Conversation

@seanspeaks
Contributor

@seanspeaks seanspeaks commented Dec 12, 2025

Summary

  • Fix .env files being included in Lambda deployment packages during frigg deploy
  • Add proper file exclusions to prevent accidental secret exposure

Changes

Root Cause Fix

packages/devtools/infrastructure/domains/shared/utilities/base-definition-factory.js

Added .env* exclusion patterns to both skipEsbuildPackageConfig and functionPackageConfig:

```js
'.env',
'.env.*',
'.env.local',
'.env.*.local',
'**/.env',
'**/.env.*',
```

# Version

Published prerelease version: `v2.0.0-next.62`

<details>
  <summary>Changelog</summary>

  #### 🐛 Bug Fix
  
  - `@friggframework/devtools`
    - fix: Exclude .env files from serverless package deployment [#518](https://github.com/friggframework/frigg/pull/518) ([@claude](https://github.com/claude) [@seanspeaks](https://github.com/seanspeaks))
  - `@friggframework/core`, `@friggframework/devtools`, `@friggframework/eslint-config`, `@friggframework/prettier-config`, `@friggframework/schemas`, `@friggframework/serverless-plugin`, `@friggframework/test`, `@friggframework/ui`
    - chore: remove stale comment and fix step numbering [#516](https://github.com/friggframework/frigg/pull/516) ([@claude](https://github.com/claude) [@seanspeaks](https://github.com/seanspeaks))
  
  #### Authors: 2
  
  - Claude ([@claude](https://github.com/claude))
  - Sean Matthews ([@seanspeaks](https://github.com/seanspeaks))
</details>

The previous patterns were too specific (e.g., .env.development.local)
and missed common variations like .env.development, .env.production,
and .env.local.local. Updated to use .env.* wildcard pattern.
- Add `files` field to package.json to whitelist only necessary files
- Add .npmignore to explicitly exclude .env files and test directory

This prevents .env files from being accidentally included when the
devtools package is published to npm or bundled for deployment.

The base-definition-factory.js was missing .env file exclusions in both
skipEsbuildPackageConfig and functionPackageConfig. This caused local
.env files to be included in deployed Lambda packages.

Added exclusion patterns for:
- .env
- .env.*
- .env.local
- .env.*.local
- **/.env
- **/.env.*

This ensures environment files are never deployed to Lambda, preventing
accidental exposure of secrets.
@seanspeaks seanspeaks changed the base branch from main to next December 12, 2025 01:59
@seanspeaks seanspeaks changed the title from "fix(vpc): Pass normalized management mode to buildSubnets for correct CIDR generation" to "fix: Exclude .env files from serverless package deployment" Dec 12, 2025
@sonarqubecloud

Quality Gate failed

Failed conditions
316 Security Hotspots
5.4% Duplication on New Code (required ≤ 3%)
D Reliability Rating on New Code (required ≥ A)
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud


@seanspeaks seanspeaks added the `release` label (Create a release when this pr is merged) Dec 12, 2025
@d-klotz d-klotz merged commit 7dafa19 into next Dec 15, 2025
12 of 26 checks passed
@d-klotz d-klotz deleted the claude/fix-frigg-env-deploy-014RPjyrZmnx4k33iUhiBzdj branch December 15, 2025 14:03
@seanspeaks
Contributor Author

🚀 PR was released in v2.0.0-next.62 🚀

@seanspeaks seanspeaks added the `prerelease` label (This change is available in a prerelease.) Dec 15, 2025