fix: redact credentials from error.request

Author: gr2m

lib/http-error.js

@@ -17,6 +17,19 @@ module.exports = class HttpError extends Error {
       }
     })
     this.headers = headers
-    this.request = request
+
+    // redact request credentials without mutating original request options
+    const requestCopy = Object.assign({}, request)
+    if (request.headers.authorization) {
+      requestCopy.headers = Object.assign({}, request.headers, {
+        authorization: request.headers.authorization.replace(/ .*$/, ' [REDACTED]')
+      })
+    }
+
+    // client_id & client_secret can be passed as URL query parameters to increase rate limit
+    // see https://developer.github.com/v3/#increasing-the-unauthenticated-rate-limit-for-oauth-applications
+    requestCopy.url = requestCopy.url.replace(/\bclient_secret=\w+/g, 'client_secret=[REDACTED]')
+
+    this.request = requestCopy
   }
 }