I agree with lante's short and syntetic answer and SamT's big answer:

• You should not include your tests in your package.
• Your package should only contains production runtime files.
• That will make your package more straightforward and faster to be dowloaded.

My contribution to those answers:

.npmignore is the blacklist way to achieve package file selection. But in a more practical way, you can whitelist files you need to include in your package using the files field in your package.json:

{
  "files": [
    "lib/",
    "index.js"
  ]
}

I think that's simpler, future proof and have better semantics ;)

Don't include your tests. Oftentimes tests are like 5x the size of the actual codebase. As long as your tests are on Github, etc, that's good enough.

But what you absolutely should do is test your NPM package in its published format. Create some smoke tests that reside in the actual codebase, but are not part of the test suite.

You can read about testing your package after tarballing it, here: https://github.com/ORESoftware/r2g

How to test an `npm publish` result, without actually publishing to NPM?

As you probably found, NPM doesn't really state specifically what should go in there, rather they have a list of ignored-by-default files. Many people don't even use it as everything in your .gitignore is ignored in npm by default if .npmignore doesn't exist. Additionally, many files are already ignored by default regardless of settings and some files are always excluded from being ignored, as outlined in the link above.

There is not much official on what always should be there because it is basically a subset of .gitignore, but from what I gather from using node for 5-ish years, here's what I've come up with.

Note: By production I mean any time where your module is used by someone and not to develop on the module itself.

Pre-release cross-compiled sources

• Pros: If you are using a language that cross-compiles into JavaScript, you can precompile before release and not include .coffee files in your package but keep tracking them in your git repository.

Build file leftovers

• Pros: People using things like node-gyp might have object files that get generated during a build that never should go into the package.
• Cons: This should always go into the .gitignore anyway. You must place these things inside here if you are using a .npmignore file already as it overrides .gitignore from npm's point of view.

Tests

• Pros: Less baggage in your production code.
• Cons: You cannot run tests on live environments in the slim chance there is a system-specific failure, such as an out of date version of node running that causes a test to fail.

Continuous integration settings/Meta files

• Pros: Again, less baggage. Things such as .travis.yml are not required for using, testing, or viewing the code.

Non-readme docs and code examples

• Pros: Less baggage. Some people exist in the school-of-thought where if you cannot express at least minimum viable functionality in your Readme, your module is too big.
• Cons: People cannot see exhaustive documentation and code examples on their own file system. They would have to visit the repository (which also requires an internet connection).

Github-pages objects

• Pros: You certainly don't need to litter your releases with CNAME files or placeholder index.htmls if you use your module serves double-duty as a gh-pages repository as well.

bower.json and friends

• Pros: If you decide to build in your dependencies prior to release, you don't need the end-user to install bower then install more things with that. I would, personally, keep that stuff in the package. When I do an npm install, I should only be relying on npm and no other external sources.

Basically, you should ever use it if there is something you wish to keep out of your npm package but not out of your npm repository. It's not a long list of items, but npm would rather build in the functionality than having people stuck with irrelevant objects in their package.

Just to clarify, anytime someone do npm install your-library, npm will download all source files that the repo includes, except files that you include in your .npmignore.

Know that people installing your library will need just your library running, anything else will be not necessary.

For example, when someone installs a library, its probably that he/she doesn't care about your .travis.yml or your .jshintrc files, or even some images, Grunt files, documentation, etc.

.npmignore could let your npm package to have less files, and faster to be downloaded