pr/supply-chain-metadata

Pr/supply chain metadata

Author: hamdymohamedak

.github/SECURITY.md

@@ -0,0 +1,12 @@
+# Security policy
+
+The full threat model, SSRF/cache/retry guidance, and local security checks live in [`SECURITY.md`](../SECURITY.md) at the repository root (also shipped on npm).
+
+## Reporting a vulnerability
+
+Please do **not** open a public issue for undisclosed security defects.
+
+- Prefer a [GitHub private security advisory](https://github.com/openfetch-js/OpenFetch/security/advisories/new) for this repository, or
+- Contact the maintainer privately if you cannot use GitHub advisories.
+
+Include enough detail to reproduce or reason about impact. We aim to acknowledge valid reports and coordinate disclosure after a fix is available.

.github/workflows/publish.yml

@@ -0,0 +1,34 @@
+# Publishes to npm using trusted publishing (OIDC). On npmjs.com, trusted publisher must
+# reference this repo: https://github.com/openfetch-js/OpenFetch and workflow file: publish.yml
+# Requires: npm CLI >= 11.5.1, Node >= 22.14 (see https://docs.npmjs.com/trusted-publishers )
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@^11.5.1
+
+      - run: npm ci
+      - run: npm test
+
+      # No NODE_AUTH_TOKEN: authentication is OIDC when trusted publishing is enabled.
+      # Provenance is generated automatically for trusted publishing from GitHub Actions.
+      - run: npm publish

dist/core/error.d.ts

@@ -30,6 +30,8 @@ export type OpenFetchErrorToShapeOptions = {
     redactSensitiveUrlQuery?: boolean;
     /** Extra query parameter names to redact (case-insensitive); merged with the built-in list. */
     sensitiveQueryParamNames?: string[];
+    /** Replacement string for redacted query values (default `"[REDACTED]"`). */
+    sensitiveQueryParamReplacement?: string;
 };
 export declare class OpenFetchError<T = unknown> extends Error {
     config?: OpenFetchConfig;

dist/core/error.d.ts.map

@@ -39,6 +39,7 @@ export class OpenFetchError extends Error {
         const redactOpts = {
             enabled: options?.redactSensitiveUrlQuery !== false,
             paramNames: options?.sensitiveQueryParamNames,
+            replacement: options?.sensitiveQueryParamReplacement,
         };
         url = redactSensitiveUrlQuery(url, redactOpts);
         const method = (this.config?.method ?? "GET").toUpperCase();

dist/core/error.js

@@ -5,10 +5,13 @@ export type RedactUrlQueryOptions = {
     paramNames?: string[];
     /** When false, returns `url` unchanged. Default true. */
     enabled?: boolean;
+    /** Value substituted for sensitive query parameters (default `"[REDACTED]"`). */
+    replacement?: string;
 };
 /**
  * Replaces values of sensitive query parameters for safe logging or serialization.
- * Invalid or non-absolute URLs are returned unchanged.
+ * Supports absolute URLs and common relative forms (`/path?…`, `?only=query`, `api/x?…`).
+ * Strings that are not valid URLs and do not look like path/query requests are returned unchanged.
  */
 export declare function redactSensitiveUrlQuery(url: string, options?: RedactUrlQueryOptions): string;
 //# sourceMappingURL=redactUrlQuery.d.ts.map

dist/helpers/redactUrlQuery.d.ts

@@ -18,40 +18,112 @@ export const DEFAULT_SENSITIVE_QUERY_PARAM_NAMES = [
     "csrf",
     "nonce",
 ];
+const DEFAULT_REDACTION = "[REDACTED]";
 const DEFAULT_SET = new Set(DEFAULT_SENSITIVE_QUERY_PARAM_NAMES.map((n) => n.toLowerCase()));
+function normalizeKey(k) {
+    return k.toLowerCase().replace(/[-_]/g, "");
+}
+function buildPartialFragments(sensitive) {
+    const out = [];
+    for (const s of sensitive) {
+        const n = normalizeKey(s);
+        if (n !== "")
+            out.push(n);
+    }
+    return out;
+}
+const DEFAULT_PARTIAL_FRAGMENTS = buildPartialFragments(DEFAULT_SET);
+/**
+ * Path- or query-shaped strings that are safe to resolve with a dummy base.
+ * Avoids turning arbitrary tokens like `not-a-url` into `http://localhost/not-a-url`.
+ */
+function mayBeRelativeRequestUrl(url) {
+    return (url.startsWith("/") ||
+        url.startsWith("./") ||
+        url.startsWith("../") ||
+        url.startsWith("?") ||
+        url.includes("/") ||
+        url.includes("?"));
+}
+function parseUrlForRedaction(url) {
+    try {
+        const u = new URL(url);
+        return { u, relativeInput: false, queryOnlyInput: false };
+    }
+    catch {
+        if (!mayBeRelativeRequestUrl(url))
+            return null;
+        try {
+            const u = new URL(url, "http://localhost");
+            return {
+                u,
+                relativeInput: true,
+                queryOnlyInput: url.startsWith("?"),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}
+function isSensitiveName(nameLower, sensitive, partialFragments) {
+    if (sensitive.has(nameLower))
+        return true;
+    const kn = normalizeKey(nameLower);
+    if (kn === "")
+        return false;
+    for (const frag of partialFragments) {
+        if (frag !== "" && kn.includes(frag))
+            return true;
+    }
+    return false;
+}
+function serializeAfterRedaction(parsed) {
+    const { u, relativeInput, queryOnlyInput } = parsed;
+    if (!relativeInput)
+        return u.toString();
+    if (queryOnlyInput)
+        return `${u.search}${u.hash}`;
+    return `${u.pathname}${u.search}${u.hash}`;
+}
 /**
  * Replaces values of sensitive query parameters for safe logging or serialization.
- * Invalid or non-absolute URLs are returned unchanged.
+ * Supports absolute URLs and common relative forms (`/path?…`, `?only=query`, `api/x?…`).
+ * Strings that are not valid URLs and do not look like path/query requests are returned unchanged.
  */
 export function redactSensitiveUrlQuery(url, options) {
     if (options?.enabled === false || url === "")
         return url;
     const extra = options?.paramNames ?? [];
     const sensitive = extra.length === 0
         ? DEFAULT_SET
-        : new Set([
-            ...DEFAULT_SET,
-            ...extra.map((n) => n.toLowerCase()),
-        ]);
-    try {
-        const u = new URL(url);
-        if (u.search === "")
-            return url;
-        const params = u.searchParams;
-        let changed = false;
-        const names = new Set();
-        params.forEach((_v, name) => {
-            names.add(name);
-        });
-        for (const name of names) {
-            if (sensitive.has(name.toLowerCase())) {
-                params.set(name, "[REDACTED]");
-                changed = true;
-            }
-        }
-        return changed ? u.toString() : url;
-    }
-    catch {
+        : new Set([...DEFAULT_SET, ...extra.map((n) => n.toLowerCase())]);
+    const partialFragments = extra.length === 0
+        ? DEFAULT_PARTIAL_FRAGMENTS
+        : buildPartialFragments(sensitive);
+    const replacement = options?.replacement ?? DEFAULT_REDACTION;
+    const parsed = parseUrlForRedaction(url);
+    if (parsed === null)
+        return url;
+    const { u } = parsed;
+    if (u.search === "")
         return url;
+    const params = u.searchParams;
+    let changed = false;
+    const names = new Set();
+    params.forEach((_v, name) => {
+        names.add(name);
+    });
+    for (const name of names) {
+        const lower = name.toLowerCase();
+        if (!isSensitiveName(lower, sensitive, partialFragments))
+            continue;
+        const n = params.getAll(name).length;
+        params.delete(name);
+        for (let i = 0; i < n; i++) {
+            params.append(name, replacement);
+        }
+        changed = true;
     }
+    return changed ? serializeAfterRedaction(parsed) : url;
 }

dist/helpers/redactUrlQuery.d.ts.map

@@ -36,6 +36,8 @@ export type DebugPluginOptions = {
     maskUrlQuery?: boolean;
     /** Extra query parameter names to redact in the logged URL (case-insensitive). */
     sensitiveQueryParamNames?: string[];
+    /** Replacement string for redacted query values in the logged URL (default `"[REDACTED]"`). */
+    sensitiveQueryParamReplacement?: string;
 };
 /**
  * Development-oriented logging middleware. Omit from production bundles if unused.