This bug is amazing =D (forgive me, I’ve always been weirdly excited about twisty corner cases!) npm publish ignores .git folders by default but forces all files named readme to be included… And that forced include overrides the exclude. And then there was once a remote branch named readme… and that goes in the .git folder, gets included in the publish, which then permanently borks your npm install, because of EISGIT, which in turn is a restriction that’s afaik entirely vestigial, copied forward from earlier versions of npm without clear insight into why you’d want that restriction in the first place.
I suspect this potential was introduced with the tar rewrite. It never happened before, because no one publishing before had a git repo with a remote ref like that, either through luck, or by following the setup guide which recommends using a separate copy of the repo for publication.
This is gonna be brutal to fix though, ’cause there’s no facility for the existing version to fix itself in this scenario. Would have to fallback to some npx-able thing that removes the .git folder, and communicating that is gonna be rough.