Clasp push drops oauthScopes

[kwiesmueller]

I got a Gmail Add-on that worked before.
Currently, some users produced weird Missing access token for authorization errors that neither I nor other users could reproduce.
After further investigation, I discovered that I gave the Add-on access to "https://www.googleapis.com/auth/gmail.readonly" (as defined in the appscript.json), but impacted users do not have this permission.

Expected Behavior

Our appscript.json contains this section:

"oauthScopes": [
    "https://www.googleapis.com/auth/gmail.addons.execute",
    "https://www.googleapis.com/auth/gmail.addons.current.message.metadata",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/script.external_request"
],

When executing a clasp push or clasp push --force the result being sent seems to be:

"oauthScopes": [
    "https://www.googleapis.com/auth/gmail.addons.execute",
    "https://www.googleapis.com/auth/gmail.addons.current.message.metadata",
       
"https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/script.external_request"
],

This is taken from the script.google.com Version History.

Actual Behavior

I expect that the scopes be present as defined in my config (as i think to remember it previously was).

Steps to Reproduce the Problem

1. Send a config with the above oauthScopes section to a project.
2. Inspect the manifest online.

Specifications

• Node version (node -v): 13.7
• Version (clasp -v): 2.3.0
• OS (Mac/Linux/Windows): node:13.7 (base: Debian GNU/Linux 9 (stretch))

[kwiesmueller]

FTR: When i update my manifest locally, i get asked if i want to overwrite it online.
Pressing yes does still drop the field.

[kwiesmueller]

If I edit the manifest online and the do a clasp pull, i get a valid appscript.json into ./dist

[PopGoesTheWza]

@kwiesmueller can you please put up a sample repos on GitHub for me to investigate?