Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

how can it upload a .env when its there in .gitignore? even if you go and remove the entry of .env from .gitignore, it doesn't start getting tracked right?

but yeah there should be some commit hook that rejects a commit like this for obvious non starters like a .env or credentials.yaml or something (UNLESS the dev explicitly goes and toggles that setting to be off)



Evidently they simply aren't respecting the .gitignore when choosing which file contents to post to their servers, https://forum.cursor.com/t/env-file-question/60165/9

Regardless of whether it actually makes a commit with the secret, it's still being leaked.


This is not about Git, this is about their `.env` contents being sent to an external server for tab complete, even if that file is explicitly marked as "do not use the AI here".




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: