Update: avoid printing TOTP to output when publishing (#31)

This prevents the npm 2FA code from being printed to standard output. As a result, an attacker who had compromised an npm access token and also had access to build output would no longer be able to obtain a TOTP and use it in the next 30 seconds.
eslint · Nov 10, 2018 · 1f776d1 · 1f776d1
1 parent 73b3f38
commit 1f776d1
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/shell-ops.js b/lib/shell-ops.js
@@ -74,7 +74,7 @@ module.exports = {
      * @private
      */
     exec: function(cmd) {
-        console.log("+ " + cmd);
+        console.log("+ " + cmd.replace(/--otp=\d+/g, "--otp=(redacted)"));
         var result = this.execSilent(cmd);
         console.log(result);
     },