If you manually create a bundle with npx fusion zip and you have an .npmrc-encrypted file, both the regular .npmrc and the encrypted one gets added to the bundle. I understand this won't be an issue with CI/CD. But it seems like the zip process should protect user where it can. It would also be helpful to generate a warning that the zip file contains an unencrypted .npmrc and point them to the docs to create an encrypted one.
This is a good idea and we'll look to implement this in the future. Thanks!