Is it safe to do `npm login`?

All we know from written docs is that npm saves some kind of authentication info into .npmrc, which is neither .env nor .data.

I tried logging in on a dummy account here Glitch :・゚✧

Empirically I don’t see .npmrc in the editor, and a copy wasn’t present when I tried remixing the project. Does that mean we’re safe?

Might wanna check if other dotfiles get copied on remix.
I think they might use git under the hood for project remixes, and I think Glitch ignores . files and directories because it ignores .vscode.

From my experience you should have no problem storing sensitive information in .npmrc. As you have found out yourself, it is not copied when you remix the project, and there are no ways to access it on a public project.

Keep in mind, though, just because a file / directory is hidden in the editor does not mean that it will be excluded from remixes. This includes dot files / directories.

I have tried in the past, but sadly I have not been able to find a list of files / directories that are excluded from remixes, so you will have to manually check when needed. However, if you are interested, some of Glitch’s other block lists are available, via the editor, in the following files:

/etc/gitignore-global
/opt/watcher/build/source/ot-storage.js


That’s a good idea. It would make for a nice community resource.

I rather speculate that they copy the entire project /app drive and node_modules area over, then clean it up a little.

Same. References in other parts of Glitch suggest that it’s in some “scrubber” component that’s not available inside the project container.

Hmmm we can test the hypothesis that they copy using git by adding files to their .gitignore unless their file copier also reads .gitignore. Maybe the entire project container is duplicated but that’s least likely since they would have to also write code to erase .data and scrub .env. The support team also tells people to remix their projects if one of them breaks iirc

Hi there, so I double-checked on this and yes we do prevent .npmrc from being included in the remix. I’ll make sure we get this in the Help Center soon, but the following directories/files are handled the same way and are not copied into remixes:

.bash_history
.bashrc
.config
.data
.git-credentials
.npmrc
.ssh
logs

We don’t delete .env, we just scrub the contents of it. Hope this clarifies things!

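One way to do the manual check mentioned earlier in the thread, as an added example that is not code from Glitch or from any poster here: it classifies a project's top-level entries against the list in the staff reply above. Matching by top-level name, the token regex, and the status names (`excluded`, `scrubbed`, `unlisted`, `review`) are assumptions of this sketch, and the list may not match what the platform does today.

```shell
#!/usr/bin/env bash
# Added example. Names copied from the staff reply: not copied into remixes.
REMIX_EXCLUDED=".bash_history .bashrc .config .data .git-credentials .npmrc .ssh logs"

# remix_status NAME -> prints "excluded", "scrubbed" or "unlisted"
remix_status() {
  local name=$1 ex
  for ex in $REMIX_EXCLUDED; do
    if [ "$name" = "$ex" ]; then
      echo excluded
      return 0
    fi
  done
  # Per the same reply, .env is kept but its contents are scrubbed.
  if [ "$name" = ".env" ]; then
    echo scrubbed
    return 0
  fi
  # Not on the list: treat as possibly copied into a remix.
  echo unlisted
}

# remix_audit DIR -> one "status<TAB>name" line per top-level entry, sorted.
# An unlisted regular file containing a token-like assignment is marked "review".
# The regex is an assumption of this example, not an exhaustive secret scanner.
remix_audit() {
  local dir=${1:-.} path name status
  for path in "$dir"/.[!.]* "$dir"/*; do
    [ -e "$path" ] || continue   # glob matched nothing
    name=${path##*/}
    status=$(remix_status "$name")
    if [ "$status" = unlisted ] && [ -f "$path" ] &&
       grep -Eqi '(_authToken|_password|api[_-]?key|secret)[[:space:]]*[=:]' "$path"; then
      status=review
    fi
    printf '%s\t%s\n' "$status" "$name"
  done | sort
}
```

Source the file in the project terminal and run `remix_audit` on the project directory; anything reported as `review` holds a token-like value in a file the staff list does not cover.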
