Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bun will print private package token if set it ~/.npmrc #14867

Closed
jay-aye-see-kay opened this issue Oct 28, 2024 · 2 comments · Fixed by #14919
Closed

Bun will print private package token if set it ~/.npmrc #14867

jay-aye-see-kay opened this issue Oct 28, 2024 · 2 comments · Fixed by #14919
Assignees
@dylan-conway
Labels
bug Something isn't working bun install Something that relates to the npm-compatible client

Comments

@jay-aye-see-kay
Copy link

What version of Bun is running?

1.1.31

What platform is your computer?

Darwin 23.6.0 arm64 arm

What steps can reproduce the bug?

# put a private package token in your global npmrc file
echo "//npm.pkg.github.com/:_authToken=<your_token>" >> ~/.npmrc

# the add any package (or run bun install)
bun add typescript

# Bun will then print the `<your_token>` as part of the error message

What is the expected behavior?

Bun should not print secrets unexpectedly.

What do you see instead?

1 | //npm.pkg.github.com/:_authToken=<your_token>
                                    ^
warn: The following .npmrc registry option was not applied:

 //npm.pkg.github.com/:_authToken=<your_token>

Because we couldn't find the registry: npm.pkg.github.com/.
  at /Users/jack/.npmrc:1:34
bun add v1.1.31 (e448c4cc)

installed typescript@5.6.3 with binaries:
- tsc
- tsserver

[6.00ms] done

This is a bug because <your_token> is a private token that may have considerable access (i.e. if it's a github package registry token, it could have access to a lot of your github account, it would be bad practice but it's easy to do).

If you're in a public space, or screen sharing you would not expect to have this command print a secret, hopefully you notice and cancel the token quickly.

Additional information

Related issue: #14433 (I opened a separate issue because printing credentials is a security risk, cause is the same, effect is very different - it's easy to merge issues if you prefer)
Issue introduced here (I think): #13990
@jay-aye-see-kay jay-aye-see-kay added bug Something isn't working needs triage labels Oct 28, 2024
@jay-aye-see-kay
Copy link
Author

For additional context; at our company we have private npm packages hosted on github's package registry, all developers put a token in their global npmrc file and each project that needs private packages has a .npmrc with the setting @cultureamp:registry=https://npm.pkg.github.com/.

For now I'll just stick to using pnpm for package management when using bun, as bun has otherwise been flawless software and very enjoyable to use - thanks.

@Jarred-Sumner
Copy link
Collaborator

We will fix this

@nektro nektro added the bun install Something that relates to the npm-compatible client label Oct 28, 2024
@dylan-conway dylan-conway mentioned this issue Oct 31, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dylan-conway dylan-conway

Labels
bug Something isn't working bun install Something that relates to the npm-compatible client
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Redact secrets in bunfig.toml and npmrc logs oven-sh/bun
4 participants
@Jarred-Sumner @nektro @jay-aye-see-kay @dylan-conway