For some of us, we can only make public projects now. Here are some tips to help make sure your secrets don’t leak when someone remixes your project.
.git is copied to remixes

The .git directory holds historical versions of your project, and it's what the Rewind feature uses. Users comfortable with Git from the command line can also set configuration options there and add remote repository URLs to push to and pull from.

In some experiments, I confirmed that remixing a project copies over the entire .git directory.
This means we should be very careful when working on a public project.
- Never type anything sensitive into a file that can be automatically committed. Glitch may commit it for you, which puts a copy into .git that remains in the history even if you edit it out of the file later.
- If you use Git, e.g. from the command line, make sure nothing sensitive is in your configuration.
- If you add a remote, make sure not to put any credentials in the URL. Note that Glitch's own read-write project Git URL contains a token that grants permission to write (and, for private projects, to read as well).
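One way to check the second and third points before making a project public is to parse .git/config and flag any remote whose URL embeds a username or password. The script below is an added example, not code from the original post or from Glitch; the config text it scans is constructed for illustration, and the host, user and password in it are placeholders.

```javascript
// Added example: audit a .git/config for remote URLs that carry credentials.
// SAMPLE_GIT_CONFIG is a constructed stand-in for the contents of .git/config.
const SAMPLE_GIT_CONFIG = `[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:hunter2@example.com/alice/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "backup"]
\turl = git@example.com:alice/app.git
[remote "mirror"]
\turl = https://example.com/alice/mirror.git
`;

// Parse git's INI-style config into { 'remote "origin"': { url: ..., fetch: ... }, ... }.
function parseGitConfig(text) {
  const sections = {};
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1];
      sections[current] = sections[current] || {};
      continue;
    }
    const kv = line.match(/^([^=]+?)\s*=\s*(.*)$/);
    if (kv && current) sections[current][kv[1]] = kv[2];
  }
  return sections;
}

// Return one finding per remote whose URL contains userinfo (a user name,
// a token standing in for one, or a password). scp-style remotes such as
// git@host:path are not URLs in the WHATWG sense and are skipped.
function findCredentialedRemotes(configText) {
  const findings = [];
  for (const [section, keys] of Object.entries(parseGitConfig(configText))) {
    const m = section.match(/^remote "(.+)"$/);
    if (!m || !keys.url) continue;
    let parsed;
    try {
      parsed = new URL(keys.url);
    } catch (e) {
      continue; // not an absolute URL, so no embedded userinfo to worry about
    }
    if (!parsed.username && !parsed.password) continue;
    findings.push({
      remote: m[1],
      username: parsed.username,
      hasPassword: parsed.password.length > 0,
      // The URL you could safely leave in a public project's config.
      redactedUrl: `${parsed.protocol}//${parsed.host}${parsed.pathname}`,
    });
  }
  return findings;
}

// Stand-alone run: report what a remix of this project would hand to strangers.
for (const f of findCredentialedRemotes(SAMPLE_GIT_CONFIG)) {
  console.log(`remote "${f.remote}" embeds credentials for user "${f.username}"` +
    (f.hasPassword ? ' with a password' : '') + `; use ${f.redactedUrl} instead`);
}
```

To run it against a real project, read .git/config with fs.readFileSync and pass the text in place of SAMPLE_GIT_CONFIG. Remember that this only checks the current config; a credential that was once in a committed file is still in .git's history, and only rewriting or recreating the repository removes it.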
node_modules is copied to remixes

We have known that node_modules is ephemeral, which makes it unsuitable for storing application state in general, but it has still been useful as a cache. Because it is copied on remix, make sure your app and your app's dependencies don't write anything into node_modules unless it is completely public.
Try it out: secret word hunt
I’ve made a sample project for you to try this out. Remix it and see if you can find up to three secret words in your copy!