fixyoursecret 0.4.0 → 0.4.2

package/CHANGELOG.md

@@ -2,6 +2,25 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.4.2] - 2026-03-26
+
+### Fixed
+- Release automation now forces Trusted Publisher OIDC mode in GitHub Actions by unsetting token auth in publish step.
+- Prevents npm auth-token fallback issues (`E404`) when publishing from tag workflow.
+
+## [0.4.1] - 2026-03-26
+
+### Improved
+- Tightened residual generic-noise filtering for large real-world corpora:
+  - better `.test/.spec` context detection
+  - stronger URL/base64/tutorial-data suppression for generic detector paths
+  - additional non-production placeholder filtering for provider fixtures
+- Reduced quick 500-corpus findings from 117 to 51 while preserving quality gates.
+
+### CI/Release
+- Switched release workflow to Trusted Publisher OIDC mode for npm publish.
+- Kept tag-based automated publish via `.github/workflows/release-publish.yml`.
+
 ## [0.4.0] - 2026-03-26
 
 ### Added

package/README.md

@@ -227,6 +227,10 @@ Workflow file included:
 
 It runs tests, benchmark gate, scan, and uploads SARIF.
 
+Automated npm release workflow:
+- [./.github/workflows/release-publish.yml](./.github/workflows/release-publish.yml)
+- Triggered by pushing version tags like `v0.4.1`
+
 ---
 
 ## Publish

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "fixyoursecret",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "description": "CLI tool to detect leaked secrets, frontend exposure, and generate safe fixes.",
   "type": "module",
   "bin": {
-    "fixyoursecret": "bin/index.js",
-    "secretlint": "bin/index.js"
+    "fixyoursecret": "./bin/index.js",
+    "secretlint": "./bin/index.js"
   },
   "files": [
     "bin/",

package/utils/verifier.js

@@ -74,8 +74,12 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
   const lowerSnippet = snippet.toLowerCase();
   const lowerPath = filePath.toLowerCase();
   const value = String(match.value || "");
-  const isNonProdPath = ["/test/", "/tests/", "/__tests__/", "/fixtures/", "/docs/", "/examples/", "/spec/"]
-    .some((segment) => lowerPath.includes(segment));
+  const isNonProdPath = (
+    ["/test/", "/tests/", "/__tests__/", "/fixtures/", "/docs/", "/examples/", "/spec/"]
+      .some((segment) => lowerPath.includes(segment)) ||
+    /\.test\.[a-z0-9]+$/i.test(lowerPath) ||
+    /\.spec\.[a-z0-9]+$/i.test(lowerPath)
+  );
 
   const builtinHints = ["example", "dummy", "fake", "sample", "not_secret", "replace_in_runtime_only", "docs_only"];
   const allHints = [...builtinHints, ...hints.map((h) => String(h).toLowerCase())];
@@ -114,6 +118,7 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
   }
 
   if (match.rule === "generic-high-entropy") {
+    if (/(?:https?:\/\/|url:|href=|source:|fileName:|filename:|data:image|base64)/.test(lowerSnippet)) return true;
     const genericNoiseHints = [
       "canvasrenderingcontext2d",
       "axios parameter creator",
@@ -132,11 +137,27 @@ export function shouldSkipAsNonSecret(match, snippet = "", filePath = "", hints
       "anthropiccontext1m",
       "bigint64arraybytes_per_element",
       "claude-sonnet",
-      "gemini-"
+      "gemini-",
+      "oauth/callback?code=",
+      "audio-16khz-16bit",
+      "i18next-browser-languagedetector",
+      "msapplication-square70x70logo",
+      "apps.googleusercontent.com",
+      "downloaded-logs-",
+      "webkiformboundary",
+      "gpt-4o-realtime-preview"
     ];
     if (genericNoiseHints.some((hint) => lowerSnippet.includes(hint))) return true;
   }
 
+  if (
+    match.rule === "private-key-block" &&
+    isNonProdPath &&
+    /(?:example|dummy|placeholder|mock|do not share|xxxxx|\.{3})/.test(lowerSnippet)
+  ) {
+    return true;
+  }
+
   return false;
 }