Skip to content

Instantly share code, notes, and snippets.

View vctqs1's full-sized avatar

Thu Vo vctqs1

View GitHub Profile
@vctqs1
vctqs1 / nx-remote-cache-poisoning-mitigation.md
Last active June 2, 2026 14:57
Practical Mitigation for Nx CREEP Vulnerability Using GCP IAM Conditions and Branch-Restricted Cache Writes

Practical Mitigation for Nx CREEP (CVE-2025-36852) Using GCP IAM Conditions

TL;DR

If you're using deprecated Nx self-hosted remote cache packages like @nx/gcs-cache, one immediate mitigation for the CREEP vulnerability is:

  • allow PR builds to restore cache artifacts
  • allow only trusted branches (main) to write cache artifacts
  • enforce this at the GCP IAM layer using Workload Identity Federation conditions
#!/bin/bash
# This script cherry-picks the commits from a PR
# Usage: ./cherry_pick_pr.sh <pr-number>
set -e
PR_NUMBER=$1
# Check if PR number is provided
if [ -z "$PR_NUMBER" ]; then
echo "Usage: $0 <pr-number>"

Code size comparison

This comparison between Connect-Web and gRPC-web

We generated code for the proto using protoc-gen-grpc-web and protoc-gen-connect-es. We then bundled a client for the service (see the client's PR) with vite, compressed it as a web server would usually do.

manabuf-syllabus-ts proto