Bower should hide credentials in URLs in the default output

[ankon]

It is possible that bower gets to work with package URLs of various types, and there is various levels of name->URL resolutions happening. Bower helpfully logs the URLs it finally attempts to work with, for example:

bower polymer#^1.0.0                     cached git://github.com/Polymer/polymer.git#1.2.4
bower polymer#^1.0.0                   validate 1.2.4 against git://github.com/Polymer/polymer.git#^1.0.0

There is a problem though when invoking bower like this:

$ bower install https://${SECRET}@repository/etc/foobar

This will leak the value of ${SECRET} into the output of bower.

The specific case where this happens:

1. open-source component with a travis build
2. the travis build depends on a private component (a travis-specific build tool)
3. bower is used to install that component using above syntax
4. anyone that knows the component can check the travis logs (they are open), and gain the secret from bower's output

The quick & working approach for me is to use bower -s when installing this specific component, but I think it would be great if bower could be "foot-shooting safe" by default here.

[benmann]

I kind of feel like we shouldn't change the default behavior here. Mainly because there might also be situations where you want to output the private parts of said URLs. Even if it is just to revalidate the URL manually or by piping the output (bower install > logs.txt) and doing your thing with that. Basically this is the perfect use-case for silent as you already pointed out and a very special case as well.

[ankon]

Given the potential for foot-shooting here, could this at least be spelled out very loudly in the documentation?

The other option which I have seen in other tools is to have an explicit "anti-silent" flag, for example --show-credentials, so that the user must explicitly agree to doing that. Of course, you're right in that this is a change in the default behavior, and so could break scripts relying on the current behavior. But, that is something that a suitable semver bump would be able to prevent IMHO.

[faceleg]

Agree with @benmann and would like to add that with the suggestions he has made, there seems little benefit to be gained from adding such a feature when weighed against the edge cases and additional complexity it would add.

[juanbzpy]

Should we add a comment about it in the documentation?

[benmann]

@thinkxl That's a good idea I think. Maybe a simple note in the section about --silent here would be enough. Something along the lines "silent is also useful if you have private components that might leak credentials to your CI environment"...

[altyaper]

As @benallfree and @ankon suggested, I did a PR and now there is a note below the --silent option referring to this topic.

[benmann]

Thx for the PR 🍰
With that I'll close for now.