config.gypi file contains envinroment variables including proxy authentication credentials

[animedbz16]

Essentially, I need to set my http_proxy environment variable in order to connect to the internet via our proxy server to install modules via npm.

I recently noticed that for a specific module there was a build/config.gypi file that appears to actually contain my proxy environment settings, which seems to be a security issue.

Just wanted to follow this up here since this issue may have not been related to the original module where I had opened an issue. More information can be found there:

websockets/ws#400

[Trott]

@nodejs/node-gyp Should this remain open?

[bnoordhuis]

Depends on whether it's harmful. node-gyp doesn't store the http_proxy environment variable, it stores the npm_config_* variables (from .npmrc and the command line) that npm passes to node-gyp. That's used to pass additional build options so that can't be removed.

We could filter specific variables but that might still break some add-ons. You don't normally redistribute config.gypi so I don't really see the harm in leaving it as-is.