
Y'all committed an env file https://github.com/Helicone/helicone/pull/136/files O___O



Yeah this was added by accident, luckily we have pretty good management of local development and production testing, so these keys were not production keys


lgtm.

A global .gitignore is one of the first things I install on a new machine - and then I never think of it again.

  $ git config --global core.excludesfile ~/.gitignore
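Added example, not code from this thread or from Helicone: a sandboxed walk-through of the global ignore file described above. It points core.excludesfile at a constructed ~/.gitignore, then checks in a throwaway repo that a `.env` is invisible to `git add`/`git status` while a `.env.example` template is not. The sandbox paths, the ignore rules and the `SUPABASE_KEY=` line are all made up for the demo. (Without any config at all, git also honours `$XDG_CONFIG_HOME/git/ignore`, i.e. `~/.config/git/ignore`, so that is an alternative to setting core.excludesfile.)

```shell
#!/bin/sh
# Added example, not from the thread or the project: set up a global
# gitignore in a sandboxed HOME and verify that .env is excluded from a
# fresh repo while .env.example is still addable. Everything under
# $SANDBOX is constructed for this demo; no real user config is touched.
set -eu

setup_global_ignore() {
  # $1: directory used as HOME so `git config --global` writes only there
  HOME="$1"; export HOME
  XDG_CONFIG_HOME="$1/.config"; export XDG_CONFIG_HOME
  mkdir -p "$HOME"
  cat > "$HOME/.gitignore" <<'EOF'
# Secrets and per-developer environment files
.env
.env.*
!.env.example
# Editor / OS noise
*.swp
.DS_Store
EOF
  # core.excludesfile is applied on top of every repository's own .gitignore
  git config --global core.excludesfile "$HOME/.gitignore"
}

# Exit 0 if git would ignore path $2 inside repo $1, 1 otherwise.
is_ignored() {
  git -C "$1" check-ignore -q "$2"
}

# Number of untracked, non-ignored files, i.e. what `git add -A` would stage.
untracked_count() {
  git -C "$1" ls-files --others --exclude-standard | wc -l | tr -d ' '
}

demo() {
  SANDBOX=$(mktemp -d)
  setup_global_ignore "$SANDBOX/home"
  REPO="$SANDBOX/repo"
  git init -q "$REPO"
  printf 'SUPABASE_KEY=local-dev-only\n' > "$REPO/.env"   # constructed secret
  printf 'SUPABASE_KEY=\n' > "$REPO/.env.example"         # safe template
  printf '# demo\n' > "$REPO/README.md"

  is_ignored "$REPO" .env || { echo ".env is NOT ignored"; return 1; }
  if is_ignored "$REPO" .env.example; then
    echo ".env.example is wrongly ignored"; return 1
  fi
  # Only .env.example and README.md should be visible to git add
  [ "$(untracked_count "$REPO")" = "2" ] || { echo "unexpected untracked set"; return 1; }
  echo "ok: .env ignored globally; .env.example and README.md still addable"
}

demo
```

The `!.env.example` rule must come after `.env.*`, since later lines in an ignore file override earlier ones. Note that a global ignore only prevents new accidents: a file that is already tracked stays tracked, so an `.env` that has been committed must also be removed with `git rm --cached .env` and, if it held real credentials, rotated.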


Oh wow, I didn't know a global .gitignore was possible.


TIL.


I mean they launched a YC-funded company that will soon be replaced by a "Usage" dashboard and some admin settings over at OpenAI.


You're not wrong, but surely OpenAI can't do everything and maybe they can stay ahead on features long enough to continue to be higher value?


It's a ritual at my prev workplace. They didn't do anything even after I warned about it. Of course they got hacked.


Lol, has their SB creds. Someone could do a bunch of stuff with that


These appear to be local credentials (supabase init, supabase start), but I'll reach out to the founders now to make sure everything is secure on their Production database/APIs. We are a GitHub secret scanning partner [0], so hopefully this was caught early.

---

For any other founders reading this, it's recommended to add a `SECURITY.md` to your repo before doing a ShowHN/LaunchHN. This can be exposed in your `.well-known` folder (eg: https://supabase.com/.well-known/security.txt). This will help with responsible disclosures.

[0] GitHub secret scanning: https://github.blog/changelog/2022-03-28-supabase-is-now-a-g...


> Do not reveal the problem to others until it has been resolved,

sorry, probably shouldn't have pointed that out. noted for future reference.

aside: big fan of Supabase, Paul! it's a pleasure using it!


This is exactly right, thanks a bunch for checking. Also, thanks for the note! We will add a SECURITY.md

