
False positive with new text-based bun.lock #3770

Open
@notramo

Description

A text-based lockfile (bun.lock) was recently added to Bun (to replace the previously used binary bun.lockb file). It can be created with bun install --save-text-lockfile. (Currently only the nightly builds have this feature.)

The plain-text file contains many checksums, and trufflehog mistakenly detects some checksums as access tokens.

This is a line from bun.lock that triggers a false positive:

    "@oxlint/linux-x64-gnu": ["@oxlint/[email protected]", "", { "os": "linux", "cpu": "x64" }, "sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],

It says q0hJ9scDTNNailT8qytvOjuiUhyJpAPA (part of the checksum) is a Box access token.
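One way to suppress this class of false positive, as an added example that is not trufflehog's own code: a constructed 32-character alphanumeric pattern (assumed to approximate a detector such as the Box one, not copied from trufflehog) is run over the line reported above, and any candidate that lies inside an SRI-style `sha512-<base64>` integrity string is dropped before it is reported.

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed stand-in for a 32-character token detector pattern (not trufflehog's
// real Box regex). It matches the checksum fragment from the issue.
var tokenPat = regexp.MustCompile(`\b[0-9a-zA-Z]{32}\b`)

// SRI-style integrity values as written in lockfiles: "sha512-<base64>".
var integrityPat = regexp.MustCompile(`sha(?:256|384|512)-[A-Za-z0-9+/]+={0,2}`)

// Constructed sample: the bun.lock line quoted in the issue.
const lockLine = `"@oxlint/linux-x64-gnu": ["@oxlint/[email protected]", "", { "os": "linux", "cpu": "x64" }, "sha512-e/KSj4fg5EFdK/bJLJjGRzaw2KZdYgr2mTt3k9HF9YIGl0UnBoX5h+q0hJ9scDTNNailT8qytvOjuiUhyJpAPA=="],`

// insideAny reports whether the candidate span m is fully contained in one of spans.
func insideAny(m []int, spans [][]int) bool {
	for _, s := range spans {
		if m[0] >= s[0] && m[1] <= s[1] {
			return true
		}
	}
	return false
}

// FindTokens returns token candidates in line, skipping any candidate that is
// just a substring of an integrity hash (the false positive from the issue).
func FindTokens(line string) []string {
	hashes := integrityPat.FindAllStringIndex(line, -1)
	var out []string
	for _, m := range tokenPat.FindAllStringIndex(line, -1) {
		if insideAny(m, hashes) {
			continue
		}
		out = append(out, line[m[0]:m[1]])
	}
	return out
}

func main() {
	// Raw pattern alone flags the checksum fragment; the filtered scan does not.
	fmt.Println(tokenPat.FindAllString(lockLine, -1)) // [q0hJ9scDTNNailT8qytvOjuiUhyJpAPA]
	fmt.Println(FindTokens(lockLine))                 // []
}
```

A candidate that is not part of an integrity string (for example one following `token=` in an ordinary config line) still passes through unchanged, so the filter only removes matches that are provably hash material.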
