@SwishSwushPow
Hi everyone 👋

While reviewing dependency updates in our project (trying to assure supply chain safety) I noticed that there are a couple of scripts, tests, benchmarks, etc. that are not necessarily required to be published to crates.io. They make it harder to review ndarray when checking the supply chain, and I was wondering if it would be possible to remove these items from the published package. That would remove potential vectors for a security vulnerability in the future, and it would also shrink the size of ndarray from 309.5 KiB to 237.6 KiB compressed. :)

The downside of course would be that e.g. the tests couldn't be run from the crate package anymore, but I'm not sure how popular that is.

I've tried to include all the files that are required (licenses) and that make reviewing things a bit easier (readme and release files can give a good context what has changed between versions).

Best regards!
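As an added illustration of the kind of change the PR describes (this is example configuration, not the PR's diff or the ndarray project's actual manifest), a `Cargo.toml` that switches from publishing everything in the repository to an allow-list. Cargo's `include` key is real; the crate name and the license, readme and release-notes file names below are assumptions standing in for whatever the repository actually contains.

```toml
[package]
name = "example-crate"   # placeholder, not ndarray's manifest
version = "0.1.0"
edition = "2021"

# Allow-list of what `cargo publish` ships. Paths not matched here
# (tests/, benches/, scripts/, CI config, ...) never reach the .crate,
# so a reviewer of the published package sees only code that is built
# plus the files needed for licensing and for reading the changelog.
# The file names are assumptions for this example.
include = [
    "src/**/*",
    "Cargo.toml",
    "LICENSE-APACHE",
    "LICENSE-MIT",
    "README.md",
    "RELEASES.md",
]
```

Before publishing, `cargo package --list` prints exactly the paths the `.crate` archive would contain, which is the quickest way to confirm that tests and benchmarks are gone and the license files are still present; Cargo adds `Cargo.toml` (and its generated `Cargo.toml.orig` and `.cargo_vcs_info.json`) regardless of the list. `include` and `exclude` are alternatives: if both are given, `include` takes precedence. The trade-off the PR mentions applies unchanged: once `tests/` is excluded, `cargo test` on the unpacked crate no longer has anything to run, so tests must be run from the git checkout instead.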
