[Security Issue] My secrets was opened via a self built ruby.wasm file

[youchan]

After publishing the ruby.wasm file created by the rbwasm build command (and the rbwasm pack command) on GitHub, my GitHub private access token was leaked.
I believe it was likely embedded through environment variables.
Is it possible for the rbwasm build command and the rbwasm pack command to embed environment variables? If this is indeed the behavior, it seems like a security issue that requires improvement.

[kateinoigakukun]

Thanks a lot for reporting this, and we’re really sorry that 🙇

You’re right, host environment variables could end up embedded in the output, which is definitely not the intended behavior. We’ve prepared a fix here: #609 and will cut a new release as soon as the CI passes.

[youchan]

Thanks for the quick response.

I immediately revoke tokens after github report me leaking tokens. So it is no probrem.