Should You Commit .gitignore?
Yes. The project .gitignore is one of the few files in your repository that earns its place by being shared. It tells Git which paths to leave untracked — build output, dependency folders, local secrets, editor cruft — and that decision needs to be identical for everyone who clones the repo. A .gitignore that only exists on your machine protects only your machine; the moment a teammate or CI runner clones without it, node_modules/, .env, and a hundred megabytes of build artifacts are suddenly fair game to commit.
So the file isn't an afterthought you keep locally. It's project configuration, and like any project configuration it belongs in version control. The interesting question isn't whether to commit it — it's what belongs in the committed file versus the two other ignore mechanisms Git gives you. This guide covers all three, what goes where, and how to fix a repo that already tracked files it shouldn't have.
The short answer
| Question | Answer |
|---|---|
Commit the project .gitignore? |
Yes — always. It's shared project config. |
| Put personal editor/OS noise in it? | No — use your global gitignore instead. |
Commit a global ~/.gitignore? |
No — it's machine-specific and lives outside the repo. |
| Should every repo have one? | Yes — even a one-file script benefits from ignoring .env. |
| The one rule to remember? | Project-wide ignores in Git, personal ignores global. |
What .gitignore actually does
.gitignore is a plain-text list of patterns. Each line names a file, folder, or glob that Git should treat as untracked — it won't show those paths in git status, won't stage them with git add ., and won't nag you to commit them. A typical project file looks like this:
# Dependencies
node_modules/
# Build output
dist/
.next/
build/
# Local environment — secrets live here
.env
.env.local
# Logs and caches
*.log
.cache/
# OS and editor noise that slips through
.DS_Store
Every one of those patterns describes this project's structure: where its dependencies install, where its build lands, what counts as generated or secret. That's exactly why it has to be committed. If the rule "don't track dist/" lives only in your local copy, a collaborator who runs git add . will happily stage the entire build folder — and now your repo carries generated artifacts that conflict on every merge.
A committed .gitignore makes the untracked set a property of the repository, not of whoever happens to be sitting at the keyboard.
The three places Git reads ignore rules
Git doesn't have one ignore list — it has three, and knowing which is which tells you instantly what to commit and what to keep to yourself.
| Mechanism | Path | Scope | Commit it? |
|---|---|---|---|
| Project ignore | ./.gitignore (any folder) |
This repo, everyone who clones it | Yes |
| Global ignore | ~/.config/git/ignore or core.excludesFile |
You, across all your repos | No — it's outside the repo |
| Repo-local exclude | .git/info/exclude |
This repo, only on your machine | No — Git never tracks .git/ |
The project .gitignore is the one this article is about: it's checked into the repo and applies to every clone. You can have more than one — a .gitignore in a subfolder adds rules scoped to that folder, which is handy for monorepos.
The global ignore is for patterns that follow you, not the project. Editor swap files, OS metadata, your personal scratch directory — anything that would be noise in every repo you touch belongs here, set once:
git config --global core.excludesFile ~/.gitignore_global
The repo-local exclude at .git/info/exclude is the rarely-used third option: same syntax as .gitignore, but it lives inside .git/ so it's never committed or shared. Reach for it when you have a one-off file to ignore in this repo that doesn't make sense for teammates — a local debug script, say — but doesn't belong in your global config either.
What belongs in the committed file — and what doesn't
The committed .gitignore should only contain ignores that are true for the project, regardless of who's building it. That splits cleanly into a few categories:
Always commit these patterns:
- Dependencies —
node_modules/,vendor/,.venv/. Reproducible from a lockfile, never tracked. See Should You Commit node_modules?. - Build output —
dist/,build/,.next/,target/. Generated from source, so committing it invites drift and merge conflicts. See Should You Commit the dist Folder?. - Local secrets —
.env,.env.local. Real credentials must never reach history. The structure goes in.env.example; the values stay out. See Environment Variables and .env Files. - Caches and logs —
.cache/,*.log, coverage output. Disposable, machine-specific, and noisy in diffs.
Don't put these in the committed file — push them to your global ignore instead:
- OS metadata —
.DS_Store,Thumbs.db. These are your operating system's litter, not the project's. See Should You Commit .DS_Store?. - Personal editor config — your individual
.vscode/tweaks or JetBrains files, unless the team has agreed to share a project-level set. See Should You Commit the .vscode Directory?. - Your own scratch files — local notes, experiment scripts, anything specific to how you work.
The test is the same one that governs every shared config file: if the rule should hold for the project no matter who's building it, it goes in the committed .gitignore. If it only matters because of your machine, your editor, or your habits, it belongs in your global ignore — out of everyone else's diff.
Why pushing personal noise into the project file backfires
It's tempting to drop .DS_Store straight into the project .gitignore — you're on a Mac, it's annoying, done. But that quietly makes the project file a dumping ground for every contributor's environment. The Windows developer adds Thumbs.db. The Vim user adds *.swp. The next person adds their editor's directory. Within a few months the file is half project rules and half a museum of everyone's local tooling, and nobody can tell which lines are load-bearing.
Keeping personal noise in your global ignore avoids all of it. You ignore .DS_Store once, globally, and it's handled in every repo you'll ever touch — without asking the project to carry your operating system's quirks. The committed .gitignore stays lean and legible: every line in it is a genuine fact about the project.
If you already committed files you meant to ignore
Adding a pattern to .gitignore only stops Git from tracking files it isn't already tracking. If node_modules/ or .env was committed before you ignored it, the ignore rule does nothing — Git keeps tracking what it already knows about. You have to untrack it explicitly.
# Stop tracking a folder but keep it on disk
git rm -r --cached node_modules/
# Then commit the removal
git commit -m "Stop tracking node_modules; rely on .gitignore"
The --cached flag is the important part: it removes the path from Git's index without deleting your local copy. After this commit, the existing .gitignore rule finally takes effect and the folder stays untracked going forward.
One case needs more than git rm --cached: a committed secret. If a real .env or API key ever landed in a commit, untracking it leaves the secret sitting in history, retrievable by anyone who clones the repo. Treat that credential as compromised — rotate it at the source first, then scrub history with a tool like git-filter-repo. Removing the line is damage control; the rotated secret is what actually protects you. (For where secrets should live instead, see Secret Management Providers.)
The bottom line
Commit your project .gitignore, always — and commit it early, ideally in the first commit, before there's anything to accidentally track. It's shared configuration in the truest sense: it defines what counts as source versus noise for this repository, and that definition has to be the same for every clone, every teammate, and every CI run. A .gitignore that only exists on one laptop protects exactly one laptop.
Then keep it honest. Project-wide ignores — dependencies, build output, local secrets — go in the committed file. Personal ignores — OS metadata, your editor's droppings, your scratch files — go in your global ignore, where they follow you instead of cluttering everyone else's repo. Get that split right and your .gitignore stays a clean, trustworthy map of what the project does and doesn't track.
See Also
- The Developer's Guide to What Belongs in Your Git Repository — the full committed-vs-ignored reference this series builds on
- Should You Commit node_modules? — the single most important thing your
.gitignoreshould exclude - Should You Commit .DS_Store? — why this belongs in your global ignore, not the project file
- Environment Variables and .env Files: What to Commit — how to ignore secrets while still sharing their structure
- Should You Commit the dist Folder? — build output is generated, so it stays untracked
- Should You Commit .npmrc? — the same config-vs-personal split applied to npm