Why this is P0
GitHub secret scanning shows 1 open secret alert in this repo as of April 16, 2026.
- Secret type: Google API Key
- Alert:
https://github.com/wcpos/monorepo/security/secret-scanning/1
- Location:
node_modules/@react-native/debugger-frontend/dist/third-party/front_end/models/crux-manager/crux-manager.js
- Commit:
d4a934fb8ec426e17f1033883e048ac0802cc394
- GitHub reports
publicly_leaked: true
What needs doing
- Confirm whether this key is truly owned/used by WCPOS or only vendored third-party code.
- If WCPOS-owned, rotate/revoke it immediately.
- Remove committed
node_modules / vendored dependency blobs containing secrets or public API keys.
- Add/verify ignore rules so generated dependencies are not committed again.
- Re-run secret scanning and resolve/dismiss the alert with evidence.
Suggested order
- Identify whether the key is active and WCPOS-owned.
- Remove the vendored blob from git history going forward (and ideally from current branch state immediately).
- Resolve the GitHub secret-scanning alert.
Notes
The alert appears inside committed node_modules, which strongly suggests this repo is carrying third-party artifacts that should not be in source control.
Why this is P0
GitHub secret scanning shows 1 open secret alert in this repo as of April 16, 2026.
https://github.com/wcpos/monorepo/security/secret-scanning/1node_modules/@react-native/debugger-frontend/dist/third-party/front_end/models/crux-manager/crux-manager.jsd4a934fb8ec426e17f1033883e048ac0802cc394publicly_leaked: trueWhat needs doing
node_modules/ vendored dependency blobs containing secrets or public API keys.Suggested order
Notes
The alert appears inside committed
node_modules, which strongly suggests this repo is carrying third-party artifacts that should not be in source control.