fix(config): be more aggressive about hiding protected values (#7504)

Err on the side of not displaying things even if they're not valid config
npm · May 10, 2024 · db62910 · db62910
1 parent bdd2aae
commit db62910
Show file tree

Hide file tree

Showing 3 changed files with 214 additions and 169 deletions.
diff --git a/lib/commands/config.js b/lib/commands/config.js
@@ -9,15 +9,33 @@ const { log, output } = require('proc-log')
 const BaseCommand = require('../base-cmd.js')
 
 // These are the configs that we can nerf-dart. Not all of them currently even
-// *have* config definitions so we have to explicitly validate them here
+// *have* config definitions so we have to explicitly validate them here.
+// This is used to validate during "npm config set"
 const nerfDarts = [
   '_auth',
   '_authToken',
-  'username',
   '_password',
+  'certfile',
   'email',
+  'keyfile',
+  'username',
+]
+// These are the config values to swap with "protected".  It does not catch
+// every single sensitive thing a user may put in the npmrc file but it gets
+// the common ones.  This is distinct from nerfDarts because that is used to
+// validate valid configs during "npm config set", and folks may have old
+// invalid entries lying around in a config file that we still want to protect
+// when running "npm config list"
+// This is a more general list of values to consider protected.  You can not
+// "npm config get" them, and they will not display during "npm config list"
+const protected = [
+  'auth',
+  'authToken',
   'certfile',
+  'email',
   'keyfile',
+  'password',
+  'username',
 ]
 
 // take an array of `[key, value, k2=v2, k3, v3, ...]` and turn into
@@ -40,10 +58,21 @@ const publicVar = k => {
   if (k.startsWith('_')) {
     return false
   }
-  // //localhost:8080/:_password
-  if (k.startsWith('//') && k.includes(':_')) {
+  if (protected.includes(k)) {
     return false
   }
+  // //localhost:8080/:_password
+  if (k.startsWith('//')) {
+    if (k.includes(':_')) {
+      return false
+    }
+    // //registry:_authToken or //registry:authToken
+    for (const p of protected) {
+      if (k.endsWith(`:${p}`) || k.endsWith(`:_${p}`)) {
+        return false
+      }
+    }
+  }
   return true
 }
 
@@ -320,7 +349,7 @@ ${defData}
         const src = this.npm.config.find(k)
         const overridden = src !== where
         msg.push((overridden ? '; ' : '') +
-          `${k} = ${v} ${overridden ? `; overridden by ${src}` : ''}`)
+          `${k} = ${v}${overridden ? ` ; overridden by ${src}` : ''}`)
       }
       msg.push('')
     }