chore(typescript): update ts-sdk seed #14705
| const fetchFn = clientOptions.fetch ?? (await getFetchFn()); | ||
|
|
||
| if (logger.isDebug()) { | ||
| logger.debug("Making passthrough HTTP request", { |
Passthrough request logs raw URL without redaction, exposing sensitive query-parameter credentials
In makePassthroughRequest.ts (lines 155–161 and 180–187) the full fullUrl is written to the debug log without calling redactUrl(). By contrast, fetcherImpl in Fetcher.ts always calls redactUrl(url) before logging (line 266) and its behavior is verified by the extensive redacting.test.ts suite.
If a caller passes a URL that embeds credentials in the query string — e.g. client.fetch("https://api.example.com/data?api_key=s3cr3t&token=abc") — and debug logging is active ({ level: "debug", silent: false }), the key and token appear in plaintext in the log output. The same omission applies to URL userinfo credentials (user:pass@host). The mergedHeaders (which contain auth tokens) are not logged, but the URL is — and URL-embedded secrets are a common bearer-token pattern that the regular fetcher specifically protects against.
Prompt To Fix With AI
Import `redactUrl` from `Fetcher.ts` (or move it to a shared utility) and apply it to `fullUrl` before logging in both debug blocks inside `makePassthroughRequest`:
```ts
// line ~156
logger.debug("Making passthrough HTTP request", {
method,
url: redactUrl(fullUrl), // was: fullUrl
hasBody: body != null,
});
// line ~181
logger.debug("Passthrough HTTP request completed", {
method,
url: redactUrl(fullUrl), // was: fullUrl
statusCode: response.status,
});
```
Add a corresponding test in `makePassthroughRequest.test.ts` that enables debug logging and asserts `api_key`, `token`, and `user:pass@host` patterns are replaced with `[REDACTED]`, mirroring the existing tests in `redacting.test.ts`.
Severity: low | Confidence: 95%
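The redaction step the review comment asks for, as an added TypeScript sketch that is not part of the review or of Fern's code. `redactUrlForLog`, `isSensitiveKey` and the `SENSITIVE_PARAMS` list are hypothetical stand-ins for the project's `redactUrl`, whose implementation is not shown on this page.

```typescript
// Added example: a hypothetical stand-in for the project's redactUrl().
// The parameter list below is an assumption, not the SDK's actual list.
const SENSITIVE_PARAMS = ["api_key", "apikey", "token", "access_token", "password", "secret"];
const REDACTED = "[REDACTED]";

// Decide whether a raw (possibly percent-encoded) query key names a secret.
// A key that cannot be decoded is treated as sensitive (fail closed).
function isSensitiveKey(rawKey: string): boolean {
    try {
        return SENSITIVE_PARAMS.indexOf(decodeURIComponent(rawKey).toLowerCase()) !== -1;
    } catch {
        return true;
    }
}

// Returns a copy of rawUrl that is safe to pass to a debug logger.
// Works on the string so that everything not redacted is kept byte for byte.
function redactUrlForLog(rawUrl: string): string {
    // Set the fragment aside first; it is copied through unchanged.
    const hashIdx = rawUrl.indexOf("#");
    const fragment = hashIdx === -1 ? "" : rawUrl.slice(hashIdx);
    const noFragment = hashIdx === -1 ? rawUrl : rawUrl.slice(0, hashIdx);

    // Split the query off before looking for "@", so an "@" in a value is not taken for userinfo.
    const queryIdx = noFragment.indexOf("?");
    let base = queryIdx === -1 ? noFragment : noFragment.slice(0, queryIdx);

    // Userinfo (user:pass@host) sits between "://" and the last "@" of the authority.
    const schemeIdx = base.indexOf("://");
    if (schemeIdx !== -1) {
        const authStart = schemeIdx + 3;
        const pathIdx = base.indexOf("/", authStart);
        const authEnd = pathIdx === -1 ? base.length : pathIdx;
        const atIdx = base.lastIndexOf("@", authEnd - 1);
        if (atIdx >= authStart) {
            base = base.slice(0, authStart) + REDACTED + base.slice(atIdx);
        }
    }
    if (queryIdx === -1) {
        return base + fragment;
    }
    const pairs = noFragment.slice(queryIdx + 1).split("&").map((pair) => {
        const eq = pair.indexOf("=");
        if (eq === -1) return pair; // bare flag, no value to hide
        return isSensitiveKey(pair.slice(0, eq)) ? pair.slice(0, eq + 1) + REDACTED : pair;
    });
    return base + "?" + pairs.join("&") + fragment;
}
```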
Auto-generated PR, triggered by GitHub event: push from branch: main.
GitHub workflow run: https://github.com/fern-api/fern/actions/runs/24081027448