fix: scope client secret diagnostics#252
aidenybai wants to merge 19 commits into
Avoid reporting weak secret-name heuristics in config and tooling files, and render framework-specific public env guidance so non-Next.js projects get actionable output.
🔴 React Review — 0/100 (unchanged) · No new issues. Reviewed by react-review for commit 414a840.
Extend the weak client-secret heuristic boundary to common server and tooling paths while keeping exact secret-shape detection active, and move recommendation helpers into focused utilities.
Require rc config filenames to be explicit so normal source files like src.ts still use the weak secret-name heuristic.
Add regression coverage that explicit rc config files remain outside the weak client-secret name heuristic while regular src.ts files still report.
Keep client API helpers covered while making the server-only heuristic exclusions easier to audit.
…-scope-regression
Format the inherited TODO tracker so PR merge-commit checks can pass.
Gate the weak secret-name heuristic on explicit client exposure while keeping high-confidence secret values active everywhere.
Lock down client, server, ambiguous-source, and App Router cases for the client-secret heuristic.
Use detected framework settings to avoid path-only client exposure guesses for app directories and server-owned source roots.
Classify use-server modules as server code so client-path heuristics do not report server action constants.
Cover mixed server-only scopes, server-owned source roots, and additional client entry shapes so the weak secret heuristic stays scoped to bundled client code.
Classify secret exposure from project-relative paths and gate Next-only route heuristics so explicit client signals win over broad server path names.
Avoid weak secret-name diagnostics for UI copy and storage-key prefixes found during evals while preserving client secret fallback coverage.
Bring the PR up to date with main and keep the oxlint output parser changes compatible with the new batched scan retry flow.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 4f4db99.
Keep camel-case apiKey variables eligible for the weak secret heuristic while retaining UI text and storage prefix suppressions.
…-scope-regression
Keep the new prerelease metadata from main aligned with the repository formatter so CI can pass on the PR merge commit.
Bring the PR up to date with the latest prerelease metadata and keep the changeset state formatted after the merge.

Summary

`vite.config.ts` false positive.

Test plan

nr build
nr test -- rule-messages
nr typecheck

Note

Medium Risk

Changes the `no-secrets-in-client-code` rule's detection heuristics and file classification, which can materially change which projects/files get flagged (potential false negatives/positives). Adds new oxlint settings plumbing (framework/root) that, if mis-set, could affect rule behavior across scans.

Overview

Tightens `no-secrets-in-client-code` so the variable-name heuristic only runs for files classified as client-exposed, avoiding noisy reports in config/tooling/test/server contexts while still flagging known secret-value patterns everywhere.

Adds framework-aware help text for this rule (e.g. `NEXT_PUBLIC_*` vs `VITE_*`/`REACT_APP_*`/`GATSBY_*`) by passing `project.framework` and a realpathed `rootDirectory` into oxlint `settings`, and using them both for recommendation text and file-exposure classification.

Introduces new utilities (`classifySecretFileExposure`, `isInsideServerOnlyScope`, `getIdentifierTrailingWord`, plus expanded security path patterns) and a large regression suite covering these cases across Next.js/Vite/Expo/TanStack and common directory/file naming conventions.

Reviewed by Cursor Bugbot for commit 414a840. Bugbot is set up for automated code reviews on this repo.
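The gating the summary describes, as an added JavaScript sketch that is not the project's code: it borrows the three utility names listed above, but the rc/config path patterns, the secret-value shapes, the framework prefix table and the sample files are constructed assumptions, and the explicit `"use client"`/`"use server"` directive checks stand in for the project's richer classification.

```javascript
// Added sketch of the scoping the PR summary describes; names are borrowed, bodies are not the project's.
const PUBLIC_ENV_PREFIX = { next: 'NEXT_PUBLIC_', vite: 'VITE_', cra: 'REACT_APP_', gatsby: 'GATSBY_' };
// Rc configs must be explicit dotfiles so a plain "src.ts" is never treated as tooling.
const CONFIG_OR_TOOLING = /(^|\/)(\.[\w-]+rc(\.\w+)?|[^/]+\.(config|test|spec)\.[cm]?[jt]sx?)$/;
const SERVER_PATH = /(^|\/)(server|api)\//;
// Illustrative secret-shaped values (constructed for this example, not the rule's real list).
const HIGH_CONFIDENCE_VALUE = /^(sk_live_|AKIA)[A-Za-z0-9]{12,}$/;
const WEAK_TRAILING_WORDS = new Set(['secret', 'key', 'token', 'password']);
// 'clientSecret' -> 'secret', 'STRIPE_API_KEY' -> 'key', 'apiKey' -> 'key'
function getIdentifierTrailingWord(name) {
  const words = name.replace(/([a-z0-9])([A-Z])/g, '$1 $2').split(/[\s_]+/);
  return words[words.length - 1].toLowerCase();
}
function isInsideServerOnlyScope(relPath, source) {
  return /^['"]use server['"]/.test(source.trimStart()) || SERVER_PATH.test(relPath);
}
// An explicit client directive wins over a broad server-looking path; tooling is never a bundle.
function classifySecretFileExposure(relPath, source) {
  if (CONFIG_OR_TOOLING.test(relPath)) return 'tooling';
  if (/^['"]use client['"]/.test(source.trimStart())) return 'client';
  return isInsideServerOnlyScope(relPath, source) ? 'server' : 'client';
}

function publicEnvHelp(framework) {
  const prefix = PUBLIC_ENV_PREFIX[framework];
  if (!prefix) return 'Read this value on the server; client bundles are public.';
  return `Only ${prefix}* env vars belong in the client bundle; read this value on the server.`;
}

// Weak name heuristic only in client-exposed files; secret-shaped values fire everywhere.
function scanFile({ relPath, source, framework }) {
  const exposure = classifySecretFileExposure(relPath, source);
  const findings = [];
  for (const [, name, , value] of source.matchAll(/\b(?:const|let|var)\s+(\w+)\s*=\s*(['"`])([^'"`]+)\2/g)) {
    if (HIGH_CONFIDENCE_VALUE.test(value)) {
      findings.push({ name, exposure, reason: 'secret-shaped value' });
    } else if (exposure === 'client' && WEAK_TRAILING_WORDS.has(getIdentifierTrailingWord(name)) && !/\s/.test(value)) {
      findings.push({ name, exposure, reason: 'secret-like name', help: publicEnvHelp(framework) }); // spaced values are UI copy
    }
  }
  return findings;
}

const SAMPLE_FILES = [ // constructed inputs, not from any real project
  { relPath: 'vite.config.ts', framework: 'vite', source: "const apiKey = 'dev-local-key';" },
  { relPath: 'src/checkout.tsx', framework: 'vite', source: "const stripeSecretKey = 'placeholder';\nconst missingKey = 'Enter your API key';" },
  { relPath: 'src/server/stripe.ts', framework: 'vite', source: "const stripeSecretKey = 'placeholder';" },
  { relPath: 'app/actions.ts', framework: 'next', source: "'use server';\nconst token = 'sk_live_EXAMPLE0000000000';" },
  { relPath: 'src/server/widgets/Widget.tsx', framework: 'next', source: "'use client';\nconst authToken = 'abc123';" },
];
```

Running `scanFile` over `SAMPLE_FILES` reports only the client-side `stripeSecretKey`, the `"use client"` `authToken` despite its `server/` path, and the secret-shaped `token` inside the server action; the config file, the server-path file and the UI copy string stay silent.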