Impact
When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the package-lock.yml file.
Patches
The bug has been fixed in dbt-core v1.7.3.
Mitigations
Remove any git URLs with plaintext secrets from package-lock.yml file(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.
jtcohen6 Finder
martynydbt Coordinator
Impact
When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with the PAT in plaintext to the
package-lock.ymlfile.Patches
The bug has been fixed in dbt-core v1.7.3.
Mitigations
Remove any git URLs with plaintext secrets from
package-lock.ymlfile(s) on servers, workstations, or in source control. Rotate any tokens that have been written to version-controlled files.