Preflight Checklist
Issue Summary
The extension ships with a .env file at the extension root containing GH_TOKEN, VSCE_PAT, and OVSX_PAT. These appear to be publishing credentials that were accidentally included in the packaged extension.
This gets flagged by security scanners (e.g., Kolide) and exposes the tokens to anyone who installs the extension.
Reproduction Repository
https://github.com/prettier/prettier-vscode/
Steps to Reproduce
Kolide flagged the file on my work laptop.
- Navigate to .vscode/extensions/rvest.vs-code-prettier-eslint-6.0.0/.env
- Are these values that you intended to be public?
Expected Behavior
Software env files should remain private
Actual Behavior
The env file is publicly available
Operating System
macOS
IDE
VSCode
IDE Version
1.125.1
Prettier Extension Version
12.4.0
Prettier Version
3.6.2
Prettier Extension Logs
I am not sure how to get these. It is not a bug on my local machine.
Prettier Configuration
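A consumer-side check for the problem described in this report, added here as an example; it is not code from the report or from the prettier-vscode project. It walks an installed-extensions directory (the default is ~/.vscode/extensions, which is an assumption about the reporter's setup) and can also inspect a .vsix before it is installed, since a .vsix is a zip with the extension's files under extension/. It parses every .env-style file it finds and reports keys whose names look like credentials; GH_TOKEN, VSCE_PAT and OVSX_PAT are the names from the report, the wider key-name pattern and the sample contents are constructed for the example.

```python
"""Audit installed VS Code extensions and .vsix packages for shipped .env credentials."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Key names that commonly hold publishing credentials. GH_TOKEN, VSCE_PAT and
# OVSX_PAT are the ones named in the report; the broader suffix list is an assumption.
SECRET_KEY_RE = re.compile(r"(TOKEN|PAT|SECRET|PASSWORD|API_KEY)$", re.IGNORECASE)

# Constructed sample .env contents; these are not real credentials.
SAMPLE_ENV = """# constructed sample, not real credentials
GH_TOKEN=ghp_EXAMPLE0000000000000000000000000000
VSCE_PAT="exampleVscePat0000"
export OVSX_PAT='exampleOvsxPat0000'
NODE_ENV=production
EMPTY_TOKEN=
"""


def parse_dotenv(text):
    """Parse KEY=VALUE lines; skips blanks and comments, tolerates 'export ' and quotes."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip().strip("'\"")
    return pairs


def redact(value):
    """Keep a short prefix so a finding can be matched to a token without exposing it."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def findings_from_env(location, text):
    """Return (location, key, redacted_value) for every non-empty secret-looking key."""
    return [(location, key, redact(value))
            for key, value in parse_dotenv(text).items()
            if SECRET_KEY_RE.search(key) and value]


def scan_extensions_dir(root):
    """Walk an extensions directory and scan every .env, .env.local, .env.production, ..."""
    findings = []
    for path in Path(root).rglob(".env*"):
        if path.is_file():
            findings.extend(findings_from_env(str(path), path.read_text(errors="replace")))
    return findings


def scan_vsix(vsix_path):
    """Scan a .vsix (a zip; extension files live under extension/) before installing it."""
    findings = []
    with zipfile.ZipFile(vsix_path) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1].startswith(".env"):
                text = zf.read(name).decode("utf-8", errors="replace")
                findings.extend(findings_from_env(f"{vsix_path}:{name}", text))
    return findings


def build_sample():
    """Construct a fake extensions tree and a fake .vsix in a temp dir for demonstration."""
    tmp = Path(tempfile.mkdtemp())
    ext_dir = tmp / "extensions" / "example.publisher-extension-1.0.0"  # assumed layout
    ext_dir.mkdir(parents=True)
    (ext_dir / "package.json").write_text("{}")
    (ext_dir / ".env").write_text(SAMPLE_ENV)
    vsix = tmp / "example.vsix"
    with zipfile.ZipFile(vsix, "w") as zf:
        zf.writestr("extension/package.json", "{}")
        zf.writestr("extension/.env", SAMPLE_ENV)
    return tmp / "extensions", vsix


if __name__ == "__main__":
    sample_root, sample_vsix = build_sample()
    for target in (sample_root, os.path.expanduser("~/.vscode/extensions")):
        if os.path.isdir(target):
            for location, key, value in scan_extensions_dir(target):
                print(f"{location}: {key}={value}")
    for location, key, value in scan_vsix(sample_vsix):
        print(f"{location}: {key}={value}")
```

The scan only reports keys with a non-empty value, so an `EMPTY_TOKEN=` placeholder is ignored while the three keys from the report are listed with their values redacted. The publisher-side fix is to exclude `.env` in `.vscodeignore`, which vsce honours when packaging, and to rotate any token that was already shipped; the scan above is what a consumer can run to confirm whether an installed version still carries the file.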