A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logging function. If this output is publicly available then the credentials should be considered compromised.
[
{
"product": "grunt-gh-pages node module",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "<=0.9.1"
}
]
}
]