npm - @zapier/secret-scrubber - Versions diffs - 1.0.7 → 1.1.0 - Mend

@zapier/secret-scrubber 1.0.7 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,15 @@
+## 1.1.0
+_released `2024-02-01`_
+- replace dependency on `crypto/createHash` to reduce upstream bundle sizes for browsers ([!13](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/13))
+## 1.0.8
+_released `2023-10-25`_
+- fix issue where the order of replacements in `scrub` matters in the sense that we can end up with partially scrubbed sensitive data. Now, we sort the sensitive bank values by larger keys first ([!11](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/11))
 ## 1.0.7
 _released `2022-04-28`_

package/lib/index.js CHANGED Viewed

@@ -10,11 +10,17 @@ const utils_1 = require("./utils");
  */
 const scrub = (input, secretValues) => {
     const sensitiveBank = (0, utils_1.makeSensitiveBank)(secretValues);
+    // Sort by string length first and then by letters.
+    // Otherwise, a sensitive bank {"abcdefg": "aa", "abcdefgh": "bb"} would censor {"api_key": "abcdefgh"}
+    // into {"api_key": "aah"} while the desired output is {"api_key": "bb"}.
+    const sortedKeys = Object.keys(sensitiveBank).sort((x, y) => x.length - y.length === 0 ? y.localeCompare(x) : y.length - x.length);
+    const sensitiveBankEntries = sortedKeys
+        .map((key) => [key, sensitiveBank[key]]);
     const replacer = (val) => {
         if (typeof val === 'string') {
             let copiedVal = val;
             // have to look for substrings in the value instead of looking for the value in the map
-            Object.entries(sensitiveBank).forEach(([transformed, censored]) => {
+            sensitiveBankEntries.forEach(([transformed, censored]) => {
                 copiedVal = (0, utils_1.replaceAll)(copiedVal, transformed, censored);
             });
             return copiedVal;

package/lib/utils.js CHANGED Viewed

@@ -1,12 +1,15 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.replaceAll = exports.recurseExtract = exports.recurseReplace = exports.makeSensitiveBank = exports.censor = exports.base64 = exports.hash = exports.isLongEnoughToBeSecret = void 0;
-const crypto_1 = require("crypto");
+const create_hash_1 = __importDefault(require("create-hash"));
 const isPlainObject = require("lodash.isplainobject");
 const MIN_SECRET_SIZE = 6;
 const isLongEnoughToBeSecret = (s) => s.length >= MIN_SECRET_SIZE;
 exports.isLongEnoughToBeSecret = isLongEnoughToBeSecret;
-const hash = (input) => (0, crypto_1.createHash)('sha256').update(input, 'binary').digest('hex');
+const hash = (input) => (0, create_hash_1.default)('sha256').update(input, 'binary').digest('hex');
 exports.hash = hash;
 const base64 = (val) => {
     try {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@zapier/secret-scrubber",
-  "version": "1.0.7",
+  "version": "1.1.0",
   "description": "Confidently remove secrets and sensitive values from unstructured objects.",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",
@@ -40,6 +40,7 @@
     "singleQuote": true
   },
   "devDependencies": {
+    "@types/create-hash": "^1.2.6",
     "@types/jest": "26.0.23",
     "@types/lodash.isplainobject": "^4.0.6",
     "@types/node": "~16",
@@ -62,6 +63,7 @@
     "typescript": "~4.4"
   },
   "dependencies": {
+    "create-hash": "^1.2.0",
     "lodash.isplainobject": "^4.0.6"
   }
 }