Don't add markdownlint config to NPM package #3413
Codecov Report
@@ Coverage Diff @@
## master #3413 +/- ##
=======================================
Coverage 97.58% 97.58%
=======================================
Files 123 123
Lines 8957 8957
Branches 3271 3271
=======================================
Hits 8741 8741
Misses 216 216
The files key is dangerous and should never be used; expanding the ignore list is proper.

Alright, I didn't know that. Do you have some reference where I can read more about the dangers?

No - it's just the way it behaves. If you forget to add a file to "npmignore", the worst consequence is "a file nothing cares about ends up in the package" - iow, harmless, and at worst inconvenient. If you forget to add a file to "files", the worst consequence is "downstream users are broken", which can easily cause millions of dollars of person-hours of work. (Since credentials should never be stored in an in-repo file anyways, "credentials could be leaked" shouldn't ever be a concern)
Perhaps a "files" key in package.json is a better idea than expanding the "ignore" list again. But I'll leave that to the maintainer.
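A pre-publish check for the two failure modes weighed in this thread, as an added example that is not part of the PR or the project's code: it compares the paths `package.json` promises to consumers against the file list of the tarball that would be published. The manifest, the file lists and the names `entryPoints` and `auditPack` are constructed for illustration, and the input is assumed to be the `files[].path` values from `npm pack --dry-run --json`.

```javascript
// Added example. `packed` holds the files[].path values that
// `npm pack --dry-run --json` reports for the tarball it would publish.
const norm = (p) => p.replace(/^\.\//, "");

// Every path package.json promises to consumers (main, bin, types, exports).
function entryPoints(pkg) {
  const out = new Set();
  const walk = (v) => {
    if (typeof v === "string") {
      if (!v.includes("*")) out.add(norm(v)); // skip subpath patterns
    } else if (v && typeof v === "object") {
      Object.values(v).forEach(walk); // bin maps, conditional exports, arrays
    }
  };
  [pkg.main, pkg.bin, pkg.types, pkg.exports].forEach(walk);
  return out;
}

function auditPack(pkg, packed) {
  const shipped = new Set(packed.map(norm));
  // Allowlist failure mode: a promised file is absent, so consumers break.
  const missing = [...entryPoints(pkg)].filter((p) => !shipped.has(p)).sort();
  // Denylist failure mode: tooling dotfiles ride along, which is only noise.
  const stray = [...shipped].filter((p) => p.split("/").pop().startsWith(".")).sort();
  return { ok: missing.length === 0, missing, stray };
}

// Constructed sample manifest and file lists (hypothetical package).
const samplePkg = {
  name: "example-pkg",
  main: "./lib/index.js",
  bin: { example: "./bin/cli.js" },
  exports: { ".": "./lib/index.js", "./util": { require: "./lib/util.js", default: null } },
};
const forgotIgnoreEntry = ["package.json", "lib/index.js", "lib/util.js", "bin/cli.js", ".markdownlint.json"];
const forgotFilesEntry = ["package.json", "lib/index.js", "lib/util.js"];

console.log(auditPack(samplePkg, forgotIgnoreEntry));
console.log(auditPack(samplePkg, forgotFilesEntry));
```

Run in CI before `npm publish`, a non-empty `missing` list is the condition to fail the build on, while `stray` is only worth a warning.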