a687ff86d9d5bae4b8a93133
npm notice integrity:     sha512-ZIIprBGcWJuBv[...]26aecrVNYHTag==
npm notice total files:   27                                      
npm notice 
npm-run-all2-8.1.0-beta.0.tgz

bcomnes (Owner) commented Nov 11, 2025

I started including everything after substack nuked his github as a hedge against myself doing the same thing, but I don't think I care that much anymore.

bcomnes (Owner) commented Nov 11, 2025

Will review with the next major release that we are sitting on.

MatthiasKunnen (Author) commented

> I started including everything after substack nuked his github as a hedge against myself doing the same thing, but I don't think I care that much anymore.

Ah, I see, you include everything in the package so that if the repo is removed, people can continue working off the package contents. I understand the intent, commendable.

My reasoning for keeping packages as small as possible is both for bandwidth/storage preservation and, regretfully, related to attack vectors in supply chain attacks. Bad actors including malware in test files that are unexpectedly still run is something that requires attention unfortunately. Smaller packages lead to a smaller effort required to verify code and fewer places where things can be hidden.

It's a shame that these goals are mutually exclusive.

I wish smaller dependency trees and vendoring were more commonplace in the JS ecosystem. Fighting against supply chain attacks in the JavaScript world takes substantially more effort compared to Go for example.

bcomnes (Owner) commented Nov 12, 2025

Yeah maybe github or npm-v2 can fix this someday. I'll review and make sure this works and include it in the next major before end of year.
