fix: remove hardcoded API key and use config.js approach #91 NSoC'26#98
fix: remove hardcoded API key and use config.js approach #91 NSoC'26#98PapuliDoley wants to merge 1 commit into
Conversation
|
@PapuliDoley is attempting to deploy a commit to the aditya-ai00's projects Team on Vercel. A member of the Team first needs to authorize it. |
|
| GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
|---|---|---|---|---|---|
| 30476928 | Triggered | Generic High Entropy Secret | 23c932d | script.js | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
|
The GitGuardian alert is for the original hardcoded key that existed in the codebase before this fix. This PR is specifically fixing that security issue by removing the hardcoded key and replacing it with the config.js approach. The key in the alert belongs to the original repo and should be revoked by the maintainer. |
|
Hi @PapuliDoley, Thanks for working on this security fix — removing the hardcoded API key is definitely the right approach. However, the GitGuardian check is still failing and detecting a secret in this PR. Even if the key existed earlier, we cannot proceed with merging while a secret is still being flagged. Please make sure that:
Also, I’ll take care of revoking and rotating the existing API key from the repository side. Once the PR passes the security checks and is fully clean, I’ll review it again for merge. Thanks! |
Fixes #91
Problem
The WeatherAPI key was hardcoded directly in "script.js"
Changes Made
already present in the project
~ How It Works Now
Testing
NSoC'26