Skip to content

[BUG] npm config list leaks credentials in proxy-related environment variables #9773

Description

@textbook

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

This is not just a request to bump a dependency for a CVE

  • This is not solely a request to bump a dependency for a CVE

Current Behavior

Since #8828 was merged to fix #4170 (released in CLI v11.8.0), the "environment-related config" section of npm config list shows the values of the HTTP_PROXY, HTTPS_PROXY and NO_PROXY env vars. However, unlike the native proxy and https-proxy options, it doesn't obscure the credentials in the proxy URL.

Expected Behavior

Any obvious credentials in the npm config list output should be replaced by *** (or e.g. (protected), as is done with auth-related configuration like //<some-registry>:_auth).

Steps To Reproduce

Given:

# .npmrc
proxy=${HTTP_PROXY}

then you see e.g.:

$ HTTP_PROXY=http://user:pass@example.com:80 npm config list

# ... user config

; "project" config from path/to/.npmrc

proxy = "http://user:***@example.com:80"

; environment-related config

; HTTP_PROXY = "http://user:pass@example.com:80"

# ... etc.

The password in the proxy config option is correctly redacted, but the HTTP_PROXY env var is emitted as-is.

Environment

Tested on two entirely different systems, both with npm >11.8:

  • npm: v12.0.1 / v11.13.0
  • Node.js: v26.5.0 / v24.16.0
  • OS Name: macOS Tahoe 26.5.2 / Windows 11
  • System Model Name: MacBook Pro / Lenovo ThinkPad
  • npm config: already given in example

Metadata

Metadata

Assignees

No one assigned

    Labels

    Bugthing that needs fixingNeeds Triageneeds review for next steps

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions