Bower should hide credentials in URLs in the default output #2176
Comments
I kind of feel like we shouldn't change the default behavior here. Mainly because there might also be situations where you want to output the private parts of said URLs. Even if it is just to revalidate the URL manually or by piping the output (
Given the potential for foot-shooting here, could this at least be spelled out very loudly in the documentation? The other option which I have seen in other tools is to have an explicit "anti-silent" flag, for example
Agree with @benmann and would like to add that with the suggestions he has made, there seems little benefit to be gained from adding such a feature when weighed against the edge cases and additional complexity it would add.
Should we add a comment about it in the documentation?
As @benallfree and @ankon suggested, I did a PR and now there is a note below the
Thx for the PR 🍰
It is possible that bower gets to work with package URLs of various types, and there are various levels of name->URL resolutions happening. Bower helpfully logs the URLs it finally attempts to work with, for example:
There is a problem though when invoking bower like this:
This will leak the value of ${SECRET} into the output of bower.
The specific case where this happens:
The quick & working approach for me is to use bower -s when installing this specific component, but I think it would be great if bower could be "foot-shooting safe" by default here.
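
One way a tool can mask URL credentials before a line is logged, as an added example that is not Bower's code and not part of the original thread. `redactLogLine`, its `showSecrets` option and the sample lines are assumptions constructed for illustration.

```javascript
// Added example: mask URL credentials before a line is logged.
// redactLogLine and its showSecrets option are hypothetical, not Bower APIs.

// scheme://userinfo@ ; userinfo is matched greedily up to the last '@' before
// the first '/', so an unencoded '@' inside a password is still covered.
const USERINFO_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^\/\s]+)@/gi;

function maskUserinfo(userinfo) {
  const colon = userinfo.indexOf(':');
  // "user:password" keeps the user name. Userinfo without a colon is masked
  // whole: it may be a bare access token, so treat it as secret (this also
  // hides harmless names such as "git" in ssh://git@host/, by design).
  return colon === -1 ? '****' : userinfo.slice(0, colon) + ':****';
}

function redactLogLine(line, { showSecrets = false } = {}) {
  if (showSecrets) return line; // explicit opt-in to raw output
  return line.replace(USERINFO_RE,
    (match, scheme, userinfo) => scheme + maskUserinfo(userinfo) + '@');
}

// Constructed sample lines (not real Bower output).
const samples = [
  'resolve https://deploy:s3cr3t@git.example.com/org/private-lib.git#master',
  'resolve https://abc123token@git.example.com/org/repo.git',
  'resolve git+https://user:p@ss@host.example/repo.git',
  'resolve https://host.example/pkg/path@v1',   // '@' in path, no credentials
  'resolve git@host.example:org/repo.git',      // scp-style, no scheme://
];
for (const line of samples) console.log(redactLogLine(line));
```

Redaction is the default here and raw output needs an explicit option, which is the "safe by default" behaviour the issue asks for.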