fix: use @npmcli/redact for log redactions

Closes #7314

Author: lukekarrys

DEPENDENCIES.md

@@ -127,6 +127,7 @@ graph LR;
   npm-->npmcli-mock-registry["@npmcli/mock-registry"];
   npm-->npmcli-package-json["@npmcli/package-json"];
   npm-->npmcli-promise-spawn["@npmcli/promise-spawn"];
+  npm-->npmcli-redact["@npmcli/redact"];
   npm-->npmcli-run-script["@npmcli/run-script"];
   npm-->npmcli-smoke-tests["@npmcli/smoke-tests"];
   npm-->npmcli-template-oss["@npmcli/template-oss"];
@@ -541,6 +542,7 @@ graph LR;
   npm-->npmcli-mock-registry["@npmcli/mock-registry"];
   npm-->npmcli-package-json["@npmcli/package-json"];
   npm-->npmcli-promise-spawn["@npmcli/promise-spawn"];
+  npm-->npmcli-redact["@npmcli/redact"];
   npm-->npmcli-run-script["@npmcli/run-script"];
   npm-->npmcli-smoke-tests["@npmcli/smoke-tests"];
   npm-->npmcli-template-oss["@npmcli/template-oss"];
@@ -831,4 +833,4 @@ packages higher up the chain.
  - @npmcli/git, make-fetch-happen, @npmcli/config
  - @npmcli/installed-package-contents, @npmcli/map-workspaces, cacache, npm-pick-manifest, read-package-json, promzard
  - @npmcli/docs, @npmcli/fs, npm-bundled, read-package-json-fast, unique-filename, npm-install-checks, npm-package-arg, normalize-package-data, npm-packlist, bin-links, nopt, npmlog, parse-conflict-json, @npmcli/mock-globals, read
- - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, npm-normalize-package-bin, @npmcli/name-from-folder, json-parse-even-better-errors, fs-minipass, ssri, unique-slug, @npmcli/promise-spawn, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/node-gyp, @npmcli/agent, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, are-we-there-yet, gauge, minify-registry-metadata, ini, @npmcli/disparity-colors, mute-stream, npm-audit-report, npm-user-validate
+ - @npmcli/eslint-config, @npmcli/template-oss, ignore-walk, semver, npm-normalize-package-bin, @npmcli/name-from-folder, json-parse-even-better-errors, fs-minipass, ssri, unique-slug, @npmcli/promise-spawn, hosted-git-info, proc-log, validate-npm-package-name, @npmcli/node-gyp, @npmcli/agent, minipass-fetch, @npmcli/query, cmd-shim, read-cmd-shim, write-file-atomic, abbrev, are-we-there-yet, gauge, minify-registry-metadata, ini, @npmcli/disparity-colors, mute-stream, @npmcli/redact, npm-audit-report, npm-user-validate

lib/commands/adduser.js

@@ -1,5 +1,5 @@
 const log = require('../utils/log-shim.js')
-const replaceInfo = require('../utils/replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 const auth = require('../utils/auth.js')
 
 const BaseCommand = require('../base-command.js')

lib/commands/login.js

@@ -1,5 +1,5 @@
 const log = require('../utils/log-shim.js')
-const replaceInfo = require('../utils/replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 const auth = require('../utils/auth.js')
 
 const BaseCommand = require('../base-command.js')

lib/commands/publish.js

@@ -6,7 +6,7 @@ const runScript = require('@npmcli/run-script')
 const pacote = require('pacote')
 const npa = require('npm-package-arg')
 const npmFetch = require('npm-registry-fetch')
-const replaceInfo = require('../utils/replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 
 const otplease = require('../utils/otplease.js')
 const { getContents, logTar } = require('../utils/tar.js')

lib/npm.js

@@ -12,7 +12,7 @@ const LogFile = require('./utils/log-file.js')
 const Timers = require('./utils/timers.js')
 const Display = require('./utils/display.js')
 const log = require('./utils/log-shim')
-const replaceInfo = require('./utils/replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 const updateNotifier = require('./utils/update-notifier.js')
 const pkg = require('../package.json')
 const { deref } = require('./utils/cmd-list.js')

lib/utils/audit-error.js

@@ -1,5 +1,5 @@
 const log = require('./log-shim')
-const replaceInfo = require('./replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 
 // print an error or just nothing if the audit report has an error
 // this is called by the audit command, and by the reify-output util

lib/utils/error-message.js

@@ -1,7 +1,7 @@
 const { format } = require('util')
 const { resolve } = require('path')
 const nameValidator = require('validate-npm-package-name')
-const replaceInfo = require('./replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 const { report } = require('./explain-eresolve.js')
 const log = require('./log-shim')
 

lib/utils/exit-handler.js

@@ -3,7 +3,7 @@ const fs = require('fs')
 
 const log = require('./log-shim.js')
 const errorMessage = require('./error-message.js')
-const replaceInfo = require('./replace-info.js')
+const { redactLog: replaceInfo } = require('@npmcli/redact')
 
 let npm = null // set by the cli
 let exitHandlerCalled = false

lib/utils/replace-info.js

@@ -33,6 +33,7 @@
 !/@npmcli/package-json
 !/@npmcli/promise-spawn
 !/@npmcli/query
+!/@npmcli/redact
 !/@npmcli/run-script
 !/@pkgjs/
 /@pkgjs/*

node_modules/.gitignore

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 npm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

node_modules/@npmcli/redact/LICENSE

@@ -0,0 +1,59 @@
+const { URL } = require('url')
+
+const REPLACE = '***'
+const TOKEN_REGEX = /\bnpm_[a-zA-Z0-9]{36}\b/g
+const GUID_REGEX = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/g
+
+const redact = (value) => {
+  if (typeof value !== 'string' || !value) {
+    return value
+  }
+
+  let urlValue
+  try {
+    urlValue = new URL(value)
+  } catch {
+    // If it's not a URL then we can ignore all errors
+  }
+
+  if (urlValue?.password) {
+    urlValue.password = REPLACE
+    value = urlValue.toString()
+  }
+
+  return value
+    .replace(TOKEN_REGEX, `npm_${REPLACE}`)
+    .replace(GUID_REGEX, REPLACE)
+}
+
+// split on \s|= similar to how nopt parses options
+const splitAndRedact = (str) => {
+  // stateful regex, don't move out of this scope
+  const splitChars = /[\s=]/g
+
+  let match = null
+  let result = ''
+  let index = 0
+  while (match = splitChars.exec(str)) {
+    result += redact(str.slice(index, match.index)) + match[0]
+    index = splitChars.lastIndex
+  }
+
+  return result + redact(str.slice(index))
+}
+
+// replaces auth info in an array of arguments or in a strings
+const redactLog = (arg) => {
+  if (typeof arg === 'string') {
+    return splitAndRedact(arg)
+  } else if (Array.isArray(arg)) {
+    return arg.map((a) => typeof a === 'string' ? splitAndRedact(a) : a)
+  }
+
+  return arg
+}
+
+module.exports = {
+  redact,
+  redactLog,
+}

node_modules/@npmcli/redact/lib/index.js

@@ -0,0 +1,45 @@
+{
+  "name": "@npmcli/redact",
+  "version": "1.1.0",
+  "description": "Redact sensitive npm information from output",
+  "main": "lib/index.js",
+  "scripts": {
+    "test": "tap",
+    "lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
+    "postlint": "template-oss-check",
+    "template-oss-apply": "template-oss-apply --force",
+    "lintfix": "npm run lint -- --fix",
+    "snap": "tap",
+    "posttest": "npm run lint"
+  },
+  "keywords": [],
+  "author": "GitHub Inc.",
+  "license": "ISC",
+  "files": [
+    "bin/",
+    "lib/"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/redact.git"
+  },
+  "templateOSS": {
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "4.21.3",
+    "publish": true
+  },
+  "tap": {
+    "nyc-arg": [
+      "--exclude",
+      "tap-snapshots/**"
+    ]
+  },
+  "devDependencies": {
+    "@npmcli/eslint-config": "^4.0.2",
+    "@npmcli/template-oss": "4.21.3",
+    "tap": "^16.3.10"
+  },
+  "engines": {
+    "node": "^16.14.0 || >=18.0.0"
+  }
+}

node_modules/@npmcli/redact/package.json

@@ -15,6 +15,7 @@
         "@npmcli/map-workspaces",
         "@npmcli/package-json",
         "@npmcli/promise-spawn",
+        "@npmcli/redact",
         "@npmcli/run-script",
         "@sigstore/tuf",
         "abbrev",
@@ -95,6 +96,7 @@
         "@npmcli/map-workspaces": "^3.0.4",
         "@npmcli/package-json": "^5.0.0",
         "@npmcli/promise-spawn": "^7.0.1",
+        "@npmcli/redact": "^1.1.0",
         "@npmcli/run-script": "^7.0.4",
         "@sigstore/tuf": "^2.3.2",
         "abbrev": "^2.0.0",
@@ -1904,6 +1906,15 @@
         "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
       }
     },
+    "node_modules/@npmcli/redact": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/redact/-/redact-1.1.0.tgz",
+      "integrity": "sha512-PfnWuOkQgu7gCbnSsAisaX7hKOdZ4wSAhAzH3/ph5dSGau52kCRrMMGbiSQLwyTZpgldkZ49b0brkOr1AzGBHQ==",
+      "inBundle": true,
+      "engines": {
+        "node": "^16.14.0 || >=18.0.0"
+      }
+    },
     "node_modules/@npmcli/run-script": {
       "version": "7.0.4",
       "resolved": "https://registry.npmjs.org/@npmcli/run-script/-/run-script-7.0.4.tgz",

package-lock.json

@@ -58,6 +58,7 @@
     "@npmcli/map-workspaces": "^3.0.4",
     "@npmcli/package-json": "^5.0.0",
     "@npmcli/promise-spawn": "^7.0.1",
+    "@npmcli/redact": "^1.1.0",
     "@npmcli/run-script": "^7.0.4",
     "@sigstore/tuf": "^2.3.2",
     "abbrev": "^2.0.0",
@@ -130,6 +131,7 @@
     "@npmcli/map-workspaces",
     "@npmcli/package-json",
     "@npmcli/promise-spawn",
+    "@npmcli/redact",
     "@npmcli/run-script",
     "@sigstore/tuf",
     "abbrev",