Pegos

Reputation: 183

Publish npm secret key in public repository

I have a question about GitHub.

I published an npm secret key in a public repository and GitHub deleted this key. But I don't understand: could someone have seen this key and had time to download my packages?

Upvotes: 0

Views: 207

Answers (1)

bk2204

Reputation: 76804

As the GitHub documentation states, any secrets you push to a repository must be considered to be compromised. There are services which do scan repositories for secrets in an attempt to exploit them immediately.

If you're concerned about whether someone's misused those credentials, you can see if npm has a list of recent actions taken with that token and see if it was used by someone other than you. Barring that, you just have to assume that someone did indeed have the access of that token during the time it was exposed and do appropriate forensic investigations.

Upvotes: 1
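One way to start the forensic check the answer describes, as an added example that is not part of the original answer: list every version of a package that was published while the token was exposed, with its publisher and any install hooks. The package name, timestamps and packument are constructed sample data; this covers publishes only, since reads of private packages leave no trace in registry metadata.

```javascript
// Added example: flag versions published while a leaked npm token was live.
// The packument below is constructed sample data, shaped like the JSON served
// at https://registry.npmjs.org/<package> ("time" map, per-version manifests).
const samplePackument = {
  name: "example-pkg", // hypothetical package name
  time: {
    created: "2023-01-10T09:00:00.000Z",
    modified: "2024-03-02T11:30:00.000Z",
    "1.0.0": "2023-01-10T09:00:00.000Z",
    "1.0.1": "2024-03-02T11:30:00.000Z",
    "1.0.2": "not-a-date",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "owner" }, scripts: { test: "node test.js" } },
    "1.0.1": { _npmUser: { name: "owner" }, scripts: { postinstall: "node setup.js" } },
    "1.0.2": { _npmUser: { name: "owner" } },
  },
};

const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Return every version whose publish time falls inside [exposedFrom, revokedAt],
// plus any version whose timestamp cannot be parsed (treated as suspect).
function publishesDuringExposure(packument, exposedFrom, revokedAt) {
  const start = Date.parse(exposedFrom);
  const end = Date.parse(revokedAt);
  if (Number.isNaN(start) || Number.isNaN(end) || start > end) {
    throw new RangeError("exposure window must be two valid ISO dates, start <= end");
  }
  const findings = [];
  for (const [version, stamp] of Object.entries(packument.time || {})) {
    if (version === "created" || version === "modified") continue; // not versions
    const published = Date.parse(stamp);
    const unparsable = Number.isNaN(published);
    if (!unparsable && (published < start || published > end)) continue;
    const manifest = (packument.versions || {})[version] || {};
    findings.push({
      version,
      published: unparsable ? null : new Date(published).toISOString(),
      publisher: manifest._npmUser ? manifest._npmUser.name : "unknown",
      // Install hooks run on every consumer's machine, so review them first.
      installHooks: INSTALL_HOOKS.filter((h) => manifest.scripts && manifest.scripts[h]),
    });
  }
  return findings;
}

console.log(publishesDuringExposure(samplePackument,
  "2024-03-02T10:00:00Z", "2024-03-02T12:00:00Z"));
```

Any version it reports that you did not publish yourself should be treated as untrusted, along with whatever else the token had access to.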
