@netlify/build 32.1.4 → 33.0.0

package/lib/core/build.d.ts

@@ -32,7 +32,7 @@ export declare const startBuild: (flags: Partial<BuildFlags>) => {
     };
 };
 export declare const execBuild: any;
-export declare const runAndReportBuild: ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, packagePath, buildDir, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, buildbotServerSocket, constants, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, timers, sendStatus, saveConfig, testOpts, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, edgeFunctionsBootstrapURL, eventHandlers, }: {
+export declare const runAndReportBuild: ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, packagePath, buildDir, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, buildbotServerSocket, constants, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, timers, sendStatus, saveConfig, testOpts, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, eventHandlers, }: {
     pluginsOptions: any;
     netlifyConfig: any;
     defaultConfig: any;
@@ -75,6 +75,7 @@ export declare const runAndReportBuild: ({ pluginsOptions, netlifyConfig, defaul
     quiet: any;
     integrations: any;
     explicitSecretKeys: any;
+    enhancedSecretScan: any;
     edgeFunctionsBootstrapURL: any;
     eventHandlers: any;
 }) => Promise<{

package/lib/core/build.js

@@ -33,7 +33,7 @@ export const startBuild = function (flags) {
     const errorMonitor = startErrorMonitor({ flags: { debug, systemLogFile, ...flagsA }, logs, bugsnagKey });
     return { ...flagsA, debug, systemLogFile, errorMonitor, logs, timers };
 };
-const tExecBuild = async function ({ config, defaultConfig, cachedConfig, cachedConfigPath, outputConfigPath, cwd, packagePath, repositoryRoot, apiHost, token, siteId, accountId, context, branch, baseRelDir, env: envOpt, debug, systemLogFile, verbose, nodePath, functionsDistDir, edgeFunctionsDistDir, cacheDir, dry, mode, offline, deployId, buildId, testOpts, errorMonitor, errorParams, logs, timers, buildbotServerSocket, sendStatus, saveConfig, featureFlags, timeline, devCommand, quiet, framework, explicitSecretKeys, edgeFunctionsBootstrapURL, eventHandlers, }) {
+const tExecBuild = async function ({ config, defaultConfig, cachedConfig, cachedConfigPath, outputConfigPath, cwd, packagePath, repositoryRoot, apiHost, token, siteId, accountId, context, branch, baseRelDir, env: envOpt, debug, systemLogFile, verbose, nodePath, functionsDistDir, edgeFunctionsDistDir, cacheDir, dry, mode, offline, deployId, buildId, testOpts, errorMonitor, errorParams, logs, timers, buildbotServerSocket, sendStatus, saveConfig, featureFlags, timeline, devCommand, quiet, framework, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, eventHandlers, }) {
     const configOpts = getConfigOpts({
         config,
         defaultConfig,
@@ -139,6 +139,7 @@ const tExecBuild = async function ({ config, defaultConfig, cachedConfig, cached
         quiet,
         integrations,
         explicitSecretKeys,
+        enhancedSecretScan,
         edgeFunctionsBootstrapURL,
         eventHandlers,
     });
@@ -155,7 +156,7 @@ const tExecBuild = async function ({ config, defaultConfig, cachedConfig, cached
 };
 export const execBuild = measureDuration(tExecBuild, 'total', { parentTag: 'build_site' });
 // Runs a build then report any plugin statuses
-export const runAndReportBuild = async function ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, packagePath, buildDir, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, buildbotServerSocket, constants, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, timers, sendStatus, saveConfig, testOpts, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, edgeFunctionsBootstrapURL, eventHandlers, }) {
+export const runAndReportBuild = async function ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, packagePath, buildDir, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, buildbotServerSocket, constants, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, timers, sendStatus, saveConfig, testOpts, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, eventHandlers, }) {
     try {
         const { stepsCount, netlifyConfig: netlifyConfigA, statuses, pluginsOptions: pluginsOptionsA, failedPlugins, timers: timersA, configMutations, metrics, } = await initAndRunBuild({
             pluginsOptions,
@@ -200,6 +201,7 @@ export const runAndReportBuild = async function ({ pluginsOptions, netlifyConfig
             quiet,
             integrations,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
             eventHandlers,
         });
@@ -262,7 +264,7 @@ export const runAndReportBuild = async function ({ pluginsOptions, netlifyConfig
     }
 };
 // Initialize plugin processes then runs a build
-const initAndRunBuild = async function ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, sendStatus, saveConfig, timers, testOpts, buildbotServerSocket, constants, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, edgeFunctionsBootstrapURL, eventHandlers, }) {
+const initAndRunBuild = async function ({ pluginsOptions, netlifyConfig, defaultConfig, configOpts, siteInfo, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, packageJson, userNodeVersion, childEnv, context, branch, dry, mode, api, token, errorMonitor, deployId, errorParams, logs, debug, systemLog, systemLogFile, verbose, sendStatus, saveConfig, timers, testOpts, buildbotServerSocket, constants, featureFlags, timeline, devCommand, quiet, integrations, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, eventHandlers, }) {
     const pluginsEnv = {
         ...childEnv,
         ...getBlobsEnvironmentContext({ api, deployId: deployId, siteId: siteInfo?.id, token }),
@@ -351,6 +353,7 @@ const initAndRunBuild = async function ({ pluginsOptions, netlifyConfig, default
             devCommand,
             quiet,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
             eventHandlers,
         });
@@ -386,7 +389,7 @@ const initAndRunBuild = async function ({ pluginsOptions, netlifyConfig, default
 };
 // Load plugin main files, retrieve their event handlers then runs them,
 // together with the build command
-const runBuild = async function ({ childProcesses, pluginsOptions, netlifyConfig, defaultConfig, configOpts, packageJson, configPath, outputConfigPath, userNodeVersion, headersPath, redirectsPath, buildDir, repositoryRoot, packagePath, nodePath, childEnv, context, branch, dry, buildbotServerSocket, constants, mode, api, errorMonitor, deployId, errorParams, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, timeline, devCommand, quiet, explicitSecretKeys, edgeFunctionsBootstrapURL, eventHandlers, }) {
+const runBuild = async function ({ childProcesses, pluginsOptions, netlifyConfig, defaultConfig, configOpts, packageJson, configPath, outputConfigPath, userNodeVersion, headersPath, redirectsPath, buildDir, repositoryRoot, packagePath, nodePath, childEnv, context, branch, dry, buildbotServerSocket, constants, mode, api, errorMonitor, deployId, errorParams, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, timeline, devCommand, quiet, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, eventHandlers, }) {
     const { pluginsSteps, timers: timersA } = await loadPlugins({
         pluginsOptions,
         childProcesses,
@@ -439,6 +442,7 @@ const runBuild = async function ({ childProcesses, pluginsOptions, netlifyConfig
         quiet,
         userNodeVersion,
         explicitSecretKeys,
+        enhancedSecretScan,
         edgeFunctionsBootstrapURL,
     });
     return {

package/lib/core/flags.d.ts

@@ -182,4 +182,9 @@ export const FLAGS: {
         describe: string;
         hidden: boolean;
     };
+    enhancedSecretScan: {
+        boolean: boolean;
+        hidden: boolean;
+        describe: string;
+    };
 };

package/lib/core/flags.js

@@ -216,4 +216,9 @@ Default: false`,
         describe: 'Env var keys that are marked as secret explicitly.',
         hidden: true,
     },
+    enhancedSecretScan: {
+        boolean: true,
+        hidden: true,
+        describe: 'Scan for potential secrets in all env vars',
+    },
 };

package/lib/log/messages/config.js

@@ -51,6 +51,7 @@ const INTERNAL_FLAGS = [
     'systemLogFile',
     'timeline',
     'explicitSecretKeys',
+    'enhancedSecretScan',
     'edgeFunctionsBootstrapURL',
     'eventHandlers',
 ];

package/lib/log/messages/core_steps.js

@@ -94,10 +94,23 @@ export const logSecretsScanSuccessMessage = function (logs, msg) {
     log(logs, msg, { color: THEME.highlightWords });
 };
 export const logSecretsScanFailBuildMessage = function ({ logs, scanResults, groupedResults }) {
+    const { secretMatches, enhancedSecretMatches } = groupedResults;
     logErrorSubHeader(logs, `Scanning complete. ${scanResults.scannedFilesCount} file(s) scanned. Secrets scanning found ${scanResults.matches.length} instance(s) of secrets in build output or repo code.\n`);
-    Object.keys(groupedResults).forEach((key) => {
+    // Explicit secret matches
+    Object.keys(secretMatches).forEach((key) => {
         logError(logs, `Secret env var "${key}"'s value detected:`);
-        groupedResults[key]
+        secretMatches[key]
+            .sort((a, b) => {
+            return a.file > b.file ? 0 : 1;
+        })
+            .forEach(({ lineNumber, file }) => {
+            logError(logs, `found value at line ${lineNumber} in ${file}`, { indent: true });
+        });
+    });
+    // Likely secret matches from enhanced scan
+    Object.keys(enhancedSecretMatches).forEach((key) => {
+        logError(logs, `Env var "${key}"'s value detected as a likely secret value:`);
+        enhancedSecretMatches[key]
             .sort((a, b) => {
             return a.file > b.file ? 0 : 1;
         })

package/lib/plugins/node_version.d.ts

@@ -15,11 +15,9 @@ export type PluginsOptions = {
  * usually the system's Node.js version.
  * If the user Node version does not satisfy our supported engine range use our own system Node version
  */
-export declare const addPluginsNodeVersion: ({ featureFlags, pluginsOptions, nodePath, userNodeVersion, logs, systemLog, }: {
-    featureFlags: any;
+export declare const addPluginsNodeVersion: ({ pluginsOptions, nodePath, userNodeVersion, logs }: {
     pluginsOptions: any;
     nodePath: any;
     userNodeVersion: any;
     logs: any;
-    systemLog: any;
 }) => Promise<any[]>;

package/lib/plugins/node_version.js

@@ -1,15 +1,12 @@
-import { dirname } from 'path';
 import { execPath, version as currentVersion } from 'process';
 import semver from 'semver';
 import link from 'terminal-link';
 import { logWarning, logWarningSubHeader } from '../log/logger.js';
-import { getPackageJson } from '../utils/package.js';
 /**
  * This node version is minimum required to run the plugins code.
  * If the users preferred Node.js version is below that we have to fall back to the system node version
  */
-const MINIMUM_REQUIRED_NODE_VERSION = '^14.14.0 || >=16.0.0';
-const UPCOMING_MINIMUM_REQUIRED_NODE_VERSION = '>=18.14.0';
+const MINIMUM_REQUIRED_NODE_VERSION = '>=18.14.0';
 /**
  * Local plugins and `package.json`-installed plugins use user's preferred Node.js version if higher than our minimum
  * supported version. Else default to the system Node version.
@@ -17,19 +14,17 @@ const UPCOMING_MINIMUM_REQUIRED_NODE_VERSION = '>=18.14.0';
  * usually the system's Node.js version.
  * If the user Node version does not satisfy our supported engine range use our own system Node version
  */
-export const addPluginsNodeVersion = function ({ featureFlags, pluginsOptions, nodePath, userNodeVersion, logs, systemLog, }) {
+export const addPluginsNodeVersion = function ({ pluginsOptions, nodePath, userNodeVersion, logs }) {
     const currentNodeVersion = semver.clean(currentVersion);
     return Promise.all(pluginsOptions.map((pluginOptions) => addPluginNodeVersion({
-        featureFlags,
         pluginOptions,
         currentNodeVersion,
         userNodeVersion,
         nodePath,
         logs,
-        systemLog,
     })));
 };
-const addPluginNodeVersion = async function ({ featureFlags, pluginOptions, pluginOptions: { loadedFrom, packageName, pluginPath }, currentNodeVersion, userNodeVersion, nodePath, logs, systemLog, }) {
+const addPluginNodeVersion = async function ({ pluginOptions, pluginOptions: { loadedFrom, packageName }, currentNodeVersion, userNodeVersion, nodePath, logs, }) {
     const systemNode = { ...pluginOptions, nodePath: execPath, nodeVersion: currentNodeVersion };
     const userNode = { ...pluginOptions, nodePath, nodeVersion: userNodeVersion };
     const isLocalPlugin = loadedFrom === 'local' || loadedFrom === 'package.json';
@@ -37,33 +32,12 @@ const addPluginNodeVersion = async function ({ featureFlags, pluginOptions, plug
     if (isUIOrAutoInstalledPlugin) {
         return systemNode;
     }
-    if (featureFlags.build_warn_upcoming_system_version_change &&
-        !semver.satisfies(userNodeVersion, UPCOMING_MINIMUM_REQUIRED_NODE_VERSION)) {
-        if (pluginPath) {
-            const pluginDir = dirname(pluginPath);
-            const { packageJson: pluginPackageJson } = await getPackageJson(pluginDir);
-            // Ensure Node.js version is compatible with plugin's `engines.node`
-            const pluginNodeVersionRange = pluginPackageJson?.engines?.node;
-            if (!pluginNodeVersionRange) {
-                systemLog(`plugin "${packageName}" does not specify node support range`);
-            }
-            else if (semver.satisfies('22.0.0', pluginNodeVersionRange)) {
-                systemLog(`plugin "${packageName}" node support range includes v22`);
-            }
-            else {
-                systemLog(`plugin "${packageName}" node support range does NOT include v22`);
-            }
-        }
-        else {
-            systemLog(`plugin "${packageName}" pluginPath not available`);
-        }
-    }
     if (semver.satisfies(userNodeVersion, MINIMUM_REQUIRED_NODE_VERSION)) {
         return userNode;
     }
     logWarningSubHeader(logs, `Warning: ${packageName} will be executed with Node.js version ${currentNodeVersion}`);
     logWarning(logs, `  The plugin cannot be executed with your defined Node.js version ${userNodeVersion}
 
-  Read more about our minimum required version in our ${link('forums announcement', 'https://answers.netlify.com/t/build-plugins-dropping-support-for-node-js-12/79421')}`);
+  Read more about our minimum required version in our ${link('forums announcement', 'https://answers.netlify.com/t/build-plugins-end-of-support-for-node-js-14-node-js-16/136405')}`);
     return systemNode;
 };

package/lib/plugins/resolve.js

@@ -15,12 +15,10 @@ export const resolvePluginsPath = async function ({ pluginsOptions, siteInfo, bu
     const autoPluginsDir = getAutoPluginsDir(buildDir, packagePath);
     const pluginsOptionsA = await Promise.all(pluginsOptions.map((pluginOptions) => resolvePluginPath({ pluginOptions, buildDir, packagePath, autoPluginsDir })));
     const pluginsOptionsB = await addPluginsNodeVersion({
-        featureFlags,
         pluginsOptions: pluginsOptionsA,
         nodePath,
         userNodeVersion,
         logs,
-        systemLog,
     });
     const pluginsOptionsC = await addPinnedVersions({ pluginsOptions: pluginsOptionsB, api, siteInfo, sendStatus });
     const pluginsOptionsD = await addExpectedVersions({

package/lib/plugins_core/secrets_scanning/index.js

@@ -3,9 +3,9 @@ import { addErrorInfo } from '../../error/info.js';
 import { log } from '../../log/logger.js';
 import { logSecretsScanFailBuildMessage, logSecretsScanSkipMessage, logSecretsScanSuccessMessage, } from '../../log/messages/core_steps.js';
 import { reportValidations } from '../../status/validations.js';
-import { getFilePathsToScan, getSecretKeysToScanFor, groupScanResultsByKey, isSecretsScanningEnabled, scanFilesForKeyValues, } from './utils.js';
+import { getFilePathsToScan, getNonSecretKeysToScanFor, getSecretKeysToScanFor, groupScanResultsByKeyAndScanType, isSecretsScanningEnabled, scanFilesForKeyValues, } from './utils.js';
 const tracer = trace.getTracer('secrets-scanning');
-const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecretKeys, systemLog, deployId, api, }) {
+const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecretKeys, enhancedSecretScan, systemLog, deployId, api, }) {
     const stepResults = {};
     const passedSecretKeys = (explicitSecretKeys || '').split(',');
     const envVars = netlifyConfig.build.environment;
@@ -21,9 +21,14 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
     if (envVars['SECRETS_SCAN_OMIT_PATHS'] !== undefined) {
         log(logs, `SECRETS_SCAN_OMIT_PATHS override option set to: ${envVars['SECRETS_SCAN_OMIT_PATHS']}\n`);
     }
-    const keysToSearchFor = getSecretKeysToScanFor(envVars, passedSecretKeys);
+    const explicitSecretKeysToScanFor = getSecretKeysToScanFor(envVars, passedSecretKeys);
+    const potentialSecretKeysToScanFor = enhancedSecretScan ? getNonSecretKeysToScanFor(envVars, passedSecretKeys) : [];
+    const keysToSearchFor = explicitSecretKeysToScanFor.concat(potentialSecretKeysToScanFor);
     if (keysToSearchFor.length === 0) {
-        logSecretsScanSkipMessage(logs, 'Secrets scanning skipped because no env vars marked as secret are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.');
+        const msg = enhancedSecretScan
+            ? 'Secrets scanning skipped because no env vars are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.'
+            : 'Secrets scanning skipped because no env vars marked as secret are set to non-empty/non-trivial values or they are all omitted with SECRETS_SCAN_OMIT_KEYS env var setting.';
+        logSecretsScanSkipMessage(logs, msg);
         return stepResults;
     }
     // buildDir is the repository root or the base folder
@@ -35,6 +40,8 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
         return stepResults;
     }
     let scanResults;
+    let secretMatches;
+    let enhancedSecretMatches;
     await tracer.startActiveSpan('scanning-files', { attributes: { keysToSearchFor, totalFiles: filePaths.length } }, async (span) => {
         scanResults = await scanFilesForKeyValues({
             env: envVars,
@@ -42,9 +49,13 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
             base: buildDir,
             filePaths,
         });
+        secretMatches = scanResults.matches.filter((match) => explicitSecretKeysToScanFor.includes(match.key));
+        enhancedSecretMatches = scanResults.matches.filter((match) => potentialSecretKeysToScanFor.includes(match.key));
         const attributesForLogsAndSpan = {
-            secretsScanFoundSecrets: scanResults.matches.length > 0,
-            secretsScanMatchesCount: scanResults.matches.length,
+            secretsScanFoundSecrets: secretMatches.length > 0,
+            enhancedSecretsScanFoundSecrets: enhancedSecretMatches.length > 0,
+            secretsScanMatchesCount: secretMatches.length,
+            enhancedSecretsScanMatchesCount: enhancedSecretMatches.length,
             secretsFilesCount: scanResults.scannedFilesCount,
             keysToSearchFor,
         };
@@ -55,7 +66,8 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
     if (deployId !== '0') {
         const secretScanResult = {
             scannedFilesCount: scanResults?.scannedFilesCount ?? 0,
-            secretsScanMatches: scanResults?.matches ?? [],
+            secretsScanMatches: secretMatches ?? [],
+            enhancedSecretsScanMatches: enhancedSecretMatches ?? [],
         };
         reportValidations({ api, secretScanResult, deployId, systemLog });
     }
@@ -65,15 +77,22 @@ const coreStep = async function ({ buildDir, logs, netlifyConfig, explicitSecret
     }
     // at this point we have found matching secrets
     // Output the results and fail the build
-    logSecretsScanFailBuildMessage({ logs, scanResults, groupedResults: groupScanResultsByKey(scanResults) });
+    logSecretsScanFailBuildMessage({
+        logs,
+        scanResults,
+        groupedResults: groupScanResultsByKeyAndScanType(scanResults, potentialSecretKeysToScanFor),
+    });
     const error = new Error(`Secrets scanning found secrets in build.`);
     addErrorInfo(error, { type: 'secretScanningFoundSecrets' });
     throw error;
 };
-// We run this core step if the build was run with explicit secret keys. This
-// is passed from BB to build so only accounts that are allowed to have explicit
-// secrets and actually have them will have them.
-const hasExplicitSecretsKeys = function ({ explicitSecretKeys }) {
+// We run this core step if the build was run with explicit secret keys or if enhanced secret scanning is enabled.
+// This is passed from BB to build so only accounts that are allowed to have explicit
+// secrets and actually have them / have enhanced secret scanning enabled will have them.
+const hasExplicitSecretsKeysOrEnhancedScanningEnabled = function ({ explicitSecretKeys, enhancedSecretScan, }) {
+    if (enhancedSecretScan) {
+        return true;
+    }
     if (typeof explicitSecretKeys !== 'string') {
         return false;
     }
@@ -85,5 +104,5 @@ export const scanForSecrets = {
     coreStepId: 'secrets_scanning',
     coreStepName: 'Secrets scanning',
     coreStepDescription: () => 'Scanning for secrets in code and build output.',
-    condition: hasExplicitSecretsKeys,
+    condition: hasExplicitSecretsKeysOrEnhancedScanningEnabled,
 };

package/lib/plugins_core/secrets_scanning/utils.d.ts

@@ -16,6 +16,7 @@ interface MatchResult {
 export type SecretScanResult = {
     scannedFilesCount: number;
     secretsScanMatches: MatchResult[];
+    enhancedSecretsScanMatches: MatchResult[];
 };
 /**
  * Determine if the user disabled scanning via env var
@@ -36,6 +37,16 @@ export declare function isSecretsScanningEnabled(env: Record<string, unknown>):
  * @returns string[]
  */
 export declare function getSecretKeysToScanFor(env: Record<string, unknown>, secretKeys: string[]): string[];
+/**
+ * given the explicit secret keys and env vars, return the list of non-secret keys which should be scanned in the enhanced secret scan
+ * (i.e. any that look very likely to be secrets).
+ * This will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
+ *
+ * @param env env vars list
+ * @param secretKeys
+ * @returns string[]
+ */
+export declare function getNonSecretKeysToScanFor(env: Record<string, unknown>, secretKeys: string[]): string[];
 /**
  * Given the env and base directory, find all file paths to scan. It will look at the
  * env vars to decide if it should omit certain paths.
@@ -59,13 +70,21 @@ export declare function getFilePathsToScan({ env, base }: {
 export declare function scanFilesForKeyValues({ env, keys, filePaths, base }: ScanArgs): Promise<ScanResults>;
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
- * async in streams so order can change a lot. This function groups the results into an object
- * where the keys are the env var keys and the values are all match results for that key
+ * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,
+ * while others are part of the enhanced secret scan.
+ *
+ * This function groups the results into an object where the results are separate into the secretMatches and enhancedSecretMatches,
+ * their value being an object where the keys are the env var keys and the values are all match results for that key.
  *
  * @param scanResults
  * @returns
  */
-export declare function groupScanResultsByKey(scanResults: ScanResults): {
-    [key: string]: MatchResult[];
+export declare function groupScanResultsByKeyAndScanType(scanResults: ScanResults, enhancedScanKeys?: string[]): {
+    secretMatches: {
+        [key: string]: MatchResult[];
+    };
+    enhancedSecretMatches: {
+        [key: string]: MatchResult[];
+    };
 };
 export {};

package/lib/plugins_core/secrets_scanning/utils.js

@@ -14,6 +14,40 @@ export function isSecretsScanningEnabled(env) {
     }
     return true;
 }
+function filterOmittedKeys(env, envKeys = []) {
+    if (typeof env.SECRETS_SCAN_OMIT_KEYS !== 'string') {
+        return envKeys;
+    }
+    const omitKeys = env.SECRETS_SCAN_OMIT_KEYS.split(',')
+        .map((s) => s.trim())
+        .filter(Boolean);
+    return envKeys.filter((key) => !omitKeys.includes(key));
+}
+/**
+ * Trivial values are values that are:
+ *  - empty or short strings
+ *  - string forms of booleans
+ *  - booleans
+ *  - numbers or objects with fewer than 4 chars
+ */
+function isValueTrivial(val) {
+    if (typeof val === 'string') {
+        // string forms of booleans
+        if (val === 'true' || val === 'false') {
+            return true;
+        }
+        // trivial values are empty or short strings
+        return val.trim().length < 4;
+    }
+    if (typeof val === 'boolean') {
+        // booleans are always considered trivial
+        return true;
+    }
+    if (typeof val === 'number' || typeof val === 'object') {
+        return JSON.stringify(val).length < 4;
+    }
+    return !val;
+}
 /**
  * given the explicit secret keys and env vars, return the list of secret keys which have non-empty or non-trivial values. This
  * will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
@@ -27,34 +61,52 @@ export function isSecretsScanningEnabled(env) {
  * @returns string[]
  */
 export function getSecretKeysToScanFor(env, secretKeys) {
-    let omitKeys = [];
-    if (typeof env.SECRETS_SCAN_OMIT_KEYS === 'string') {
-        omitKeys = env.SECRETS_SCAN_OMIT_KEYS.split(',')
-            .map((s) => s.trim())
-            .filter(Boolean);
-    }
-    return secretKeys.filter((key) => {
-        if (omitKeys.includes(key)) {
-            return false;
-        }
+    const filteredSecretKeys = filterOmittedKeys(env, secretKeys);
+    return filteredSecretKeys.filter((key) => !isValueTrivial(env[key]));
+}
+/**
+ * given the explicit secret keys and env vars, return the list of non-secret keys which should be scanned in the enhanced secret scan
+ * (i.e. any that look very likely to be secrets).
+ * This will also filter out keys passed in the SECRETS_SCAN_OMIT_KEYS env var.
+ *
+ * @param env env vars list
+ * @param secretKeys
+ * @returns string[]
+ */
+export function getNonSecretKeysToScanFor(env, secretKeys) {
+    const nonSecretKeys = Object.keys(env).filter((key) => !secretKeys.includes(key));
+    const filteredNonSecretKeys = filterOmittedKeys(env, nonSecretKeys);
+    const nonSecretKeysToScanFor = filteredNonSecretKeys.filter((key) => {
         const val = env[key];
-        if (typeof val === 'string') {
-            // string forms of booleans
-            if (val === 'true' || val === 'false') {
-                return false;
-            }
-            // non-trivial/non-empty values only
-            return val.trim().length > 4;
-        }
-        else if (typeof val === 'boolean') {
-            // booleans are trivial values
+        if (isValueTrivial(val)) {
             return false;
         }
-        else if (typeof val === 'number' || typeof val === 'object') {
-            return JSON.stringify(val).length > 4;
-        }
-        return !!val;
+        return isLikelySecretValue(val);
     });
+    return nonSecretKeysToScanFor;
+}
+const AWS_PREFIXES = ['aws_', 'asia'];
+const SLACK_PREFIXES = ['xoxb-', 'xwfp-', 'xoxb-', 'xoxp-', 'xapp-'];
+const LIKELY_SECRET_PREFIXES = ['pk_', 'sk_', 'pat_', 'db_', 'github_pat_', ...AWS_PREFIXES, ...SLACK_PREFIXES];
+const LIKELY_SECRET_MIN_LENGTH = 16;
+/**
+ * When the enhanced secret scan is run, we check any env vars _not_ marked as secret if they are highly likely to be secret values.
+ * For now, this means the value is a string of at least 16 chars and starts with one of the known prefixes.
+ *
+ * @param val env var value
+ * @returns boolean
+ */
+function isLikelySecretValue(val) {
+    if (typeof val !== 'string') {
+        return false;
+    }
+    if (val.length < LIKELY_SECRET_MIN_LENGTH) {
+        return false;
+    }
+    if (LIKELY_SECRET_PREFIXES.some((prefix) => val.toLowerCase().startsWith(prefix))) {
+        return true;
+    }
+    return false;
 }
 /**
  * Given the env and base directory, find all file paths to scan. It will look at the
@@ -262,41 +314,58 @@ const searchStream = (basePath, file, keyValues) => {
 };
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
- * async in streams so order can change a lot. This function groups the results into an object
- * where the keys are the env var keys and the values are all match results for that key
+ * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,
+ * while others are part of the enhanced secret scan.
+ *
+ * This function groups the results into an object where the results are separate into the secretMatches and enhancedSecretMatches,
+ * their value being an object where the keys are the env var keys and the values are all match results for that key.
  *
  * @param scanResults
  * @returns
  */
-export function groupScanResultsByKey(scanResults) {
-    const matchesByKeys = {};
+export function groupScanResultsByKeyAndScanType(scanResults, enhancedScanKeys = []) {
+    const secretMatchesByKeys = {};
+    const enhancedSecretMatchesByKeys = {};
     scanResults.matches.forEach((matchResult) => {
-        if (!matchesByKeys[matchResult.key]) {
-            matchesByKeys[matchResult.key] = [];
+        const isEnhancedCheck = enhancedScanKeys.includes(matchResult.key);
+        if (isEnhancedCheck) {
+            if (!enhancedSecretMatchesByKeys[matchResult.key]) {
+                enhancedSecretMatchesByKeys[matchResult.key] = [];
+            }
+            enhancedSecretMatchesByKeys[matchResult.key].push(matchResult);
+        }
+        else {
+            if (!secretMatchesByKeys[matchResult.key]) {
+                secretMatchesByKeys[matchResult.key] = [];
+            }
+            secretMatchesByKeys[matchResult.key].push(matchResult);
         }
-        matchesByKeys[matchResult.key].push(matchResult);
     });
     // sort results to get a consistent output and logically ordered match results
-    Object.keys(matchesByKeys).forEach((key) => {
-        matchesByKeys[key].sort((a, b) => {
-            // sort by file name first
-            if (a.file > b.file) {
-                return 1;
-            }
-            // sort by line number second
-            if (a.file === b.file) {
-                if (a.lineNumber > b.lineNumber) {
+    const sortMatches = (matchesByKeys) => {
+        Object.keys(matchesByKeys).forEach((key) => {
+            matchesByKeys[key].sort((a, b) => {
+                // sort by file name first
+                if (a.file > b.file) {
                     return 1;
                 }
-                if (a.lineNumber === b.lineNumber) {
-                    return 0;
+                // sort by line number second
+                if (a.file === b.file) {
+                    if (a.lineNumber > b.lineNumber) {
+                        return 1;
+                    }
+                    if (a.lineNumber === b.lineNumber) {
+                        return 0;
+                    }
+                    return -1;
                 }
                 return -1;
-            }
-            return -1;
+            });
         });
-    });
-    return matchesByKeys;
+    };
+    sortMatches(secretMatchesByKeys);
+    sortMatches(enhancedSecretMatchesByKeys);
+    return { secretMatches: secretMatchesByKeys, enhancedSecretMatches: enhancedSecretMatchesByKeys };
 }
 function isMultiLineVal(v) {
     return typeof v === 'string' && v.includes('\n');

package/lib/plugins_core/types.d.ts

@@ -25,6 +25,7 @@ export type CoreStepFunctionArgs = {
     featureFlags?: Record<string, any>;
     netlifyConfig: NetlifyConfig;
     explicitSecretKeys: $TSFixme;
+    enhancedSecretScan: boolean;
     buildbotServerSocket: $TSFixme;
     api: DynamicMethods;
 };

package/lib/steps/core_step.d.ts

@@ -1,4 +1,4 @@
-export declare const fireCoreStep: ({ coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, constants, buildbotServerSocket, events, logs, quiet, nodePath, childEnv, context, branch, envChanges, errorParams, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, featureFlags, debug, systemLog, saveConfig, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, deployId, outputFlusher, api, }: {
+export declare const fireCoreStep: ({ coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, constants, buildbotServerSocket, events, logs, quiet, nodePath, childEnv, context, branch, envChanges, errorParams, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, featureFlags, debug, systemLog, saveConfig, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, deployId, outputFlusher, api, }: {
     coreStep: any;
     coreStepId: any;
     coreStepName: any;
@@ -30,6 +30,7 @@ export declare const fireCoreStep: ({ coreStep, coreStepId, coreStepName, config
     saveConfig: any;
     userNodeVersion: any;
     explicitSecretKeys: any;
+    enhancedSecretScan: any;
     edgeFunctionsBootstrapURL: any;
     deployId: any;
     outputFlusher: any;

package/lib/steps/core_step.js

@@ -3,7 +3,7 @@ import { addErrorInfo, isBuildError } from '../error/info.js';
 import { addOutputFlusher } from '../log/logger.js';
 import { updateNetlifyConfig, listConfigSideFiles } from './update_config.js';
 // Fire a core step
-export const fireCoreStep = async function ({ coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, constants, buildbotServerSocket, events, logs, quiet, nodePath, childEnv, context, branch, envChanges, errorParams, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, featureFlags, debug, systemLog, saveConfig, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, deployId, outputFlusher, api, }) {
+export const fireCoreStep = async function ({ coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, constants, buildbotServerSocket, events, logs, quiet, nodePath, childEnv, context, branch, envChanges, errorParams, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, featureFlags, debug, systemLog, saveConfig, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, deployId, outputFlusher, api, }) {
     const logsA = outputFlusher ? addOutputFlusher(logs, outputFlusher) : logs;
     try {
         const configSideFiles = await listConfigSideFiles([headersPath, redirectsPath]);
@@ -35,6 +35,7 @@ export const fireCoreStep = async function ({ coreStep, coreStepId, coreStepName
             saveConfig,
             userNodeVersion,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
             deployId,
         });

package/lib/steps/run_step.d.ts

@@ -1,4 +1,4 @@
-export declare const runStep: ({ event, childProcess, packageName, coreStep, coreStepId, coreStepName, coreStepDescription, coreStepQuiet, pluginPackageJson, loadedFrom, origin, condition, configPath, outputConfigPath, buildDir, packagePath, repositoryRoot, nodePath, index, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, mode, api, errorMonitor, deployId, errorParams, error, failedPlugins, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, extensionMetadata, }: {
+export declare const runStep: ({ event, childProcess, packageName, coreStep, coreStepId, coreStepName, coreStepDescription, coreStepQuiet, pluginPackageJson, loadedFrom, origin, condition, configPath, outputConfigPath, buildDir, packagePath, repositoryRoot, nodePath, index, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, mode, api, errorMonitor, deployId, errorParams, error, failedPlugins, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, extensionMetadata, }: {
     event: any;
     childProcess: any;
     packageName: any;
@@ -50,6 +50,7 @@ export declare const runStep: ({ event, childProcess, packageName, coreStep, cor
     quiet: any;
     userNodeVersion: any;
     explicitSecretKeys: any;
+    enhancedSecretScan: any;
     edgeFunctionsBootstrapURL: any;
     extensionMetadata: any;
 }) => Promise<{}>;

package/lib/steps/run_step.js

@@ -11,7 +11,7 @@ import { firePluginStep } from './plugin.js';
 import { getStepReturn } from './return.js';
 const tracer = trace.getTracer('steps');
 // Run a step (core, build command or plugin)
-export const runStep = async function ({ event, childProcess, packageName, coreStep, coreStepId, coreStepName, coreStepDescription, coreStepQuiet, pluginPackageJson, loadedFrom, origin, condition, configPath, outputConfigPath, buildDir, packagePath, repositoryRoot, nodePath, index, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, mode, api, errorMonitor, deployId, errorParams, error, failedPlugins, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, extensionMetadata, }) {
+export const runStep = async function ({ event, childProcess, packageName, coreStep, coreStepId, coreStepName, coreStepDescription, coreStepQuiet, pluginPackageJson, loadedFrom, origin, condition, configPath, outputConfigPath, buildDir, packagePath, repositoryRoot, nodePath, index, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, mode, api, errorMonitor, deployId, errorParams, error, failedPlugins, configOpts, netlifyConfig, defaultConfig, configMutations, headersPath, redirectsPath, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, extensionMetadata, }) {
     // Add relevant attributes to the upcoming span context
     const attributes = {
         'build.execution.step.name': coreStepName,
@@ -45,6 +45,7 @@ export const runStep = async function ({ event, childProcess, packageName, coreS
             buildDir,
             saveConfig,
             explicitSecretKeys,
+            enhancedSecretScan,
             deployId,
             featureFlags,
         });
@@ -104,6 +105,7 @@ export const runStep = async function ({ event, childProcess, packageName, coreS
             featureFlags,
             userNodeVersion,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
             deployId,
             api,
@@ -170,7 +172,7 @@ export const runStep = async function ({ event, childProcess, packageName, coreS
 // or available. However, one might be created by a build plugin, in which case,
 // those core plugins should be triggered. We use a dynamic `condition()` to
 // model this behavior.
-const shouldRunStep = async function ({ event, packageName, error, packagePath, failedPlugins, netlifyConfig, condition, constants, buildbotServerSocket, buildDir, saveConfig, explicitSecretKeys, deployId, featureFlags = {}, }) {
+const shouldRunStep = async function ({ event, packageName, error, packagePath, failedPlugins, netlifyConfig, condition, constants, buildbotServerSocket, buildDir, saveConfig, explicitSecretKeys, enhancedSecretScan, deployId, featureFlags = {}, }) {
     if (failedPlugins.includes(packageName) ||
         (condition !== undefined &&
             !(await condition({
@@ -181,6 +183,7 @@ const shouldRunStep = async function ({ event, packageName, error, packagePath,
                 netlifyConfig,
                 saveConfig,
                 explicitSecretKeys,
+                enhancedSecretScan,
                 deployId,
                 featureFlags,
             })))) {
@@ -199,7 +202,7 @@ const getFireStep = function (packageName, coreStepId, event) {
     const parentTag = normalizeTagName(packageName);
     return measureDuration(tFireStep, event, { parentTag, category: 'pluginEvent' });
 };
-const tFireStep = function ({ defaultConfig, event, childProcess, packageName, pluginPackageJson, loadedFrom, outputFlusher, origin, coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, nodePath, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, error, logs, debug, quiet, systemLog, verbose, saveConfig, errorParams, configOpts, netlifyConfig, configMutations, headersPath, redirectsPath, featureFlags, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, deployId, extensionMetadata, api, }) {
+const tFireStep = function ({ defaultConfig, event, childProcess, packageName, pluginPackageJson, loadedFrom, outputFlusher, origin, coreStep, coreStepId, coreStepName, configPath, outputConfigPath, buildDir, repositoryRoot, packagePath, nodePath, childEnv, context, branch, envChanges, constants, steps, buildbotServerSocket, events, error, logs, debug, quiet, systemLog, verbose, saveConfig, errorParams, configOpts, netlifyConfig, configMutations, headersPath, redirectsPath, featureFlags, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, deployId, extensionMetadata, api, }) {
     if (coreStep !== undefined) {
         return fireCoreStep({
             coreStep,
@@ -234,6 +237,7 @@ const tFireStep = function ({ defaultConfig, event, childProcess, packageName, p
             saveConfig,
             userNodeVersion,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
             deployId,
             api,

package/lib/steps/run_steps.d.ts

@@ -1,4 +1,4 @@
-export function runSteps({ defaultConfig, steps, buildbotServerSocket, events, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, childEnv, context, branch, constants, mode, api, errorMonitor, deployId, errorParams, netlifyConfig, configOpts, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, }: {
+export function runSteps({ defaultConfig, steps, buildbotServerSocket, events, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, childEnv, context, branch, constants, mode, api, errorMonitor, deployId, errorParams, netlifyConfig, configOpts, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, }: {
     defaultConfig: any;
     steps: any;
     buildbotServerSocket: any;
@@ -33,6 +33,7 @@ export function runSteps({ defaultConfig, steps, buildbotServerSocket, events, c
     quiet: any;
     userNodeVersion: any;
     explicitSecretKeys: any;
+    enhancedSecretScan: any;
     edgeFunctionsBootstrapURL: any;
 }): Promise<{
     stepsCount: number;

package/lib/steps/run_steps.js

@@ -7,7 +7,7 @@ import { runStep } from './run_step.js';
 // list of `failedPlugins` (that ran `utils.build.failPlugin()`).
 // If an error arises, runs `onError` events.
 // Runs `onEnd` events at the end, whether an error was thrown or not.
-export const runSteps = async function ({ defaultConfig, steps, buildbotServerSocket, events, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, childEnv, context, branch, constants, mode, api, errorMonitor, deployId, errorParams, netlifyConfig, configOpts, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, edgeFunctionsBootstrapURL, }) {
+export const runSteps = async function ({ defaultConfig, steps, buildbotServerSocket, events, configPath, outputConfigPath, headersPath, redirectsPath, buildDir, packagePath, repositoryRoot, nodePath, childEnv, context, branch, constants, mode, api, errorMonitor, deployId, errorParams, netlifyConfig, configOpts, logs, debug, systemLog, verbose, saveConfig, timers, testOpts, featureFlags, quiet, userNodeVersion, explicitSecretKeys, enhancedSecretScan, edgeFunctionsBootstrapURL, }) {
     const { index: stepsCount, error: errorA, netlifyConfig: netlifyConfigC, statuses: statusesB, failedPlugins: failedPluginsA, timers: timersC, configMutations: configMutationsB, metrics: metricsC, } = await pReduce(steps, async ({ index, error, failedPlugins, envChanges, netlifyConfig: netlifyConfigA, configMutations, headersPath: headersPathA, redirectsPath: redirectsPathA, statuses, timers: timersA, metrics: metricsA, }, { event, childProcess, packageName, extensionMetadata, coreStep, coreStepId, coreStepName, coreStepDescription, pluginPackageJson, loadedFrom, origin, condition, quiet: coreStepQuiet, }) => {
         const { newIndex = index, newError = error, failedPlugin = [], newEnvChanges = {}, netlifyConfig: netlifyConfigB = netlifyConfigA, configMutations: configMutationsA = configMutations, headersPath: headersPathB = headersPathA, redirectsPath: redirectsPathB = redirectsPathA, newStatus, timers: timersB = timersA, metrics: metricsB = [], } = await runStep({
             event,
@@ -62,6 +62,7 @@ export const runSteps = async function ({ defaultConfig, steps, buildbotServerSo
             quiet,
             userNodeVersion,
             explicitSecretKeys,
+            enhancedSecretScan,
             edgeFunctionsBootstrapURL,
         });
         const statusesA = addStatus({ newStatus, statuses, event, packageName, pluginPackageJson });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "32.1.4",
+  "version": "33.0.0",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -68,16 +68,16 @@
   "dependencies": {
     "@bugsnag/js": "^7.0.0",
     "@netlify/blobs": "^8.2.0",
-    "@netlify/cache-utils": "^5.2.0",
-    "@netlify/config": "^22.2.0",
-    "@netlify/edge-bundler": "13.0.3",
-    "@netlify/framework-info": "^9.9.3",
-    "@netlify/functions-utils": "^5.3.18",
-    "@netlify/git-utils": "^5.2.0",
-    "@netlify/opentelemetry-utils": "^1.3.1",
+    "@netlify/cache-utils": "^6.0.0",
+    "@netlify/config": "^23.0.0",
+    "@netlify/edge-bundler": "14.0.0",
+    "@netlify/framework-info": "^10.0.0",
+    "@netlify/functions-utils": "^6.0.0",
+    "@netlify/git-utils": "^6.0.0",
+    "@netlify/opentelemetry-utils": "^2.0.0",
     "@netlify/plugins-list": "^6.80.0",
-    "@netlify/run-utils": "^5.2.0",
-    "@netlify/zip-it-and-ship-it": "10.1.1",
+    "@netlify/run-utils": "^6.0.0",
+    "@netlify/zip-it-and-ship-it": "11.0.0",
     "@sindresorhus/slugify": "^2.0.0",
     "ansi-escapes": "^6.0.0",
     "chalk": "^5.0.0",
@@ -126,7 +126,7 @@
     "yargs": "^17.6.0"
   },
   "devDependencies": {
-    "@netlify/nock-udp": "^4.0.0",
+    "@netlify/nock-udp": "^5.0.0",
     "@opentelemetry/api": "~1.8.0",
     "@opentelemetry/sdk-trace-base": "~1.24.0",
     "@types/node": "^14.18.53",
@@ -148,7 +148,7 @@
     "yarn": "^1.22.22"
   },
   "peerDependencies": {
-    "@netlify/opentelemetry-sdk-setup": "^1.1.0",
+    "@netlify/opentelemetry-sdk-setup": "^2.0.0",
     "@opentelemetry/api": "~1.8.0"
   },
   "peerDependenciesMeta": {
@@ -157,7 +157,7 @@
     }
   },
   "engines": {
-    "node": "^14.16.0 || >=16.0.0"
+    "node": ">=18.14.0"
   },
-  "gitHead": "03eae326c598d4d31b28fe8f20038c5d9508f772"
+  "gitHead": "f879acfe2bb508728578f9483c99bcdf372a2e83"
 }