New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unwanted files are committed to the repository #2598
Comments
^^ We also faced this situation today, where a Google Cloud Platform service account keyfile has been committed and pushed to |
We are also experiencing this, I don't see a valid reason why these files should be added to git after release. Maybe this one helps, we could add the "-u" flag to only add modified pathes, but do not add "new" files generated during build process: In the meantime we have to downgrade lerna, as this is is a breaking change for us. |
Agreed this isn't great, and posted in the original PR with my comment before noticing this. I mentioned that I hoped someone wouldn't have sensitive info published into their repo/package but it looks like it's already happened! @sunlanterns @evocateur |
@simllll Unfortunately using the "-u" flag doesn't solve the original issue this change was for as it would mean that lerna wouldn't correctly add any new packages you may have created between the last release and the current one. As for the actual code solution - It seems correct to me that if you have any files that show up in your repo that you don't want pushed/published they should be gitignored, and then lerna should respect the gitignore. This way it's a defined config you're relying on and not just a side-effect of the way lerna happens to do things. As for the versioning/release documentation, I'm not a proper maintainer, just a contributor, so @evocateur made the decisions there, and might have some explanation for why it was released the way it was. |
I'm seeing comments about this being broken for days. This was merged 4 days ago and only released yesterday. Why would someone work directly off of master / auto updating without checking merges for breaking changes. Seems more likely to keep the |
Version 3.22.0 was published 3 days ago (Sun May 24 2020 23:05:55 GMT+0000 (UTC))
Because some people may (wrongly?) believe that lerna uses semver and minor change should not introduce breaking changes?
I would agree with this one, especially if there would be some notice about possible consequences
Not sure, that I understand this part, @ediabal |
@cy6erskunk I was mistaken with the timeline with the release & I agree that it would have been best to follow semantic versioning. The last part you have me quoted for is to try to get your Overall this wouldn't be an issue if |
@sunlanterns I tried to read all related threads, but I still don't get it, why should lerna be responsible to add build artifacts? E.g. you have a simple typescript project, but also some plain .js files in it... Now tsc builds type defs and translates ts files to js files. Perfectly fine, this is what I want to deploy, but I definitely do not want these files to get checked in. I see .gitignore to protect general things to not get checked in,but making hundrets of exceptions for all ts files that are compiled to js files and still letting other "plain" js files "be committed" doesn't sound like a very good plan. There are a lot of other scenarios too, e.g. like people said before: adding credentials, temporary files etc..it's a build pipeline we are talking about. Isn't it like it should be the general approach to not auto add all build artifacts and as it is mentioned in the original bug issue that the opposite (of checking in all build artifacts) is a very special case? |
@simllll To further explain, the basic use case that wasn't working was:
When you add all current files instead with git, it automatically works around the files you've already added to your .gitignore as intended. Hopefully that explanation makes sense. To be honest, I don't understand how you wouldn't get frustrated with not adding all your build artifacts to .gitignore - after lerna has finished wouldn't you have to go delete all those extra files so that you don't commit them to your git repo as you continue to work? |
Thanks @sunlanterns for explaining your scenario. I guess I need to set this up in a demo to see the whole picture, your build is building artifacts that you want to deploy, but these artifacts are "complete" packages (they have their own package.json's). You still ignore these artifacts through gitignore, but lerna wasn't able to publish these packages somehow.
What I'm still struggling with, is the gitignore approach: Back to the original issue, can you confirm my two points above? If I understand correctly it would be sufficient if we find a way to let lerna publish these newly created packages without any error message (e.g. maybe https://codeclimber.net.nz/archive/2016/12/19/ignoring-files-on-git-but-just-for-a-while-with-assume-unchanged/) |
@ediabal well, we do have fixed versions in
Once again, I do agree, that it is a great idea to have a proper In my opinion, adding an option to the
@sunlanterns One would not be frustrated with not adding the build artifacts (or even build environment stuff), which are only generated/used in CI, especially when a clean environment is created for every build. |
@simllll
@cy6erskunk But I really do believe that if you have "files I don't want merged to github" the correct solution is to add them to the gitignore since that's it's express purpose. |
@sunlanterns I don't disagree with you on the matter of |
I very much agree with @cy6erskunk comment, in my case there are workarounds to get a "more" valid npmignore, but it's a lot of effort and several changes are needed to get this running. And there are only "workarounds" because typescript allows me to define some stuff. There are other build tools out there which do not do that though in this fashion. Committing (and especially the side effect of it: adding unversioned files) still doesn't seem as a valid default for me. Thank you for your thoughts how we could solve it @sunlanterns ! I looked into several ways, unfortunately I couldn't find any easy & any kind of bullet proof fix. Last approach I tried was that I basically modify the gitignore during "lerna build" and dynamically get untracked files (via git status), commit this .gitignore file and try to overcome with this somehow.. but still this is hacky and super unreliable. In the end I probobaly would need to run "assume untracked" manually too. It just doesn't feel right. Anyway, regarding your last point: |
@simllll I also agree there should be an easier way for you to add these files to |
I had a couple of directories in my repo that were not meant to be committed. Lerna committed them. This is an obvious security risk that should not need explanation. |
@evocateur this is a major security incident that needs intervention by a maintainer. Note that we have also reported this to npm. |
@evocateur to extend on this, the suggestions to explicitly exclude files in .gitignore are impractical and outright unrealistic. They would require any and every file that could possibly be created or moved to the working directory knowingly or unknowingly by me or by any program that I run to be added to .gitignore, or else they WILL get published without prompt for review or confirmation. The lack of sensitivity to the severity of this issue is very surprising to me. People have their private credentials published without their knowledge as we speak. |
Is there any progress on this? I just ran into similar troubles in another "older" project, there are Gulpfile tasks that create files, with a random chunk in it (based on the filecontent, it uses "usemin" and other optimizations tasks), they lie in the same folder than the original file though, and therefore it's basically impossible to find a valid gitignore rule. Had to downgrade lerna there too to get things running again. |
I'm familiar with a project that leaked secrets due to this bug. For whatever it's worth, I think that leaks caused by this bug are going to be under-reported. Developers don't want to draw attention to them. |
@openjck thanks for reporting and agreed, people don't go advertising that their credentials have leaked. |
The lack of attention to this issue is rather disheartening. Let me try tagging all of the maintainers @evocateur @gigabo @hzoo @ndelangen @xtuc |
I'd appreciate some empathy as a burnt-out maintainer that attempted to solve an issue for a random stranger on the internet and made a mistake. Very close to quitting for real (instead of burnout-induced intentionally-ignoring) thanks to all of your "helpful" comments in this thread. But don't let me stop you from feeling entitled to my volunteer labor, by all means please continue to attack me. @sunlanterns Thank you for being patient, more patient than I have energy for right now, in explaining the fact (that I agree with wholeheartedly) that a properly-specified I just cannot believe people can't be bothered to add files containing secrets to their bloody ignore files, as if Lerna made a contract with them read their minds and always do the right thing. Just boggling. Yes, I probably should have put this behavior behind a flag, but there wasn't exactly a lot of activity on the PR beyond the original author, and it seemed fine to me at the time. That's why I felt it didn't merit a major. SemVer isn't the law. It's a convention implemented by humans. Humans can make mistakes. |
I feel you @evocateur, I know how it feels. Nobody is attacking anyone. You sound like a capable individual so I'm sure you understand that people get a bit freaked out when they unexpectedly have their secrets published and then feel helpless when nobody responds for two weeks. While I wholeheartedly believe that the only safe security policy to publishing is to whitelist all safe files and not blacklist all unsafe files (practicality issues aside, like you said, humans can make mistakes, and gitignore is for git which involves a multi-step stage, commit and push process), this isn't something you need to solve personally. If you feel close to burnout then by all means take time for yourself and pass the torch to maintain this repo to someone else! We're certainly grateful for this tool and for all your efforts. Having over 40 thousand repos that use lerna requires a certain level of responsiveness to security issues, and I'm sure you know of people who are qualified and happy to help out. So again, thanks for your contributions and let's see what consensus can be reached here! |
Released as v3.22.1. Thanks all for your patience. |
Thanks @evocateur, appreciate the quick turn around in the end! As for making this the new default in the next major release, it may be worth asking the community for their vote on the preferred default behaviour. Cheers! |
Unwanted files are committed to a repository after updating Lerna to version
3.22.0
(which contains the change added in #2445).At least this change does not feel like a minor one, it definitely should be explicitly documented, not only in that PR description.
Expected Behavior
If temporary files are generated during build, they should not be committed back to the repository.
At least this beahviour should not be default, but rather enabled with a switch.
Current Behavior
All untracked files are committed by default.
Possible Solution
Gitignore all the stuff would work, but it should not be.
Steps to Reproduce (for bugs)
Your Environment
lerna --version
The text was updated successfully, but these errors were encountered: