Remove file from git history or npm module
It may happen that you committed sensitive data to your git history, or even published it to npm.
To fix this you need to tackle the problem in two steps:
Remove password file from git
First, get a list of the commits that contain the compromising data and the files they touch (-S finds every commit that adds or removes the given string):
git log -S <password> --name-only
Once you have that list, run the following command, replacing the file name for each file.
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch src/utils/sendSMS.ts" \
  --prune-empty --tag-name-filter cat -- --all
Here we are deleting every occurrence of the file src/utils/sendSMS.ts from git's history.
If you have many files like that, run this command for every file.
To also remove it from your remote repository, run
git push origin --force --all
Make sure to add it to
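The git part of the procedure above, as an added example that is not part of the original post: a POSIX shell function that removes a list of paths from every commit on every branch and tag in a single filter-branch pass instead of one pass per file, a second function that deletes the refs/original/ backup refs and expires the reflog so the purged commits actually leave the local object store (filter-branch keeps them reachable until you do this), and a check that runs git log -S over all remaining history to confirm the secret is gone. FILTER_BRANCH_SQUELCH_WARNING is the variable git uses to silence filter-branch's deprecation notice; the file paths and secret strings are placeholders you substitute.

```shell
#!/bin/sh
# Added example (not from the original post): purge files from all history,
# drop the backup refs filter-branch leaves behind, then verify the secret is gone.

# Rewrite history so that none of the given paths exist in any commit.
# Usage (from the repository root): purge_paths_from_history path1 [path2 ...]
purge_paths_from_history() {
  # Build one "git rm" command for all paths so every commit is rewritten once,
  # not once per file. Paths are single-quoted (paths containing ' are not handled).
  rm_cmd="git rm --cached --ignore-unmatch"
  for p in "$@"; do
    rm_cmd="$rm_cmd '$p'"
  done
  # FILTER_BRANCH_SQUELCH_WARNING=1 suppresses git's deprecation notice and its pause.
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch --force \
    --index-filter "$rm_cmd" \
    --prune-empty --tag-name-filter cat -- --all >/dev/null 2>&1
}

# filter-branch keeps the original commits reachable through refs/original/ and the
# reflog; delete those and prune so the data really disappears from the local clone.
expire_old_history() {
  git for-each-ref --format='%(refname)' refs/original/ \
    | while read -r ref; do git update-ref -d "$ref"; done
  git reflog expire --expire=now --all
  git gc --prune=now --quiet
}

# Return 0 if the string still appears in any reachable commit, 1 otherwise.
secret_in_history() {
  [ -n "$(git log --all -S "$1" --oneline)" ]
}
```

After these functions have run, force-push as described above; anyone with an older clone still holds the original commits and has to re-clone.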
Remove password from npm
If you hit npm publish, you now have a version of your module on npmjs.com, and any republish with a different version, even if you removed the files, will have no effect from a security standpoint: your old versions are still on npmjs.com. To fix this, you have to move fast (you are allowed to unpublish only if 72h have not yet passed since the
NOTE: assuming you published the versions with the compromising files less than 72 hours ago, you can unpublish them.
IMPORTANT: npmjs.com tries to incentivize stability, and unpublishing is a bummer for those who are already using your package, so they penalize unpublishing by not allowing any further publish for the next 24 hours. That's why, if you want a version that keeps working without interruption, you need to publish the fixed version before unpublishing the compromised ones.
# publish the fixed version
npm publish
# unpublish the versions with sensitive data
npm unpublish <mypackagename>@<my.compromised.version>
Do the last step for all the previous versions of your package containing sensitive data.