chore: improve npm ignore list

[erisu]

Motivation and Context

Decrease production package size

Description

Drop From Package

• all dot file and folders with .* (.github, .travis.yml, .eslintrc.yml, etc...)
  • .github/
  • .travis.yml
  • .eslintrc.yml
  • .eslintignore
  • .ratignore
• appveyor.yml

BEFORE
npm notice package size: 41.5 kB
npm notice unpacked size: 179.4 kB
npm notice total files: 34

AFTER
npm notice package size: 39.1 kB
npm notice unpacked size: 173.8 kB
npm notice total files: 24

Testing

• npm t

Checklist

• I've run the tests to see all new and existing tests pass

[dpogue]

Just out of curiosity, does this interfere at all with coho's ability to verify archives and licenses if those files are missing from the archive?

[erisu]

It should not have any affect.

The license/header checking process is performed on the git repo and not the content of the npm package. For the releaser, at this stage, the package is not even created yet.

The sha512 and asc file is created against the package not the repo content.

Here is an example on how the asc file is created for the release vote. (E.g. below is for recent cordova-eslint release)

gpg --armor --detach-sig --output ./cordova-eslint-config-1.0.0.tgz.asc ./cordova-eslint-config-1.0.0.tgz

Here is an example on how the sha512 is created for the release vote. (E.g. below is for the recent cordova-eslint release)

gpg --print-md SHA512 ./cordova-eslint-config-1.0.0.tgz

If you were to take the sha512 of the git repo content and package, yes, they would be different, but how the release does it is against the package (tgz).

^^ ABOVE covers the person performing the release ^^

For a person who is voting on the release,

The coho verify-archive is only using the asc and sha512 file that was used against the tgz package.

The coho verify-tags is only compares the git commit hash ref that is given with the tag name.

Example for the Cordova ESLint recent release

$ git rev-parse 918d6a9c90
918d6a9c904c3da7feedbed4063fe4671afcf971