Yes that’s what most people do, here are some npmignore files for popular Node.js modules:
https://github.com/socketio/socket.io/blob/ab46351a8446516fb4eea3b8333f7c0f18afaac5/.npmignore
Other people allowlist what they want published in their package.json files setting:
https://github.com/senchalabs/connect/blob/master/package.json
https://github.com/strongloop/express/blob/master/package.json