deps: update @npmcli/redact@3.0.0

Author: reggi

node_modules/.gitignore

@@ -194,6 +194,11 @@
 !/npm-pick-manifest
 !/npm-profile
 !/npm-registry-fetch
+!/npm-registry-fetch/node_modules/
+/npm-registry-fetch/node_modules/*
+!/npm-registry-fetch/node_modules/@npmcli/
+/npm-registry-fetch/node_modules/@npmcli/*
+!/npm-registry-fetch/node_modules/@npmcli/redact
 !/npm-user-validate
 !/p-map
 !/package-json-from-dist

node_modules/@npmcli/redact/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/redact",
-  "version": "2.0.1",
+  "version": "3.0.0",
   "description": "Redact sensitive npm information from output",
   "main": "lib/index.js",
   "exports": {
@@ -10,12 +10,13 @@
   },
   "scripts": {
     "test": "tap",
-    "lint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\"",
+    "lint": "npm run eslint",
     "postlint": "template-oss-check",
     "template-oss-apply": "template-oss-apply --force",
-    "lintfix": "npm run lint -- --fix",
+    "lintfix": "npm run eslint -- --fix",
     "snap": "tap",
-    "posttest": "npm run lint"
+    "posttest": "npm run lint",
+    "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\""
   },
   "keywords": [],
   "author": "GitHub Inc.",
@@ -26,11 +27,11 @@
   ],
   "repository": {
     "type": "git",
-    "url": "https://github.com/npm/redact.git"
+    "url": "git+https://github.com/npm/redact.git"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.21.3",
+    "version": "4.23.3",
     "publish": true
   },
   "tap": {
@@ -41,11 +42,11 @@
     "timeout": 120
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^4.0.2",
-    "@npmcli/template-oss": "4.21.3",
+    "@npmcli/eslint-config": "^5.0.0",
+    "@npmcli/template-oss": "4.23.3",
     "tap": "^16.3.10"
   },
   "engines": {
-    "node": "^16.14.0 || >=18.0.0"
+    "node": "^18.17.0 || >=20.5.0"
   }
 }

node_modules/npm-registry-fetch/node_modules/@npmcli/redact/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 npm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

node_modules/npm-registry-fetch/node_modules/@npmcli/redact/lib/deep-map.js

@@ -0,0 +1,78 @@
+function filterError (input) {
+  return {
+    errorType: input.name,
+    message: input.message,
+    stack: input.stack,
+    ...(input.code ? { code: input.code } : {}),
+    ...(input.statusCode ? { statusCode: input.statusCode } : {}),
+  }
+}
+
+const deepMap = (input, handler = v => v, path = ['$'], seen = new Set([input])) => {
+  // this is in an effort to maintain bole's error logging behavior
+  if (path.join('.') === '$' && input instanceof Error) {
+    return deepMap({ err: filterError(input) }, handler, path, seen)
+  }
+  if (input instanceof Error) {
+    return deepMap(filterError(input), handler, path, seen)
+  }
+  if (input instanceof Buffer) {
+    return `[unable to log instanceof buffer]`
+  }
+  if (input instanceof Uint8Array) {
+    return `[unable to log instanceof Uint8Array]`
+  }
+
+  if (Array.isArray(input)) {
+    const result = []
+    for (let i = 0; i < input.length; i++) {
+      const element = input[i]
+      const elementPath = [...path, i]
+      if (element instanceof Object) {
+        if (!seen.has(element)) { // avoid getting stuck in circular reference
+          seen.add(element)
+          result.push(deepMap(handler(element, elementPath), handler, elementPath, seen))
+        }
+      } else {
+        result.push(handler(element, elementPath))
+      }
+    }
+    return result
+  }
+
+  if (input === null) {
+    return null
+  } else if (typeof input === 'object' || typeof input === 'function') {
+    const result = {}
+
+    for (const propertyName of Object.getOwnPropertyNames(input)) {
+    // skip logging internal properties
+      if (propertyName.startsWith('_')) {
+        continue
+      }
+
+      try {
+        const property = input[propertyName]
+        const propertyPath = [...path, propertyName]
+        if (property instanceof Object) {
+          if (!seen.has(property)) { // avoid getting stuck in circular reference
+            seen.add(property)
+            result[propertyName] = deepMap(
+              handler(property, propertyPath), handler, propertyPath, seen
+            )
+          }
+        } else {
+          result[propertyName] = handler(property, propertyPath)
+        }
+      } catch (err) {
+      // a getter may throw an error
+        result[propertyName] = `[error getting value: ${err.message}]`
+      }
+    }
+    return result
+  }
+
+  return handler(input, path)
+}
+
+module.exports = { deepMap }

node_modules/npm-registry-fetch/node_modules/@npmcli/redact/lib/index.js

@@ -0,0 +1,44 @@
+const matchers = require('./matchers')
+const { redactUrlPassword } = require('./utils')
+
+const REPLACE = '***'
+
+const redact = (value) => {
+  if (typeof value !== 'string' || !value) {
+    return value
+  }
+  return redactUrlPassword(value, REPLACE)
+    .replace(matchers.NPM_SECRET.pattern, `npm_${REPLACE}`)
+    .replace(matchers.UUID.pattern, REPLACE)
+}
+
+// split on \s|= similar to how nopt parses options
+const splitAndRedact = (str) => {
+  // stateful regex, don't move out of this scope
+  const splitChars = /[\s=]/g
+
+  let match = null
+  let result = ''
+  let index = 0
+  while (match = splitChars.exec(str)) {
+    result += redact(str.slice(index, match.index)) + match[0]
+    index = splitChars.lastIndex
+  }
+
+  return result + redact(str.slice(index))
+}
+
+// replaces auth info in an array of arguments or in a strings
+const redactLog = (arg) => {
+  if (typeof arg === 'string') {
+    return splitAndRedact(arg)
+  } else if (Array.isArray(arg)) {
+    return arg.map((a) => typeof a === 'string' ? splitAndRedact(a) : a)
+  }
+  return arg
+}
+
+module.exports = {
+  redact,
+  redactLog,
+}

node_modules/npm-registry-fetch/node_modules/@npmcli/redact/lib/matchers.js

@@ -0,0 +1,81 @@
+const TYPE_REGEX = 'regex'
+const TYPE_URL = 'url'
+const TYPE_PATH = 'path'
+
+const NPM_SECRET = {
+  type: TYPE_REGEX,
+  pattern: /\b(npms?_)[a-zA-Z0-9]{36,48}\b/gi,
+  replacement: `[REDACTED_NPM_SECRET]`,
+}
+
+const AUTH_HEADER = {
+  type: TYPE_REGEX,
+  pattern: /\b(Basic\s+|Bearer\s+)[\w+=\-.]+\b/gi,
+  replacement: `[REDACTED_AUTH_HEADER]`,
+}
+
+const JSON_WEB_TOKEN = {
+  type: TYPE_REGEX,
+  pattern: /\b[A-Za-z0-9-_]{10,}(?!\.\d+\.)\.[A-Za-z0-9-_]{3,}\.[A-Za-z0-9-_]{20,}\b/gi,
+  replacement: `[REDACTED_JSON_WEB_TOKEN]`,
+}
+
+const UUID = {
+  type: TYPE_REGEX,
+  pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi,
+  replacement: `[REDACTED_UUID]`,
+}
+
+const URL_MATCHER = {
+  type: TYPE_REGEX,
+  pattern: /(?:https?|ftp):\/\/[^\s/"$.?#].[^\s"]*/gi,
+  replacement: '[REDACTED_URL]',
+}
+
+const DEEP_HEADER_AUTHORIZATION = {
+  type: TYPE_PATH,
+  predicate: ({ path }) => path.endsWith('.headers.authorization'),
+  replacement: '[REDACTED_HEADER_AUTHORIZATION]',
+}
+
+const DEEP_HEADER_SET_COOKIE = {
+  type: TYPE_PATH,
+  predicate: ({ path }) => path.endsWith('.headers.set-cookie'),
+  replacement: '[REDACTED_HEADER_SET_COOKIE]',
+}
+
+const REWRITE_REQUEST = {
+  type: TYPE_PATH,
+  predicate: ({ path }) => path.endsWith('.request'),
+  replacement: (input) => ({
+    method: input?.method,
+    path: input?.path,
+    headers: input?.headers,
+    url: input?.url,
+  }),
+}
+
+const REWRITE_RESPONSE = {
+  type: TYPE_PATH,
+  predicate: ({ path }) => path.endsWith('.response'),
+  replacement: (input) => ({
+    data: input?.data,
+    status: input?.status,
+    headers: input?.headers,
+  }),
+}
+
+module.exports = {
+  TYPE_REGEX,
+  TYPE_URL,
+  TYPE_PATH,
+  NPM_SECRET,
+  AUTH_HEADER,
+  JSON_WEB_TOKEN,
+  UUID,
+  URL_MATCHER,
+  DEEP_HEADER_AUTHORIZATION,
+  DEEP_HEADER_SET_COOKIE,
+  REWRITE_REQUEST,
+  REWRITE_RESPONSE,
+}

node_modules/npm-registry-fetch/node_modules/@npmcli/redact/lib/server.js

@@ -0,0 +1,34 @@
+const {
+  AUTH_HEADER,
+  JSON_WEB_TOKEN,
+  NPM_SECRET,
+  DEEP_HEADER_AUTHORIZATION,
+  DEEP_HEADER_SET_COOKIE,
+  REWRITE_REQUEST,
+  REWRITE_RESPONSE,
+} = require('./matchers')
+
+const {
+  redactUrlMatcher,
+  redactUrlPasswordMatcher,
+  redactMatchers,
+} = require('./utils')
+
+const { deepMap } = require('./deep-map')
+
+const _redact = redactMatchers(
+  NPM_SECRET,
+  AUTH_HEADER,
+  JSON_WEB_TOKEN,
+  DEEP_HEADER_AUTHORIZATION,
+  DEEP_HEADER_SET_COOKIE,
+  REWRITE_REQUEST,
+  REWRITE_RESPONSE,
+  redactUrlMatcher(
+    redactUrlPasswordMatcher()
+  )
+)
+
+const redact = (input) => deepMap(input, (value, path) => _redact(value, { path }))
+
+module.exports = { redact }

package.json

@@ -58,7 +58,7 @@
     "@npmcli/map-workspaces": "^4.0.1",
     "@npmcli/package-json": "^6.0.1",
     "@npmcli/promise-spawn": "^8.0.1",
-    "@npmcli/redact": "^2.0.1",
+    "@npmcli/redact": "^3.0.0",
     "@npmcli/run-script": "^8.1.0",
     "@sigstore/tuf": "^2.3.4",
     "abbrev": "^2.0.0",

workspaces/arborist/package.json

@@ -12,7 +12,7 @@
     "@npmcli/node-gyp": "^3.0.0",
     "@npmcli/package-json": "^6.0.1",
     "@npmcli/query": "^3.1.0",
-    "@npmcli/redact": "^2.0.0",
+    "@npmcli/redact": "^3.0.0",
     "@npmcli/run-script": "^8.1.0",
     "bin-links": "^4.0.4",
     "cacache": "^18.0.3",