Security concerns with the GH_TOKEN #7747
Comments
For everyone who is interested, this is currently the only way to use 2 different tokens:
.env
package.json
Attention: This key can read any repositories in your account as this is a personal access token.
@mleister97 I'm concerned about the exposure of token in client side code, even if it's a read only token. You explicitly set the token inside your client basically. Doesn't matter if it's in an env variable or not, the final bundle will still contain the token. So anyone can go through the file and find the token, right? I can't think of any workaround either... Is there really no other way to do it?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
This issue was closed because it has been stalled for 30 days with no activity.
I would really like to draw attention to this issue & reopen it again
#5688
Currently, it is not possible to use different keys/tokens for publishing and reading private repositories, except by manually modifying the token using the setFeedURL function. For security reasons, I kindly request you to reopen the issue.