Redact OTP values from argv logs

AI-DEV-BOT · AI-DEV-BOT · commit 8e67656e9a5d · 2026-05-29T20:50:23.000+09:00
diff --git a/lib/utils/clean-argv.js b/lib/utils/clean-argv.js
@@ -2,6 +2,7 @@ const { redactLog: replaceInfo } = require('@npmcli/redact')
 const { isProtected } = require('./protected-config.js')
 
 const REDACTED = '***'
+const isProtectedArg = key => isProtected(key) || key === 'otp'
 
 const cleanArgv = (argv) => {
   const cleaned = replaceInfo(argv)
@@ -14,7 +15,7 @@ const cleanArgv = (argv) => {
     const raw = arg.slice(2)
     const equalsIndex = raw.indexOf('=')
     const key = equalsIndex === -1 ? raw : raw.slice(0, equalsIndex)
-    if (!isProtected(key)) {
+    if (!isProtectedArg(key)) {
       continue
     }
 
diff --git a/test/lib/cli/entry.js b/test/lib/cli/entry.js
@@ -115,6 +115,7 @@ t.test('logged argv redacts protected config values', async t => {
         '--//registry.npmjs.org/:_authToken=plain-secret',
         '--_password',
         'hunter2',
+        '--otp=123456',
       ],
     },
   })
@@ -123,8 +124,10 @@ t.test('logged argv redacts protected config values', async t => {
   const argv = logs.verbose.byTitle('argv')[0]
   t.notMatch(argv, 'plain-secret')
   t.notMatch(argv, 'hunter2')
+  t.notMatch(argv, '123456')
   t.match(argv, '"--//registry.npmjs.org/:_authToken" "***"')
   t.match(argv, '"--_password" "***"')
+  t.match(argv, '"--otp" "***"')
 })
 
 t.test('print usage if no params provided', async t => {
diff --git a/test/lib/utils/clean-argv.js b/test/lib/utils/clean-argv.js
@@ -0,0 +1,53 @@
+const t = require('tap')
+const { cleanArgv } = require('../../../lib/utils/clean-argv.js')
+
+t.test('redacts protected config values', t => {
+  t.strictSame(cleanArgv([
+    '--password=secret',
+    '--otp',
+    '123456',
+    '--//registry.npmjs.org/:_authToken',
+    'plain-secret',
+    '--registry',
+    'https://user:pass@registry.npmjs.org',
+  ]), [
+    '--password=***',
+    '--otp',
+    '***',
+    '--//registry.npmjs.org/:_authToken',
+    '***',
+    '--registry',
+    'https://user:***@registry.npmjs.org',
+  ])
+  t.end()
+})
+
+t.test('redacts protected config values with equals', t => {
+  t.strictSame(cleanArgv([
+    '--otp=123456',
+    '--_authToken=plain-secret',
+    '--//registry.npmjs.org/:_password=hunter2',
+  ]), [
+    '--otp=***',
+    '--_authToken=***',
+    '--//registry.npmjs.org/:_password=***',
+  ])
+  t.end()
+})
+
+t.test('leaves non-protected config values intact', t => {
+  t.strictSame(cleanArgv([
+    '--registry',
+    'https://registry.npmjs.org',
+    '--auth-type',
+    'legacy',
+    '--scope=@npmcli',
+  ]), [
+    '--registry',
+    'https://registry.npmjs.org',
+    '--auth-type',
+    'legacy',
+    '--scope=@npmcli',
+  ])
+  t.end()
+})
