
Security: Mask credentials in debug logs, replace yamljs, update dependencies#24

Merged
larsdecker merged 8 commits into master from copilot/improve-library-security on Dec 27, 2025

Conversation


Copilot AI commented Dec 27, 2025

Improves library security by preventing credential leaks, replacing unmaintained dependencies, and documenting security best practices.

Critical: Credential Exposure in Debug Logs

When debug mode was enabled, PINs and TANs were logged in plain text. The HNSHA segment's debugString now masks credentials:

// Before: PIN "12345" visible in logs
verbose(`Sending Request: ${request}`);  // Contains full HNSHA with PIN

// After: Credentials masked
segment.debugString;  // "DG 2: ***MASKED***, ***MASKED***"

Changes:

  • Override HNSHA.debugString to mask PIN/TAN with ***MASKED***
  • Remove credential exposure from HttpConnection.send() verbose logging
  • toString() still serializes actual credentials for transmission

Replace Deprecated yamljs

Replaced unmaintained yamljs (last updated 2016) with actively maintained yaml package:

// Before
import * as YAML from "yamljs";
YAML.stringify(obj, 4);

// After
import { stringify } from "yaml";
stringify(obj, { indent: 4 });

Dependency Updates

  • typescript: ^5.8.0 → ^5.9.3
  • eslint-config-prettier: ^9.1.0 → ^10.1.8
  • eslint-plugin-prettier: ^5.1.3 → ^5.5.4
  • minimatch: ^10.0.1 → ^10.1.1

Documentation

Added SECURITY.md with vulnerability disclosure process and security best practices section to README covering credential management, debug mode usage, and secure connection handling.

Original prompt

Can you try to further improve the security of this library and see which libraries we might be able to replace.


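The masking approach described in the PR body above, as an added example that is not the fints project's own code. The Segment and HNSHA classes, the data-group layout, the Logger interface and the sendRequest function are simplified stand-ins that only assume what the description states: toString() serialises the real PIN/TAN for the wire, debugString replaces each credential element with ***MASKED***, and the HTTP layer logs the URL plus debugString rather than the serialised request.

```typescript
// Added example, not the fints project's own code. Class, field and function
// names are assumptions modelled on the PR description.

const MASK = "***MASKED***";

interface Logger {
  verbose(msg: string): void;
}

// A segment is a header followed by data groups; each data group is a list of
// data elements. FinTS joins elements with ":" and groups with "+", and ends
// the segment with "'".
class Segment {
  readonly type: string;
  readonly segNo: number;
  readonly version: number;

  constructor(type: string, segNo: number, version: number) {
    this.type = type;
    this.segNo = segNo;
    this.version = version;
  }

  // Data groups with their real values; used for transmission.
  protected dataGroups(): string[][] {
    return [];
  }

  // Data groups as they may appear in logs. Default: unchanged. Segments that
  // carry secrets override this hook.
  protected debugGroups(): string[][] {
    return this.dataGroups();
  }

  // Wire representation. Always contains the actual values.
  toString(): string {
    const header = `${this.type}:${this.segNo}:${this.version}`;
    const groups = this.dataGroups().map((g) => g.join(":"));
    return [header, ...groups].join("+") + "'";
  }

  // Log representation, one line per data group: "DG n: e1, e2".
  get debugString(): string {
    return this.debugGroups()
      .map((g, i) => `DG ${i + 1}: ${g.join(", ")}`)
      .join("\n");
  }
}

// HNSHA (signature trailer): data group 1 is the security control reference,
// data group 2 holds the PIN and, for TAN-protected orders, the TAN.
class HNSHA extends Segment {
  private readonly securityControlRef: string;
  private readonly pin: string;
  private readonly tan: string | undefined;

  constructor(segNo: number, securityControlRef: string, pin: string, tan?: string) {
    super("HNSHA", segNo, 2);
    this.securityControlRef = securityControlRef;
    this.pin = pin;
    this.tan = tan;
  }

  protected dataGroups(): string[][] {
    const credentials = this.tan === undefined ? [this.pin] : [this.pin, this.tan];
    return [[this.securityControlRef], credentials];
  }

  // Mask every element of the credential group (index 1), whether it holds a
  // PIN alone or a PIN and a TAN; the non-secret reference is left readable.
  protected debugGroups(): string[][] {
    return this.dataGroups().map((g, i) => (i === 1 ? g.map(() => MASK) : g));
  }
}

// Stand-in for HttpConnection.send(): the verbose log receives the URL and each
// segment's debugString, never the serialised request body.
function sendRequest(url: string, segments: Segment[], log: Logger): string {
  log.verbose(`Sending request to ${url}`);
  for (const seg of segments) {
    log.verbose(seg.debugString);
  }
  return segments.map((seg) => seg.toString()).join("");
}

// Constructed sample: PIN and TAN must appear on the wire but never in the log.
function demo(): { wire: string; logLines: string[] } {
  const logLines: string[] = [];
  const log: Logger = { verbose: (msg) => logLines.push(msg) };
  const hnsha = new HNSHA(3, "ref-001", "12345", "987654");
  const wire = sendRequest("https://bank.example/fints", [hnsha], log);
  return { wire, logLines };
}
```

The point of splitting dataGroups() from debugGroups() is that the masking cannot drift out of sync with serialisation: the log form is derived from the same groups the wire form uses, so a new credential element added to group 2 is masked automatically, while a test can still assert that toString() carries the real values.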

Copilot AI and others added 4 commits December 27, 2025 00:25
Copilot AI changed the title [WIP] Enhance security measures for library Security: Mask credentials in debug logs, replace yamljs, update dependencies Dec 27, 2025
Copilot AI requested a review from larsdecker December 27, 2025 00:32
@larsdecker larsdecker marked this pull request as ready for review December 27, 2025 01:14
Copilot AI review requested due to automatic review settings December 27, 2025 01:14

Copilot AI left a comment


Pull request overview

This pull request significantly improves the security posture of the FinTS library by preventing credential leaks in debug logs, replacing an unmaintained dependency, and providing comprehensive security documentation.

Key Changes:

  • Masks PIN and TAN credentials in HNSHA segment debug output to prevent accidental exposure in logs
  • Replaces deprecated yamljs (last updated 2016) with actively maintained yaml package
  • Updates development dependencies (TypeScript, ESLint plugins, minimatch) to latest versions
  • Adds comprehensive SECURITY.md and security best practices section to README

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

File Description
packages/fints/src/segments/hnsha.ts Overrides debugString getter to mask PIN/TAN credentials with ***MASKED*** while preserving actual values in toString() for transmission
packages/fints/src/segments/tests/test-hnsha.ts Adds comprehensive security tests verifying credentials are masked in debug output but exposed in serialization
packages/fints/src/http-connection.ts Removes credential exposure from verbose logging by only logging URL instead of full request string
packages/fints-cli/src/config.ts Migrates from yamljs to yaml package with equivalent API usage
packages/fints-cli/package.json Updates dependencies: adds yaml 2.8.2, removes yamljs and @types/yamljs, updates TypeScript and minimatch
packages/fints/package.json Updates devDependencies: TypeScript to 5.9.3, minimatch to 10.1.1
package.json Updates root devDependencies: eslint-config-prettier to 10.1.8, eslint-plugin-prettier to 5.5.4, TypeScript to 5.9.3
yarn.lock Reflects all dependency updates and removals
SECURITY.md New comprehensive security policy covering credential masking, dependency security, HTTPS enforcement, best practices, and vulnerability disclosure process
README.md Adds security section with credential handling guidelines and secure coding examples


Review comment threads (marked outdated after later commits): SECURITY.md, README.md, packages/fints/src/segments/hnsha.ts
larsdecker and others added 3 commits December 27, 2025 02:26
@larsdecker larsdecker merged commit 12f9444 into master Dec 27, 2025
5 checks passed