By default, all files in the package directory are published with
npm publish .
even if they are not tracked by Git. Untracked files can be random temporary files that aren't covered by .gitignore or .npmignore and may include sensitive data.
Is there a way to keep untracked files from being accidentally published?
I think you need to try publish-please as a replacement:
As it claims, it will do a lot of validations before publishing to the registry.
Check that there are no untracked files in the working tree.
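The check described above, written here as an added example that is not code from the question, the answer or publish-please: a prepublishOnly script that compares the paths Git does not track with the paths npm would actually pack, and refuses to publish when they overlap. It assumes git and npm 7+ (for `npm pack --dry-run --json`, parsed here on its `"path"` keys) are on PATH and that it runs from the package root.

```shell
#!/bin/sh
# prepublish-check.sh: abort "npm publish" when files Git does not track would
# land in the tarball. Hook it up with "prepublishOnly": "sh prepublish-check.sh".
set -eu

# Pure function: given two newline-separated lists (paths Git does not track,
# paths npm would pack), print the untracked paths that npm would publish.
untracked_in_pack() {
  untracked=$1
  packed=$2
  printf '%s\n' "$untracked" | while IFS= read -r f; do
    [ -n "$f" ] || continue
    # exact, literal, whole-line match against the pack list
    if printf '%s\n' "$packed" | grep -qxF -- "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Everything in the working tree that Git does not track. Deliberately without
# --exclude-standard: .gitignore'd files are untracked too, and npm stops
# honouring .gitignore as soon as a .npmignore exists.
git_untracked() {
  git ls-files --others
}

# Paths npm would put in the tarball (assumed JSON layout: one "path" key per
# file entry in the output of npm pack --dry-run --json).
npm_pack_paths() {
  npm pack --dry-run --json 2>/dev/null | sed -n 's/.*"path": *"\([^"]*\)".*/\1/p'
}

main() {
  leaked=$(untracked_in_pack "$(git_untracked)" "$(npm_pack_paths)")
  if [ -n "$leaked" ]; then
    echo "refusing to publish: untracked files would be included:" >&2
    printf '%s\n' "$leaked" | sed 's/^/  /' >&2
    exit 1
  fi
  echo "ok: no untracked files in the package"
}

# Run the check only when executed as the script itself, so it can be sourced.
case "${0##*/}" in prepublish-check.sh) main "$@" ;; esac
```

A constructed run where `secrets.env` and `tmp.log` are untracked but packed lists exactly those two paths; tracked files and untracked files npm skips (like `node_modules/`) are not reported.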