DEV Community

Florian
Florian

Posted on

What Really Belongs in a Git Repository? (Asking for a Friend)

#programming #git #vue #javascript

GIT

You’d think by now we’d all agree on what goes into a Git repository. But alas — I still get pull requests containing .env, .p12, and even node_modules. So let’s settle this like adults (with a healthy dose of sarcasm and too much coffee).

🔐 Self-Signed Certificates

Ah yes, the good old cert.pem. Nothing screams "I'm new here" like committing private keys to a public repo.

Rule of thumb:

If it can be used to impersonate your server, decrypt traffic, or ruin your weekend — don’t commit it.

Exception:

If you’re building a fully fake local environment and your cert.pem is literally useless outside of localhost:3000, fine. But at least .gitignore the real ones.

📦 .env Files

Your .env file is like your toothbrush. Vital, personal, and not something you share with the internet.

Yes, I know:

But it’s just the development config!

Cool. Then use .env.example, strip out the secrets, and let your teammates fill in the blanks like grown-ups.

Exception:

Some people commit .env files with public/default values (e.g., PORT=3000). That's okay-ish — if you enjoy living on the edge. Just don’t cry when your database password ends up on GitHub’s trending page.

📁 node_modules, vendor, and other sins

This isn’t 2005. We have package managers now.

Don’t commit your dependencies.

Exception:

If you’re on a remote island with no internet and you're building a Docker image that needs offline builds. Even then, maybe ask yourself: Should I even be coding right now?

🛠️ Build Artifacts

Dist folders. Compiled binaries. Webpack outputs. You name it.

Don’t. Do. It.

Unless you're managing a release branch explicitly for deployment or versioning static artifacts.

Even then:

  • Tag your releases.
  • Upload the assets elsewhere.
  • Sleep better at night.

✅ What Should Be in Git?

  • Your source code (yep).
  • Configuration templates.
  • Docs. Real ones. Not just README.md with TODO in it.
  • Infrastructure as Code (Terraform, Dockerfiles, etc.)
  • Tests. (You do write tests, right?)

🧹 Also, don’t forget these...

Some files aren’t as obvious — but still don’t belong in your Git history unless you enjoy shame-based learning:

  • System/IDE configs: .DS_Store, Thumbs.db, .vscode/, .idea/, .swp
  • Local-only settings: .env.local, .eslintcache, .npmrc, .bash_history
  • Log & debug output: debug.log, *.log, npm-debug.log
  • Database dumps: dump.sql, *.sqlite, backup.db

They may seem harmless — until they become evidence.

TL;DR

If it's secret, generated, or weighs more than your project — don't commit it.

Your Git repo isn’t a trash bin or a backup drive. It's a versioned source of truth, not a confession booth for every debug print and API key you've ever written.

Treat it with respect, and it'll return the favor.

(Unless you rebase force-push on main, in which case: good luck.)

P.S.: If you're working with Vue 3 and want your forms to behave better than your coworkers’ Git hygiene, check out Vorm — a form engine that actually makes sense.

Top comments (0)