TIFU: I used .npmignore

Published: August 24, 2024
Tags: TIFU - Today I F***ked Up

How .npmignore Led to a Security Nightmare

Today, I learned the hard way that even the smallest oversight can lead to catastrophic consequences. It all started when I decided to use .npmignore to manage which files should be excluded from my npm package. Little did I know, this would result in an accidental leak of sensitive information.

The Setup

I was working on a new project and wanted to make sure that only the necessary files were included in my npm package. So, I created a .npmignore file to exclude things like my node_modules directory, .env files, and other development artifacts. Feeling pretty confident, I published my package to the npm registry.

The Mistake

What I didn’t realize was that my .npmignore file was not configured correctly. Instead of excluding my .env file, which contained API keys and other secrets, I accidentally included it. This meant that when I published my package, all my secrets were exposed to the public.

The Fallout

I quickly realized my mistake when I saw an alert that my API keys were publicly visible. Panic set in as I scrambled to check the resources my API keys could access and revoke all the compromised keys. I had to go through the tedious process of updating my secrets across multiple services.

Lessons Learned

  1. Double-check your .npmignore file: make sure every sensitive file is excluded before publishing. Remember that when a .npmignore file exists, npm uses it instead of .gitignore, so a .env entry that only lives in .gitignore no longer protects you once you add a .npmignore.
  2. Prefer the files field in package.json: it is an allowlist, so anything you forget to list stays out of the tarball by default, the opposite of .npmignore's ship-by-default behaviour.
  3. Use environment variables: store secrets in the process environment rather than in files sitting in the project tree.
    1. If you use .env files anyway because you are lazy like me, look into mozilla/sops so the values are encrypted at rest.
  4. Automate security checks: add a prepublishOnly script or a CI step that inspects the tarball and fails the publish if a secret-looking file is inside.
  5. Review before you publish: run npm pack --dry-run (or npm publish --dry-run) and read the file list before hitting the publish button.
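The following script ties lessons 2, 4 and 5 together. It is an added example, not code from the original post: it reads the JSON that `npm pack --dry-run --json` prints (assumed to be npm 7 or newer, where the report contains a `files` array of `{ path, size, mode }`), flags paths that must never be published, and warns when package.json has no `files` allowlist. It deliberately does not reimplement npm's ignore rules; whatever npm says it would pack is what gets checked. The sample pack output and manifest at the bottom are constructed so the script runs offline; the `--live` flag is this example's own convention for running it against the current directory.

```javascript
// Added example (not from the original post): a pre-publish guard for npm
// packages. It checks the tarball contents npm itself reports instead of
// guessing what .npmignore will do.

// Paths that should never be in a published tarball.
const SENSITIVE_PATTERNS = [
  /(^|\/)\.env(\..+)?$/,                // .env, .env.local, .env.production ...
  /(^|\/)\.npmrc$/,                     // npm auth tokens
  /\.(pem|key|p12|pfx)$/,               // private keys and keystores
  /(^|\/)id_(rsa|dsa|ecdsa|ed25519)$/,  // SSH private keys
  /(^|\/)credentials(\.json)?$/,        // cloud SDK credential files
  /(^|\/)\.git(\/|$)/,                  // a stray .git directory
];

// Files that match the patterns above but are normally fine to ship: they
// document the expected variable names and carry no real values.
const ALLOWED_EXCEPTIONS = [/\.env\.(example|sample|template)$/];

// Return the paths in a pack report that look like secrets. `packJson` is the
// parsed output of `npm pack --dry-run --json`: an array of reports, each with
// a `files` array of { path, size, mode } (assumption: npm 7+ output shape).
function findSensitiveFiles(packJson) {
  const reports = Array.isArray(packJson) ? packJson : [packJson];
  const flagged = [];
  for (const report of reports) {
    for (const file of report.files || []) {
      const p = file.path;
      const suspicious = SENSITIVE_PATTERNS.some((re) => re.test(p));
      const excepted = ALLOWED_EXCEPTIONS.some((re) => re.test(p));
      if (suspicious && !excepted) flagged.push(p);
    }
  }
  return flagged;
}

// An allowlist (`files` in package.json) is safer than a denylist
// (.npmignore): a new secret file is excluded by default instead of shipped
// by default. Returns true when the manifest uses one.
function usesFilesAllowlist(pkg) {
  return Array.isArray(pkg.files) && pkg.files.length > 0;
}

// Constructed sample of what `npm pack --dry-run --json` prints for a package
// whose .npmignore forgot .env. Only the fields used here are shown.
const SAMPLE_PACK_OUTPUT = [
  {
    name: "my-lib",
    version: "1.0.0",
    files: [
      { path: "package.json", size: 412, mode: 420 },
      { path: "dist/index.js", size: 9071, mode: 420 },
      { path: ".env", size: 138, mode: 420 },
      { path: ".env.example", size: 40, mode: 420 },
      { path: "config/credentials.json", size: 2201, mode: 420 },
      { path: "README.md", size: 1200, mode: 420 },
    ],
  },
];

// Constructed manifest with no "files" field, i.e. relying on .npmignore.
const SAMPLE_MANIFEST = { name: "my-lib", version: "1.0.0" };

function main() {
  const live = process.argv.includes("--live");
  let packJson = SAMPLE_PACK_OUTPUT;
  let manifest = SAMPLE_MANIFEST;
  if (live) {
    // Real run: ask npm what it would publish from the current directory.
    const { execFileSync } = require("child_process");
    const fs = require("fs");
    const out = execFileSync("npm", ["pack", "--dry-run", "--json"], { encoding: "utf8" });
    packJson = JSON.parse(out);
    manifest = JSON.parse(fs.readFileSync("package.json", "utf8"));
  }

  if (!usesFilesAllowlist(manifest)) {
    console.warn('warning: package.json has no "files" allowlist; .npmignore is a denylist, so new files ship by default');
  }
  const flagged = findSensitiveFiles(packJson);
  if (flagged.length === 0) {
    console.log("ok: no sensitive files in the tarball");
  } else {
    console.error("REFUSING TO PUBLISH, sensitive files in tarball:");
    for (const p of flagged) console.error("  " + p);
    if (live) process.exitCode = 1; // a non-zero exit aborts `npm publish` from prepublishOnly
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

Save it as, for example, scripts/check-tarball.js and wire it in as `"prepublishOnly": "node scripts/check-tarball.js --live"`; npm runs prepublishOnly before it builds the tarball for `npm publish`, so a flagged file stops the publish instead of being found by a leaked-credential alert afterwards. Without `--live` the script runs against the constructed sample, which reports `.env` and `config/credentials.json` and lets `.env.example` through.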

Conclusion

Using .npmignore carelessly can lead to serious security issues. Always take the time to review your configuration and understand what’s being included in your package. This experience taught me the importance of vigilance and thoroughness when it comes to managing sensitive information.