Impact
Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view.
Patches
Fixed in
Workarounds
Do not share Renovate logs with anyone who cannot be trusted with access to the token.
Impact
Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the
http.extraheader=AUTHORIZATIONparameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view.Patches
Fixed in
Workarounds
Do not share Renovate logs with anyone who cannot be trusted with access to the token.