If you're using deprecated Nx self-hosted remote cache packages like @nx/gcs-cache, one immediate mitigation for the CREEP vulnerability is:
- allow PR builds to restore cache artifacts
- allow only trusted branches (
main) to write cache artifacts - enforce this at the GCP IAM layer using Workload Identity Federation conditions