publish-please
Checking for the sensitive data returns false positives
Hi!
Checking for the sensitive data returns false positives for an almost empty repository.
Env
$ node -v
v10.14.1
$ npm -v
6.5.0
How to reproduce? Clone https://github.com/owlcode/publish-please-repro
$ npx publish-please --dry-run
dry mode activated
-------------------------
Running pre-publish script
-------------------------
> [email protected] test /publish-please-repro
> echo "WARN: no test specified" && exit 0
WARN: no test specified
-------------------
👍 👍 👍
Running validations
-------------------------
✓ Checking for the vulnerable dependencies
✓ Checking for the uncommitted changes
✓ Checking for the untracked files
✖ Checking for the sensitive and non-essential data in the npm package
✓ Validating branch
✓ Validating git tag
ERRORS
* Sensitive or non essential data found in npm package: dist/scripts/index.js
Hi @falsyvalues , thank you for your feedback.
The scripts folder is flagged as being sensitive data because that kind of folder mainly contains shell scripts, and it is possible that a shell script contains sensitive data.
It would be nice if you could provide the original repo on which you found that problem, so I can check what this folder really contains.
You may apply a workaround: copy the .sensitivedata file of the publish-please repo to the root of your project. In this file, remove or adapt the scripts section.
If inside your scripts folder there is only one file called index.js, I agree with you that it should not be flagged as sensitive. In this case I will modify the built-in .sensitivedata asap to handle this use case, and I will notify you when a new publish-please release is published.
Hi @hdorgeval, I can't share the original repo, but as you may see above it can return false positives for almost empty folders. publish-please-repro contains only one file with a console log (in my case we store only js files there). Maybe we could adapt this check? For example, examine the files inside the folder and, if all of them are js, don't mark it as sensitive.
Thanks for hint about .sensitivedata
👍
In my experience a scripts folder containing shell scripts is always a top-level directory. A scripts folder in a subdirectory often contains files meant to be consumed by a browser. I currently have a similar issue as @falsyvalues. I have a subfolder called scripts which contains an index.js file. In my case the contents of the scripts folder are used as template by a site generator. I can share the repository if this helps.
Using .sensitiveData is an option but not a very good one imho, because whoever uses it will miss out on any updates in the original file unless the contents of the original file are copied after each update. A way to exclude some files from the sensitive data check would be better, I think.
Hi @nponiros, thank you for the feedback. I fully agree with you. You have the possibility to exclude some files from the sensitive data check by creating a .publishrc file by running this command:
npx publish-please config
Follow the questions and add any exclusion you want to have. Then you could remove the .sensitivedata file.
Thanks for the info @hdorgeval. I didn't know that I can ignore files in the config file. Is this option documented in the README? I had an older config file with "sensitiveData": true and didn't know that I can use an object with an ignore property.
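As an added illustration (not publish-please's own code), the snippet below shows how a glob-driven sensitive-data check flags a lone dist/scripts/index.js purely because of the directory name, and how an ignore list of the kind discussed above removes the false positive. The patterns, the minimal glob matcher and the package file list are assumptions constructed for this example, not the tool's real .sensitivedata or .publishrc handling.

```javascript
// Convert a simple glob (supports **, *, ?) to a RegExp anchored on the full path.
// This is a constructed stand-in for whatever matcher the real tool uses.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*') {
      if (glob[i + 1] === '*') {
        // "**/" matches zero or more directory levels; trailing "**" matches the rest
        if (glob[i + 2] === '/') { re += '(?:.*/)?'; i += 2; }
        else { re += '.*'; i += 1; }
      } else {
        re += '[^/]*'; // a single "*" never crosses a directory boundary
      }
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&'); // escape regex metacharacters
    }
  }
  return new RegExp('^' + re + '$');
}

// Constructed patterns in the spirit of a .sensitivedata list: a whole "scripts"
// directory is suspect, as are private keys and dotenv files anywhere.
const SENSITIVE_PATTERNS = ['**/scripts/**', '**/*.pem', '**/.env'];

// Report files matching a sensitive pattern unless an ignore glob exempts them.
function findSensitiveFiles(files, ignore = []) {
  const flag = SENSITIVE_PATTERNS.map(globToRegExp);
  const skip = ignore.map(globToRegExp);
  return files.filter(f => flag.some(r => r.test(f)) && !skip.some(r => r.test(f)));
}

// Constructed file list mirroring the reproduction repo from this thread.
const PACKAGE_FILES = ['package.json', 'dist/scripts/index.js', 'dist/index.js'];

// Without an ignore list the directory rule fires on the lone index.js;
// an ignore entry scoped to that path clears it.
console.log(findSensitiveFiles(PACKAGE_FILES));
console.log(findSensitiveFiles(PACKAGE_FILES, ['dist/scripts/*.js']));
```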