Hello,
Did you find a solution for this?
This doc, which was also helpful, states:
Keep tokens private
You can avoid committing access tokens in public repositories by storing them as environment variables in your site or team settings.
But I can’t find any way to use the environment variables in the package.json, and the guide about env variables doesn’t mention this either.
Thanks!