Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
Since #8828 was merged to fix #4170 (released in CLI v11.8.0), the "environment-related config" section of npm config list shows the values of the HTTP_PROXY, HTTPS_PROXY and NO_PROXY env vars. However, unlike the native proxy and https-proxy options, it doesn't obscure the credentials in the proxy URL.
Expected Behavior
Any obvious credentials in the npm config list output should be replaced by *** (or e.g. (protected), as is done with auth-related configuration like //<some-registry>:_auth).
Steps To Reproduce
Given:
# .npmrc
proxy=${HTTP_PROXY}
then you see e.g.:
$ HTTP_PROXY=http://user:pass@example.com:80 npm config list
# ... user config
; "project" config from path/to/.npmrc
proxy = "http://user:***@example.com:80"
; environment-related config
; HTTP_PROXY = "http://user:pass@example.com:80"
# ... etc.
The password in the proxy config option is correctly redacted, but the HTTP_PROXY env var is emitted as-is.
Environment
Tested on two entirely different systems, both with npm >11.8:
- npm: v12.0.1 / v11.13.0
- Node.js: v26.5.0 / v24.16.0
- OS Name: macOS Tahoe 26.5.2 / Windows 11
- System Model Name: MacBook Pro / Lenovo ThinkPad
- npm config: already given in example
Is there an existing issue for this?
This issue exists in the latest npm version
This is not just a request to bump a dependency for a CVE
Current Behavior
Since #8828 was merged to fix #4170 (released in CLI v11.8.0), the "environment-related config" section of
npm config listshows the values of theHTTP_PROXY,HTTPS_PROXYandNO_PROXYenv vars. However, unlike the nativeproxyandhttps-proxyoptions, it doesn't obscure the credentials in the proxy URL.Expected Behavior
Any obvious credentials in the
npm config listoutput should be replaced by***(or e.g.(protected), as is done with auth-related configuration like//<some-registry>:_auth).Steps To Reproduce
Given:
then you see e.g.:
The password in the
proxyconfig option is correctly redacted, but theHTTP_PROXYenv var is emitted as-is.Environment
Tested on two entirely different systems, both with npm >11.8: