
fix(bundling): prevent sensitive keys from being bundled #22413

Merged
merged 1 commit into from Mar 20, 2024

Conversation

jaysoo
Member

@jaysoo jaysoo commented Mar 20, 2024

This PR removes NX_CLOUD_ENCRYPTION_KEY and NX_CLOUD_ACCESS_TOKEN from being bundled into application code. This could happen if the process.env object is used, such as:

const { NX_FOO } = process.env;

The build process swaps out process.env with the object containing all NX_ environment variables, including the secrets. This problem was noted by Payfit and Hasura.

In Nx 19, we will introduce a breaking change to only bundle in vars prefixed with NX_PUBLIC.

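The mechanism in the PR description is easiest to see with a small model of the build step. The following is an added example, not Nx's code: it collects NX_-prefixed variables into the object that replaces `process.env` in the bundle, shows how a whole-object use such as `const { NX_FOO } = process.env;` inlines every collected key, and then applies the two mitigations the description mentions (the denylist for the two sensitive keys in this PR, and the NX_PUBLIC allowlist planned for Nx 19). The environment values, the `NX_PUBLIC_` prefix spelling, the text-substitution `bundle()` helper (real bundlers rewrite the AST, but the inlining effect is the same) and the `leakedKeys()` check are all assumptions of this example.

```javascript
// Added example (not Nx's own code): models how a define-style replacement of
// `process.env` can leak secrets into a bundle, and two ways to prevent it.

// Constructed sample environment. The secret values are placeholders.
const SAMPLE_ENV = {
  NX_FOO: 'foo-value',
  NX_PUBLIC_API_URL: 'https://api.example.test',
  NX_CLOUD_ENCRYPTION_KEY: 'PLACEHOLDER_ENCRYPTION_KEY',
  NX_CLOUD_ACCESS_TOKEN: 'PLACEHOLDER_ACCESS_TOKEN',
  HOME: '/home/ci', // not NX_-prefixed, never collected
};

// The two keys this PR stops bundling.
const SENSITIVE_KEYS = ['NX_CLOUD_ENCRYPTION_KEY', 'NX_CLOUD_ACCESS_TOKEN'];

// "Before": every NX_-prefixed variable goes into the replacement object.
function collectEnvBefore(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (k.startsWith('NX_')) out[k] = v;
  }
  return out;
}

// "After" (this PR): same collection, with the sensitive keys removed.
function collectEnvAfter(env) {
  const out = collectEnvBefore(env);
  for (const k of SENSITIVE_KEYS) delete out[k];
  return out;
}

// Direction described for Nx 19: allowlist by prefix instead of denylisting
// individual keys, so a new secret added later is not exposed by default.
// (The exact prefix spelling `NX_PUBLIC_` is an assumption of this example.)
function collectEnvPublicOnly(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (k.startsWith('NX_PUBLIC_')) out[k] = v;
  }
  return out;
}

// Simulated build step: substitute the literal text `process.env` with the
// collected object. A whole-object use like `const { NX_FOO } = process.env;`
// therefore inlines every key, not just NX_FOO.
function bundle(source, envObject) {
  return source.replace(/\bprocess\.env\b/g, JSON.stringify(envObject));
}

// Defender-side check a CI job could run over the emitted bundle: report any
// sensitive key name or value that made it into the output.
function leakedKeys(bundledSource, env) {
  return SENSITIVE_KEYS.filter(
    (k) => bundledSource.includes(k) || bundledSource.includes(env[k])
  );
}

// Constructed application source that destructures the whole object.
const APP_SOURCE = 'const { NX_FOO } = process.env;\nconsole.log(NX_FOO);';

function demo(env = SAMPLE_ENV) {
  const before = bundle(APP_SOURCE, collectEnvBefore(env));
  const after = bundle(APP_SOURCE, collectEnvAfter(env));
  const publicOnly = bundle(APP_SOURCE, collectEnvPublicOnly(env));
  return {
    leakedBefore: leakedKeys(before, env),         // both secrets inlined
    leakedAfter: leakedKeys(after, env),           // none
    leakedPublicOnly: leakedKeys(publicOnly, env), // none
    publicOnlyKeys: Object.keys(collectEnvPublicOnly(env)),
    bundledBefore: before,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the three bundle variants' leak reports; the "before" bundle contains both placeholder secrets verbatim, while the denylist and the prefix allowlist both produce a clean bundle. The allowlist is the more robust of the two because it fails closed when a new secret-bearing variable appears in the environment.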

vercel bot commented Mar 20, 2024

The latest updates on your projects.

1 Ignored Deployment
Name: nx-dev
Status: Ignored
Updated (UTC): Mar 20, 2024 4:48pm

@jaysoo jaysoo marked this pull request as ready for review March 20, 2024 14:27
@jaysoo jaysoo requested review from a team as code owners March 20, 2024 14:27
@jaysoo jaysoo requested a review from mandarini March 20, 2024 14:27
@jaysoo jaysoo force-pushed the fix_sensitive_env_vars branch 3 times, most recently from 5fd72ce to 7e3c019 March 20, 2024 16:31
@jaysoo jaysoo merged commit b7ffb25 into master Mar 20, 2024
6 checks passed
@jaysoo jaysoo deleted the fix_sensitive_env_vars branch March 20, 2024 17:01
FrozenPandaz pushed a commit that referenced this pull request Mar 25, 2024

This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 27, 2024