Skip to content

Security P0: remove vendored Google API key and stop tracking node_modules #323

Description

@kilbot

Why this is P0

GitHub secret scanning shows 1 open secret alert in this repo as of April 16, 2026.

  • Secret type: Google API Key
  • Alert: https://github.com/wcpos/monorepo/security/secret-scanning/1
  • Location: node_modules/@react-native/debugger-frontend/dist/third-party/front_end/models/crux-manager/crux-manager.js
  • Commit: d4a934fb8ec426e17f1033883e048ac0802cc394
  • GitHub reports publicly_leaked: true

What needs doing

  • Confirm whether this key is truly owned/used by WCPOS or only vendored third-party code.
  • If WCPOS-owned, rotate/revoke it immediately.
  • Remove committed node_modules / vendored dependency blobs containing secrets or public API keys.
  • Add/verify ignore rules so generated dependencies are not committed again.
  • Re-run secret scanning and resolve/dismiss the alert with evidence.

Suggested order

  1. Identify whether the key is active and WCPOS-owned.
  2. Remove the vendored blob from git history going forward (and ideally from current branch state immediately).
  3. Resolve the GitHub secret-scanning alert.

Notes

The alert appears inside committed node_modules, which strongly suggests this repo is carrying third-party artifacts that should not be in source control.

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority/P0Critical: expedite ahead of all other work

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    In Progress

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions