Login credentials should not be surfaced in the logs. This needs to be updated immediately and therefore I propose that all logging of config.url be removed entirely. Perhaps in the future a more sophisticated logging method that redacts the credentials can be developed.
There are many instances where
config.url
is being logged. This url will often include login credentials in the form:Login credentials should not be surfaced in the logs. This needs to be updated immediately and therefore I propose that all logging of
config.url
be removed entirely. Perhaps in the future a more sophisticated logging method that redacts the credentials can be developed.See: https://github.com/digitalbazaar/bedrock-mongodb/blob/master/lib/index.js#L101