[BUG] Password in plain text when getting the proxy details from config through CLI #3867

@OutOfCoffeeError

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Whenever we set the proxy in our config through the CLI command
npm config set proxy "http://username:password@servername:port/"
it is stored in plain text in our config, so whenever we fire the following command
npm get proxy
sensitive information like the password is shown on the CLI, which I think is a security vulnerability.
The password is also stored in your local config file as plain text.

Expected Behavior

When npm get proxy is fired, the password should not be shown or should be encrypted. The password in your local npm config file should also be encrypted.

Steps To Reproduce

First, run the command to set up your proxy for npm:
npm config set proxy "http://domain\username:password@servername:port/"
Then run:
npm get proxy

Environment

  • OS: Windows
  • Node: 12.16.3
  • npm: 6.14.4
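
The behaviour reported above can be audited from the defender's side. The following is an added example, not part of the original issue and not npm's own code: it scans `.npmrc` text for `proxy` / `https-proxy` values that embed a password and returns them with the password masked. The function names, the sample config and the port `8080` are constructed for illustration.

```javascript
// Added example (not npm code): flag proxy URLs in .npmrc text that embed a password.
const PROXY_KEYS = new Set(['proxy', 'https-proxy']); // npm's proxy config keys

// Mask the password in scheme://user:password@host/... A manual split is used
// instead of `new URL()`: the WHATWG parser treats "\" as "/" in http URLs, so
// "domain\user:pass@host" is parsed with host "domain" and the password ends
// up in the path, where a URL-object-based redactor would miss it.
function redactUrl(value) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)([^\/?#]*)(.*)$/i.exec(value);
  if (!m) return { redacted: value, hasPassword: false };
  const [, scheme, authority, rest] = m;
  const at = authority.lastIndexOf('@'); // last "@": passwords may contain "@"
  if (at === -1) return { redacted: value, hasPassword: false };
  const userinfo = authority.slice(0, at);
  const colon = userinfo.indexOf(':');
  if (colon === -1 || colon === userinfo.length - 1) {
    return { redacted: value, hasPassword: false }; // user only, no password
  }
  const user = userinfo.slice(0, colon);
  return { redacted: `${scheme}${user}:***${authority.slice(at)}${rest}`, hasPassword: true };
}

// Return one finding per proxy setting that carries a plain-text password.
function auditNpmrc(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const trimmed = line.trim();
    if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith(';')) return;
    const eq = trimmed.indexOf('=');
    if (eq === -1) return;
    const key = trimmed.slice(0, eq).trim();
    if (!PROXY_KEYS.has(key)) return;
    const value = trimmed.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2');
    const { redacted, hasPassword } = redactUrl(value);
    if (hasPassword) findings.push({ line: i + 1, key, redacted });
  });
  return findings;
}

// Constructed sample config, using the URL shape from the steps to reproduce.
const SAMPLE = [
  '; constructed sample .npmrc',
  'registry=https://registry.npmjs.org/',
  'proxy=http://domain\\username:password@servername:8080/',
  'https-proxy=http://servername:8080/',
].join('\n');

console.log(auditNpmrc(SAMPLE));
```
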

Labels

  • Bug: thing that needs fixing
  • Release 6.x: work is associated with a specific npm 6 release
  • Security: security related
