macOS automatically creates a .DS_Store file when you open a folder with Finder, the default file manager. Finder stores some folder metadata in this file in a binary format, for example the list of entries it saw in the folder, together with their icon positions and the window settings.
You cannot read a .DS_Store file just by opening it (it is binary data), but it's pretty easy to decode. If for some reason the file gets deployed to a web server, things can turn nasty:
- it might disclose information such as the names of files that have since been removed, because .DS_Store files are only updated by Finder: a file deleted from a shell or by a deploy script stays listed
- it might also be used to download files recursively from the web server: each .DS_Store lists the entries of its own directory, subdirectories included, so an attacker fetches /.DS_Store, then the .DS_Store of every subdirectory it names, and requests the listed files along the way 🔥
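To make "pretty easy to decode" concrete, here is an added example that is not code from the original post: a minimal reader for the .DS_Store layout (the "Bud1" header, the block allocator table, the DSDB table-of-contents entry and the B-tree of per-file records), plus a small writer used only to construct a sample file inline. Everything in the sample is made up: the file names, the "nightly dump" comment, and the fixed single-leaf block layout the writer picks, which is a simplification for the example rather than what Finder writes.

```python
# Added example (not the original post's code): a minimal .DS_Store reader, plus a
# writer used only to construct the sample file at the bottom.
import struct
# Block layout chosen for the sample writer: block 0 = allocator, block 1 = DSDB info,
# block 2 = a single B-tree leaf. All block offsets are relative to file position 4.
_ALLOC_OFF, _ALLOC_LOG2 = 0x2000, 11   # 2 KiB allocator block
_DSDB_OFF, _DSDB_LOG2 = 0x40, 5        # 32-byte DSDB info block
_LEAF_OFF, _LEAF_LOG2 = 0x1000, 12     # 4 KiB leaf node
# Fixed-size payload types; "blob" and "ustr" carry a length prefix instead.
_FIXED = {b"long": ">I", b"shor": ">I", b"bool": ">B", b"type": ">4s", b"comp": ">Q", b"dutc": ">Q"}

def _encode_record(name, struct_id, dtype, value):
    """One record: UTF-16BE name, 4-byte structure id, 4-byte data type, payload."""
    enc = name.encode("utf-16-be")
    out = struct.pack(">I", len(enc) // 2) + enc + struct_id + dtype
    if dtype in _FIXED:
        return out + struct.pack(_FIXED[dtype], value)
    if dtype == b"ustr":
        value = value.encode("utf-16-be")
    if dtype in (b"ustr", b"blob"):              # prefix counts UTF-16 code units for ustr, bytes for blob
        return out + struct.pack(">I", len(value) // (2 if dtype == b"ustr" else 1)) + value
    raise ValueError(dtype)

def build_ds_store(records):
    """Build a small but structurally valid .DS_Store holding `records` in one leaf node."""
    buf = bytearray(4 + _ALLOC_OFF + (1 << _ALLOC_LOG2))
    struct.pack_into(">I4sIII", buf, 0, 1, b"Bud1", _ALLOC_OFF, 1 << _ALLOC_LOG2, _ALLOC_OFF)
    # DSDB info block: root node, tree depth, record count, node count, page size
    struct.pack_into(">IIIII", buf, 4 + _DSDB_OFF, 2, 1, len(records), 1, 0x1000)
    leaf = struct.pack(">II", 0, len(records)) + b"".join(_encode_record(*r) for r in records)
    buf[4 + _LEAF_OFF:4 + _LEAF_OFF + len(leaf)] = leaf
    addrs = [_ALLOC_OFF | _ALLOC_LOG2, _DSDB_OFF | _DSDB_LOG2, _LEAF_OFF | _LEAF_LOG2]
    alloc = struct.pack(">II", len(addrs), 0)
    alloc += struct.pack(">256I", *(addrs + [0] * (256 - len(addrs))))  # table padded to 256 entries
    alloc += struct.pack(">IB4sI", 1, 4, b"DSDB", 1)                    # TOC: "DSDB" -> block 1
    alloc += struct.pack(">32I", *([0] * 32))                            # 32 empty free lists
    buf[4 + _ALLOC_OFF:4 + _ALLOC_OFF + len(alloc)] = alloc
    return bytes(buf)

def _read_value(data, pos, dtype):
    """Decode one record payload at pos; return (value, position after it)."""
    if dtype in _FIXED:
        return struct.unpack_from(_FIXED[dtype], data, pos)[0], pos + struct.calcsize(_FIXED[dtype])
    n, = struct.unpack_from(">I", data, pos); pos += 4
    if dtype == b"ustr":
        return data[pos:pos + 2 * n].decode("utf-16-be"), pos + 2 * n
    if dtype == b"blob":
        return bytes(data[pos:pos + n]), pos + n
    raise ValueError("unknown data type %r" % dtype)

def _walk(data, addrs, block, out):
    """Append (name, structure id, data type, value) for a node and, in key order, its children."""
    pos = 4 + (addrs[block] & ~0x1F)             # low 5 bits of an address hold log2(block size)
    rightmost, count = struct.unpack_from(">II", data, pos); pos += 8
    for _ in range(count):
        if rightmost:                            # internal node: a child pointer precedes each record
            _walk(data, addrs, struct.unpack_from(">I", data, pos)[0], out); pos += 4
        nchars, = struct.unpack_from(">I", data, pos)
        name = data[pos + 4:pos + 4 + 2 * nchars].decode("utf-16-be"); pos += 4 + 2 * nchars
        struct_id, dtype = bytes(data[pos:pos + 4]), bytes(data[pos + 4:pos + 8])
        value, pos = _read_value(data, pos + 8, dtype)
        out.append((name, struct_id.decode("ascii"), dtype.decode("ascii"), value))
    if rightmost:
        _walk(data, addrs, rightmost, out)
    return out

def parse_ds_store(data):
    """Return every record in a .DS_Store: header -> allocator -> DSDB entry -> B-tree."""
    one, magic, alloc_off = struct.unpack_from(">I4sI", data, 0)
    if one != 1 or magic != b"Bud1":
        raise ValueError("not a .DS_Store file")
    pos = 4 + alloc_off
    nblocks, _ = struct.unpack_from(">II", data, pos); pos += 8
    addrs = struct.unpack_from(">%dI" % nblocks, data, pos)
    pos += 4 * ((nblocks + 255) // 256 * 256)    # the address table is padded to 256-entry multiples
    ntoc, = struct.unpack_from(">I", data, pos); pos += 4
    toc = {}
    for _ in range(ntoc):                        # entry: name length, name, block number
        n = data[pos]
        toc[bytes(data[pos + 1:pos + 1 + n])] = struct.unpack_from(">I", data, pos + 1 + n)[0]
        pos += 5 + n
    root = struct.unpack_from(">I", data, 4 + (addrs[toc[b"DSDB"]] & ~0x1F))[0]
    return _walk(data, addrs, root, [])

def filenames(data):
    """The directory listing an exposed .DS_Store leaks: every distinct entry name, sorted."""
    return sorted({r[0] for r in parse_ds_store(data)})

# Constructed sample (names are made up): what Finder might have recorded for a site's
# document root, including a dump later deleted with rm, which Finder never saw happen.
def _iloc(x, y): return struct.pack(">II", x, y) + b"\xff" * 6 + b"\x00\x00"   # Iloc: icon position
SAMPLE = build_ds_store([
    (".", b"vSrn", b"long", 1),
    ("backup-2023.sql", b"Iloc", b"blob", _iloc(64, 96)),
    ("backup-2023.sql", b"cmmt", b"ustr", "nightly dump"),
    ("config.php.bak", b"Iloc", b"blob", _iloc(160, 96)),
    ("images", b"Iloc", b"blob", _iloc(256, 96)),
    ("index.html", b"Iloc", b"blob", _iloc(352, 96)),
])
```

filenames() is what an attacker runs on a downloaded /.DS_Store: the names it returns are exactly the paths to request next, and for an entry that is a directory, the next /images/.DS_Store to fetch. Any name the server answers with 404 is a candidate for the "removed file" leak above; a Finder comment stored as a cmmt record, as in the sample, leaks on top of the name. Real files may have several B-tree levels, which _walk handles through the child pointers of internal nodes.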
How the heck can you deploy such files on production?
It happens more often than you might think, for example when you don't ignore .DS_Store files in your project's .gitignore.
I see it very frequently, including in public repositories.
The best approach, to me, is to configure it globally on your machine. This way, even if you forget to ignore those files in a particular project, they will be skipped anyway.
The following command prints the path of your global ignore file (it prints nothing if none is configured):
git config --global core.excludesfile
Open it and verify that .DS_Store is in the list.
If core.excludesfile is unset, Git falls back to $XDG_CONFIG_HOME/git/ignore (~/.config/git/ignore by default), so check that location too. If no global ignore file exists at all, create a .gitignore file at the root of your home directory and run this:
git config --global core.excludesfile ~/.gitignore
This sets the file as the global ignore file. You can find plenty of templates on the web to build a robust list for various usages.
To list and remove any .DS_Store files already tracked in your repository (git rm deletes them from the working tree as well as from the index; pass --cached instead of -f if you want to keep the local copies, which are ignored from now on anyway; untracked copies found by find are simply skipped thanks to --ignore-unmatch):
find . -name .DS_Store -print0 | xargs -0 git rm -f --ignore-unmatch
Then commit the result. Keep in mind that the files remain in the repository's history, so anyone who can read old commits can still retrieve them.
Be safe.