Cursor uploads .env file with secrets despite .gitignore and .cursorignore

46 points by bfelbo 2 months ago

7 comments

samfriedman 2 months ago
From the recent changelog:

    Ignore files: Improved .cursorignore behavior to more consistently exclude files

I don't think I'm crazy to think that a .ignore file should result in perfectly consistent ignoring...
anshumankmr 2 months ago
how can it upload a .env when it's there in .gitignore? even if you go and remove the entry of .env from .gitignore, it doesn't start getting tracked right?

but yeah there should be some commit hook that rejects a commit like this for obvious non-starters like a .env or credentials.yaml or something (UNLESS the dev explicitly goes and toggles that setting to be off)
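
A sketch of the kind of commit hook suggested in the comment above, as an added example that is not part of the thread or of any tool discussed here. The override variable `ALLOW_SECRET_FILES`, the function names and the list of template files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: save as .git/hooks/pre-commit and make it executable.
# ALLOW_SECRET_FILES is a hypothetical opt-out variable, not a git setting.

# is_secret_path PATH: succeeds when the file name looks like a secrets file.
is_secret_path() {
    base=${1##*/}                      # strip any leading directories
    case "$base" in
        # Placeholder templates are allowed through (assumed naming).
        .env.example|.env.sample|.env.template) return 1 ;;
        .env|.env.*|credentials.yaml|credentials.yml) return 0 ;;
    esac
    return 1
}

# check_staged: reads one staged path per line on stdin, reports every
# offender on stderr, and fails unless the developer explicitly opted out.
check_staged() {
    blocked=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_secret_path "$path"; then
            echo "pre-commit: secrets file staged: $path" >&2
            blocked=1
        fi
    done
    if [ "$blocked" -eq 1 ] && [ "${ALLOW_SECRET_FILES:-0}" != "1" ]; then
        return 1
    fi
    return 0
}

# Only act when git invokes this file as the pre-commit hook.
if [ "${0##*/}" = "pre-commit" ]; then
    # Added, copied, modified or renamed paths in the index.
    git diff --cached --name-only --diff-filter=ACMR | check_staged || {
        echo "pre-commit: commit rejected; set ALLOW_SECRET_FILES=1 to override" >&2
        exit 1
    }
fi
```

The hook also catches files staged with `git add -f`. It guards commits only and has no effect on what an editor or indexing tool reads from the working tree.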
iamdamian 2 months ago
This is the biggest concern I have with Cursor. In fact, even though I use Cursor often, I won't use it on any repository with secrets or personal information. (Based on this news, I'm happy I went that route.)

If the Cursor team is reading, I'd recommend that you give real-time visibility into exactly what's indexed and uploaded and have more rigorous testing and documented guarantees around .cursorignore. That would go a long way toward making people like myself feel better about the product.
lexokoh 2 months ago
I think using a secret manager like https://onboardbase.com solves this easily. .envs are never in the codebase.
withinboredom 2 months ago
pro-tip: don't use .env files. They're a hack anyway.
scottmotte 2 months ago
Encrypting your .env file with dotenvx, or something similar, can help mitigate this need for trust.
Polarity 2 months ago
not good.