From 1f776d1b18bd8e0f03692fb2398b959d69171cd8 Mon Sep 17 00:00:00 2001
From: Teddy Katz
Date: Fri, 9 Nov 2018 22:12:56 -0500
Subject: [PATCH] Update: avoid printing TOTP to output when publishing (#31)
This prevents the npm 2FA code from being printed to standard output. As a result, an attacker who had compromised an npm access token and also had access to build output would no longer be able to obtain a TOTP and use it in the next 30 seconds.
---
lib/shell-ops.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/shell-ops.js b/lib/shell-ops.js
index 132490f..6d47a28 100644
--- a/lib/shell-ops.js
+++ b/lib/shell-ops.js
@@ -74,7 +74,7 @@ module.exports = {
 * @private
 */
 exec: function(cmd) {
- console.log("+ " + cmd);
+ console.log("+ " + cmd.replace(/--otp=\d+/g, "--otp=(redacted)"));
 var result = this.execSilent(cmd);
 console.log(result);
 },
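Review bot: The redaction on the added `console.log` line only matches the exact form `--otp=<digits>`, so an OTP passed as `--otp 123456` or quoted as `--otp="123456"` (both of which npm's option parser appears to accept) would still be echoed in full; a slightly wider pattern such as `cmd.replace(/--otp(?:=|\s+)["']?\d+["']?/g, "--otp=(redacted)")` closes those cases without changing the redacted output. The following `console.log(result)` still prints the command's captured output unredacted, so if the invoked command ever echoes its own arguments (for example on an npm error), the code could still surface there — worth applying the same replace to `result`, or at least noting it in a comment. Note too that the TOTP remains in the process's argv and is visible to anyone who can list processes on the build host; this change narrows only the build-log channel, and a comment such as `// Redact the 2FA code from the echoed command; it is still visible in argv` would make that scope explicit. The enclosing `module.exports` object starts before this hunk.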