fix: also hide sensitive info when loggin from cli.js

cli.js

@@ -1,4 +1,6 @@
-const {argv} = require('process');
+const {argv, env, stderr} = require('process');
+const util = require('util');
+const hideSensitive = require('./lib/hide-sensitive');
 
 const stringList = {
   type: 'string',
@@ -57,7 +59,7 @@ Usage:
     return 0;
   } catch (err) {
     if (err.name !== 'YError') {
-      console.error(err);
+      stderr.write(hideSensitive(env)(util.inspect(err, {colors: true})));
     }
     return 1;
   }

lib/hide-sensitive.js

@@ -7,7 +7,5 @@ module.exports = env => {
   );
 
   const regexp = new RegExp(toReplace.map(envVar => escapeRegExp(env[envVar])).join('|'), 'g');
-  return output => {
-    return output && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output;
-  };
+  return output => (output && toReplace.length > 0 ? output.toString().replace(regexp, SECRET_REPLACEMENT) : output);
 };

test/cli.test.js

@@ -1,6 +1,8 @@
 import test from 'ava';
+import {escapeRegExp} from 'lodash';
 import proxyquire from 'proxyquire';
 import {stub} from 'sinon';
+import {SECRET_REPLACEMENT} from '../lib/definitions/constants';
 
 const requireNoCache = proxyquire.noPreserveCache();
 
@@ -208,3 +210,15 @@ test.serial('Return error code if semantic-release throw error', async t => {
   t.regex(t.context.errors, /semantic-release error/);
   t.is(exitCode, 1);
 });
+
+test.serial('Hide sensitive environment variable values from the logs', async t => {
+  const env = {MY_TOKEN: 'secret token'};
+  const run = stub().rejects(new Error(`Throw error: Exposing token ${env.MY_TOKEN}`));
+  const argv = ['', ''];
+  const cli = requireNoCache('../cli', {'.': run, process: {...process, argv, env: {...process.env, ...env}}});
+
+  const exitCode = await cli();
+
+  t.regex(t.context.errors, new RegExp(`Throw error: Exposing token ${escapeRegExp(SECRET_REPLACEMENT)}`));
+  t.is(exitCode, 1);
+});