npm - @bobfrankston/npmglobalize - Versions diffs - 1.0.115 → 1.0.116 - Mend

@bobfrankston/npmglobalize 1.0.115 → 1.0.116

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -127,6 +127,16 @@ npmglobalize --fix        # Runs npm audit fix
 npmglobalize --no-fix
 ```
+### 🔑 OAuth Credentials Handling
+`npmglobalize` automatically detects `credentials.json` files and handles them based on OAuth app type:
+- **Desktop/installed apps** (`"installed"` key in JSON): The `client_secret` is just a public app registration ID, not a real secret. Google's own docs state: *"the client_secret is obviously not treated as a secret."* These files are kept in the repo — `!credentials.json` is added to `.gitignore`/`.npmignore` to override any broader ignore patterns.
+- **Web apps** (`"web"` key in JSON): The `client_secret` is a real secret. These files are automatically added to `.gitignore`/`.npmignore` to prevent accidental exposure.
+This distinction also drives the **push protection auto-bypass**: when GitHub blocks a push because it detects an OAuth client secret, `npmglobalize` checks the credential file type. For installed apps, it auto-bypasses (marking as `false_positive`) since the credential is public by design.
 ### 🔄 File Reference Management
 **Default behavior** (restore file: references after publish):

package/lib.js CHANGED Viewed

@@ -1440,30 +1440,51 @@ function parsePushProtection(errorOutput, cwd) {
         return result;
     }
     result.detected = true;
-    // Split on secret-type headers: "—— Secret Type ————..."
-    const blocks = cleaned.split(/\u2014\u2014\s+/).slice(1);
-    for (const block of blocks) {
-        const typeMatch = block.match(/^(.+?)[\s\u2014]+/);
-        const type = typeMatch ? typeMatch[1].trim() : '';
-        if (!type)
-            continue;
-        const pathMatch = block.match(/path:\s+(\S+?)(?::(\d+))?\s/);
-        const file = pathMatch ? pathMatch[1].trim() : '';
-        const urlMatch = block.match(/(https:\/\/github\.com\/\S+\/unblock-secret\/\S+)/);
-        const unblockUrl = urlMatch ? urlMatch[1].trim() : '';
-        if (type && (file || unblockUrl)) {
-            result.secrets.push({ type, file, unblockUrl });
+    // Match secret blocks using a single regex across any dash characters
+    // Pattern: "-- Type Name ---..." then "path: file:line" then "unblock-secret/id" URL
+    // Handles em-dash (—), en-dash (–), and regular dash (-)
+    const secretRegex = /[-\u2014\u2013]{2,}\s+(.+?)\s+[-\u2014\u2013]{2,}[\s\S]*?path:\s+(\S+?)(?::\d+)?\s[\s\S]*?(https:\/\/github\.com\/\S+\/unblock-secret\/\S+)/g;
+    let match;
+    while ((match = secretRegex.exec(cleaned)) !== null) {
+        result.secrets.push({
+            type: match[1].trim(),
+            file: match[2].trim(),
+            unblockUrl: match[3].trim()
+        });
+    }
+    // If regex didn't match (encoding issues), fall back to finding unblock URLs + paths
+    if (result.secrets.length === 0) {
+        const urlRegex = /(https:\/\/github\.com\/\S+\/unblock-secret\/\S+)/g;
+        const pathRegex = /path:\s+(\S+?)(?::\d+)?\s/g;
+        const urls = [];
+        const files = [];
+        let m;
+        while ((m = urlRegex.exec(cleaned)) !== null)
+            urls.push(m[1].trim());
+        while ((m = pathRegex.exec(cleaned)) !== null)
+            files.push(m[1].trim());
+        // Try to detect secret type from text
+        const hasOAuth = cleaned.toLowerCase().includes('oauth');
+        const secretType = hasOAuth ? 'Google OAuth Credential' : 'Secret';
+        for (let i = 0; i < Math.max(urls.length, files.length); i++) {
+            result.secrets.push({
+                type: secretType,
+                file: files[i] || '',
+                unblockUrl: urls[i] || ''
+            });
         }
     }
     // Check if all detected secrets are from Google OAuth installed apps (safe to include)
     if (result.secrets.length > 0) {
         result.allInstalledOAuth = result.secrets.every(s => {
-            if (!s.type.toLowerCase().includes('oauth'))
-                return false;
             if (!s.file)
                 return false;
+            // Check by type name OR by inspecting the actual credential file
             const credType = detectCredentialsTypeFromFile(path.join(cwd, s.file));
-            return credType === 'installed';
+            if (credType === 'installed')
+                return true;
+            // Also match if the type name mentions OAuth (even if file check failed)
+            return s.type.toLowerCase().includes('oauth') && credType !== 'web';
         });
     }
     return result;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bobfrankston/npmglobalize",
-  "version": "1.0.115",
+  "version": "1.0.116",
   "description": "Transform file: dependencies to npm versions for publishing",
   "main": "index.js",
   "type": "module",