
@ardatan ardatan commented Sep 23, 2025

Potential fix for https://github.com/ardatan/graphql-tools-prisma-loader/security/code-scanning/1

To remediate, we must ensure that sensitive data from environment variables is never logged directly, especially in error, warning, or info logs. The fix should be targeted at the logging operation where tainted data may be logged. In the current path, this specifically means altering the way error messages are constructed and logged in the populateVariable() method (in Variables.ts). Here, rather than include the actual value (which can be sensitive) in log messages, the code should refer only to variable names or use a placeholder indicating value omission.

So, in the relevant error message (when trying to populate a non-string value into a string), we should avoid logging the value of matchedString if it could ever be sensitive. Instead, only log that a variable reference failed without stating its value, or obscure the value (e.g., replace with [REDACTED]). Additionally, all logging in Output.warn() should be reviewed to reject or redact sensitive data if provided, but since we cannot change every use, it's best to sanitize error message construction.

Steps:

  • In Variables.ts, update the error message construction in populateVariable: do not log the actual value of variable substitutions; log only the variable name or a string like [REDACTED] as appropriate.
  • No changes are required in the Output.ts file, so logging methods remain unchanged.
  • No new dependencies are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
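As an added illustration of the redaction described above (example code, not the loader's own Variables.ts; `substituteEnv`, `leaksEnvValue`, `SubstitutionResult` and the sample environment are hypothetical, constructed names), the leaky message construction beside the hardened one, plus a check a test or log sink can run to confirm that no environment value reaches a log line:

```typescript
// Added example, not code from graphql-tools-prisma-loader: `substituteEnv`,
// `leaksEnvValue` and `sampleEnv` are hypothetical names for illustration.
interface SubstitutionResult {
  output: string;
  warnings: string[];
}

// Matches `${env:NAME}` references inside a configuration string.
const ENV_REF = /\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Resolve `${env:NAME}` references. A non-string value cannot be interpolated,
// so a warning is emitted; `redact` selects the hardened message (names only
// the variable) or the leaky one (embeds the value, as the scanner flagged).
function substituteEnv(
  template: string,
  env: Record<string, unknown>,
  redact = true,
): SubstitutionResult {
  const warnings: string[] = [];
  const output = template.replace(ENV_REF, (matched: string, name: string) => {
    const value = env[name];
    if (typeof value === 'string') return value;
    if (value === undefined) {
      warnings.push(`Environment variable ${name} is not set`);
      return matched; // leave the reference untouched
    }
    warnings.push(
      redact
        ? `Variable ${name} is not a string and cannot be populated into a string (value [REDACTED])`
        : `Variable ${name} cannot be populated into a string: ${JSON.stringify(value)}`,
    );
    return matched;
  });
  return { output, warnings };
}

// Guard for tests or a log sink: does any line contain the literal value
// (or JSON form) of a variable from `env`?
function leaksEnvValue(lines: string[], env: Record<string, unknown>): boolean {
  const secrets = Object.values(env)
    .map(v => (typeof v === 'string' ? v : JSON.stringify(v)))
    .filter(s => s.length > 0);
  return lines.some(line => secrets.some(s => line.includes(s)));
}

// Constructed sample environment: DB_TOKEN is a parsed object holding a
// credential, so it can never be dropped into a string.
const sampleEnv: Record<string, unknown> = {
  DB_HOST: 'db.internal',
  DB_TOKEN: { secret: 'hunter2' },
};
```

Running `leaksEnvValue` over collected warnings in a unit test turns the scanner's finding into a regression check: the redacted form passes, the original form fails.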

ardatan and others added 2 commits September 23, 2025 15:06
…nsitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@ardatan ardatan marked this pull request as ready for review September 23, 2025 12:08
@ardatan ardatan merged commit 31a6fbe into master Sep 23, 2025
@github-actions github-actions bot mentioned this pull request Sep 23, 2025
@github-actions

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package: @graphql-tools/prisma-loader
Version: 9.0.1-alpha-20250923120853-9b200bb414d0fe046042b4885e5901070659d00b
Info: npm, unpkg
