Thanks for summing these up and inviting us to the conversation! We have good answers for some of these, and less-good ones for others. Let me take them point by point:

ignore list maintenance: if you want to go with whitelisting instead of blacklist, you can use the files field of package.json. It lets you explicitly list a set of files and/or folders to be included (see https://www.npmjs.org/do