If a project has both an .npmignore and .gitignore file, npm will only use the .npmignore file.
From the documentation:
Use a .npmignore file to keep stuff out of your package. If there’s no .npmignore file, but there is a .gitignore file, then npm will ignore the stuff matched by the .gitignore file. If you want to include something that is excluded by your .gitignore file, you can create an empty .npmignore file to override it.
In simpler terms, npm prefers the .npmignore file if it is there, but will fall back to the .gitignore file.
In many cases, both Git and npm can ignore the same files, so it makes sense to just use a .gitignore file on its own. If there’s ever a discrepancy (i.e. npm and Git need to ignore different files), then you need to maintain separate .gitignore and .npmignore files.
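The precedence rule above has a practical consequence: once a .npmignore exists, nothing in .gitignore keeps a file out of the published package. The following is an added example (not npm's own code) that models only the root-level rule quoted above and lists .gitignore patterns that stop applying; the function names and sample file contents are constructed for illustration.

```javascript
// Added example: models only the root-level precedence described above.
// Inputs are file contents as strings, or null when the file is absent.

function parseIgnore(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("#"));
}

// Which file does npm consult, and with which patterns?
function effectiveIgnore(npmignore, gitignore) {
  if (npmignore !== null) {
    // An empty .npmignore still wins, which is the documented override.
    return { source: ".npmignore", patterns: parseIgnore(npmignore) };
  }
  if (gitignore !== null) {
    return { source: ".gitignore", patterns: parseIgnore(gitignore) };
  }
  return { source: null, patterns: [] };
}

// Patterns Git ignores that npm no longer sees because .npmignore took over.
// Textual comparison only (no glob matching), so treat the result as a review list.
function droppedGitPatterns(npmignore, gitignore) {
  if (npmignore === null || gitignore === null) return [];
  const kept = new Set(parseIgnore(npmignore));
  return parseIgnore(gitignore).filter((p) => !p.startsWith("!") && !kept.has(p));
}

// Constructed sample contents: dist/ is meant to ship, .env is not.
const sampleGitignore = "# local files\n.env\ncoverage/\ndist/\n";
const sampleNpmignore = "test/\ncoverage/\n";

console.log(effectiveIgnore(sampleNpmignore, sampleGitignore).source);
console.log(droppedGitPatterns(sampleNpmignore, sampleGitignore));
```

In a real project the two strings would be the contents of the files at the package root; each pattern reported is either an intended difference (such as build output) or something to copy into .npmignore.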
More information on what to put in .npmignore files: Should I .npmignore my tests?