trufflehog pre-commit hook scans web/node_modules #14

New issue

Open

opened 2026-05-23 20:55:22 +00:00 by coilysiren · 0 comments

coilysiren commented 2026-05-23 20:55:22 +00:00

Owner

Copy link

Originally filed by @coilysiren on 2026-05-21T08:57:29Z - https://github.com/coilysiren/repo-recall/issues/232

Symptom

The trufflehog pre-commit hook scans web/node_modules/ and fails on benign example URIs and README tokens shipped inside @types/node and json5. It surfaced while committing #228 right after make web-install populated web/node_modules/ - 11 unverified results, 94 MB / 9349 chunks scanned, all from third-party node deps.

Why it matters

node_modules is gitignored, so nothing from it can ever be committed. Scanning it is pure noise: it slows the hook and the false positives train operators to ignore trufflehog output. Workaround today is rm -rf web/node_modules before every commit, which is silly.

Fix

Scope the trufflehog hook to tracked / staged files, or add an exclude for node_modules/ (and likely dist/, target/). Check .pre-commit-config.yaml for the hook's args / exclude pattern.

_Originally filed by @coilysiren on 2026-05-21T08:57:29Z - [https://github.com/coilysiren/repo-recall/issues/232](https://github.com/coilysiren/repo-recall/issues/232)_ **Symptom** The `trufflehog` pre-commit hook scans `web/node_modules/` and fails on benign example URIs and README tokens shipped inside `@types/node` and `json5`. It surfaced while committing #228 right after `make web-install` populated `web/node_modules/` - 11 unverified results, 94 MB / 9349 chunks scanned, all from third-party node deps. **Why it matters** `node_modules` is gitignored, so nothing from it can ever be committed. Scanning it is pure noise: it slows the hook and the false positives train operators to ignore trufflehog output. Workaround today is `rm -rf web/node_modules` before every commit, which is silly. **Fix** Scope the trufflehog hook to tracked / staged files, or add an exclude for `node_modules/` (and likely `dist/`, `target/`). Check `.pre-commit-config.yaml` for the hook's `args` / `exclude` pattern.

coilysiren added the

P2

label 2026-05-31 01:55:06 +00:00

coilysiren added

P3

and removed

P2

labels 2026-05-31 07:01:19 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

action-required-mine

mcp-app-rewrite

v0.45.0

v0.44.0

v0.43.0

v0.42.2

v0.42.1

v0.42.0

v0.41.1

v0.41.0

v0.40.7

v0.40.6

v0.40.5

v0.40.4

v0.40.3

v0.40.2

v0.40.1

v0.40.0

v0.39.0

v0.38.0

v0.37.0

v0.36.0

v0.35.0

v0.34.0

v0.33.1

v0.33.0

v0.32.3

v0.32.2

v0.32.1

v0.32.0

v0.31.1

v0.31.0

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.56

v0.29.55

v0.29.54

v0.29.53

v0.29.52

v0.29.51

v0.29.50

v0.29.49

v0.29.48

v0.29.47

v0.29.46

v0.29.45

v0.29.44

v0.29.43

v0.29.42

v0.29.41

v0.29.40

v0.29.39

v0.29.38

v0.29.37

v0.29.36

v0.29.35

v0.29.34

v0.29.33

v0.29.32

v0.29.31

v0.29.30

v0.29.29

v0.29.28

v0.29.27

v0.29.26

v0.29.25

v0.29.24

v0.29.23

v0.29.22

v0.29.21

v0.29.20

v0.29.19

v0.29.18

v0.29.17

v0.29.16

v0.29.15

v0.29.14

v0.29.13

v0.29.12

v0.29.11

v0.29.10

v0.29.9

v0.29.8

v0.29.7

v0.29.6

v0.29.5

v0.29.4

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.36

v0.28.35

v0.28.34

v0.28.33

v0.28.32

v0.28.31

v0.28.30

v0.28.29

v0.28.28

v0.28.27

v0.28.26

v0.28.25

v0.28.24

v0.28.23

v0.28.22

v0.28.21

v0.28.20

v0.28.19

v0.28.18

v0.28.17

v0.28.16

v0.28.15

v0.28.14

v0.28.13

v0.28.12

v0.28.11

v0.28.10

v0.28.9

v0.28.8

v0.28.7

v0.28.6

v0.28.5

v0.28.4

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27.0

v0.26.1

v0.26.0

v0.25.1

v0.25.0

v0.24.0

v0.23.1

v0.23.0

v0.22.3

v0.22.2

v0.22.1

v0.22.0

v0.21.0

v0.20.1

v0.20.0

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.0

v0.14.1

v0.14.0

v0.13.15

v0.13.14

v0.13.13

v0.13.12

v0.13.11

v0.13.10

v0.13.9

v0.13.8

v0.13.7

v0.13.6

v0.13.5

v0.13.4

v0.13.3

v0.13.2

v0.13.1

v0.13.0

v0.12.9

v0.12.8

v0.12.7

v0.12.6

v0.12.5

v0.12.4

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.0

v0.8.0

v0.7.0

v0.6.1

v0.6.0

v0.5.0

v0.4.0

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.0

v0.1.6

v0.1.5

v0.1.4

v0.1.3

v0.1.2

v0.1.1

v0.1.0

Labels

Clear labels

  

P0

now / blocking / urgent

  

P1

next / important

  

P2

backlog / will do

  

P3

someday / low

  

P4

icebox / frozen / reopen if it becomes real

No labels

P0

P1

P2

P3

P4

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

coilyco-flight-deck/repo-recall#14

No description provided.