mongodb-js · gagik · Nov 20, 2025 · Nov 18, 2025 · Nov 19, 2025 · Nov 19, 2025
@@ -87,30 +87,31 @@
     "js-yaml": "^4.1.0",
     "mongodb-connection-string-url": "^3.0.2",
     "mongodb-log-writer": "^2.4.3",
+    "mongodb-redact": "^1.3.0",
     "numeral": "^2.0.6",
     "pretty-repl": "^4.0.1",
     "semver": "^7.5.4",
     "strip-ansi": "^6.0.0",
     "text-table": "^0.2.0",
-    "yargs-parser": "^20.2.4",
-    "glibc-version": "^1.0.0"
+    "glibc-version": "^1.0.0",
+    "yargs-parser": "^20.2.4"
   },
   "devDependencies": {
-    "mongodb": "^6.19.0",
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/sbom-tools": "^0.8.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@types/ansi-escape-sequences": "^4.0.0",
+    "@types/chai-as-promised": "^7.1.3",
     "@types/js-yaml": "^4.0.5",
     "@types/node": "^22.15.30",
     "@types/numeral": "^2.0.2",
     "@types/text-table": "^0.2.1",
     "@types/yargs-parser": "^15.0.0",
-    "@types/chai-as-promised": "^7.1.3",
     "chai-as-promised": "^7.1.1",
     "depcheck": "^1.4.7",
     "eslint": "^7.25.0",
+    "mongodb": "^6.19.0",
     "mongodb-crypt-library-dummy": "^1.0.2",
     "prettier": "^2.8.8",
     "webpack-merge": "^5.8.0"

@@ -3,15 +3,14 @@ import {
   MongoshRuntimeError,
   MongoshWarning,
 } from '@mongosh/errors';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString, redact } from 'mongodb-redact';
 import i18n from '@mongosh/i18n';
 import type { AutoEncryptionOptions } from '@mongosh/service-provider-core';
 import { EJSON, ObjectId } from 'bson';
 import { NodeDriverServiceProvider } from '@mongosh/service-provider-node-driver';
 import type { CliOptions, DevtoolsConnectOptions } from '@mongosh/arg-parser';
 import { SnippetManager } from '@mongosh/snippet-manager';
 import { Editor } from '@mongosh/editor';
-import { redactSensitiveData } from '@mongosh/history';
 import type { Analytics as SegmentAnalytics } from '@segment/analytics-node';
 import askpassword from 'askpassword';
 import { EventEmitter, once } from 'events';
@@ -306,7 +305,7 @@ export class CliRepl implements MongoshIOProvider {
       'Starting log',
       {
         execPath: process.execPath,
-        envInfo: redactSensitiveData(this.getLoggedEnvironmentVariables()),
+        envInfo: redact(this.getLoggedEnvironmentVariables()),
         ...(await buildInfo()),
       }
     );
@@ -905,7 +904,7 @@ export class CliRepl implements MongoshIOProvider {
       this.output.write(
         i18n.__(CONNECTING) +
           '\t\t' +
-          this.clr(redactURICredentials(driverUri), 'mongosh:uri') +
+          this.clr(redactConnectionString(driverUri), 'mongosh:uri') +
           '\n'
       );
     }

@@ -23,7 +23,7 @@ import { getStoragePaths, getGlobalConfigPaths } from './config-directory';
 import { getCryptLibraryPaths } from './crypt-library-paths';
 import { getTlsCertificateSelector } from './tls-certificate-selector';
 import { applyPacProxyS390XPatch } from './pac-proxy-s390x-patch';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString } from 'mongodb-redact';
 import { generateConnectionInfoFromCliArgs } from '@mongosh/arg-parser';
 import askcharacter from 'askcharacter';
 import { PassThrough } from 'stream';
@@ -218,7 +218,7 @@ async function main() {
       driverInfo: { name: 'mongosh', version },
     };
 
-    const title = `mongosh ${redactURICredentials(
+    const title = `mongosh ${redactConnectionString(
       connectionInfo.connectionString
     )}`;
     process.title = title;

@@ -1,7 +1,7 @@
 import assert from 'assert';
 import { promises as fs } from 'fs';
 import { once } from 'events';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString } from 'mongodb-redact';
 import fleSmokeTestScript from './smoke-tests-fle';
 import { baseBuildInfo, buildInfo } from './build-info';
 import escapeRegexp from 'escape-string-regexp';
@@ -469,7 +469,7 @@ async function runSmokeTest({
     stderr: includeStderr ? stderr : '',
     executable,
     actualExitCode,
-    args: args.map((arg) => redactURICredentials(arg)),
+    args: args.map((arg) => redactConnectionString(arg)),
   };
   try {
     assert.match(includeStderr ? `${stdout}\n${stderr}` : stdout, output);

@@ -35,16 +35,14 @@
     "unitTestsOnly": true
   },
   "dependencies": {
-    "mongodb-connection-string-url": "^3.0.2",
-    "mongodb-redact": "^1.1.5"
+    "mongodb-redact": "^1.3.0"
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "depcheck": "^1.4.7",
     "eslint": "^7.25.0",
-    "mongodb-connection-string-url": "^3.0.2",
     "prettier": "^2.8.8"
   }
 }
@@ -1,6 +1,4 @@
-import redactSensitiveData from 'mongodb-redact';
-
-export const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUserPassword|connect|Mongo)\b`;
+import { shouldRedactCommand, redact } from 'mongodb-redact';
 
 /**
  * Modifies the most recent command in history based on sensitive information.
@@ -11,16 +9,13 @@ export const HIDDEN_COMMANDS = String.raw`\b(createUser|auth|updateUser|changeUs
  */
 export function changeHistory(
   history: string[],
-  redact: 'redact-sensitive-data' | 'keep-sensitive-data'
+  redactMode: 'redact-sensitive-data' | 'keep-sensitive-data'
 ): void {
   if (history.length === 0) return;
-  const hiddenCommands = new RegExp(HIDDEN_COMMANDS, 'g');
 
-  if (hiddenCommands.test(history[0])) {
+  if (shouldRedactCommand(history[0])) {
 if (this.redactHistory !== 'keep') { 
   const history: string[] = (repl as any).history; 
   changeHistory( 
     history, 
     this.redactHistory === 'remove-redact' 
       ? 'redact-sensitive-data' 
       : 'keep-sensitive-data' 
   ); 
 } 
 if (this.redactHistory !== 'keep') { 
   const history: string[] = (repl as any).history; 
   changeHistory( 
     history, 
     this.redactHistory === 'remove-redact' 
       ? 'redact-sensitive-data' 
       : 'keep-sensitive-data' 
   ); 
 } 
     history.shift();
-  } else if (redact === 'redact-sensitive-data') {
-    history[0] = redactSensitiveData(history[0]);
+  } else if (redactMode === 'redact-sensitive-data') {
+    history[0] = redact(history[0]);
   }
 }
-
-export { redactSensitiveData };
@@ -1,2 +1 @@
-export { changeHistory, redactSensitiveData, HIDDEN_COMMANDS } from './history';
-export { redactConnectionString as redactURICredentials } from 'mongodb-connection-string-url';
+export { changeHistory } from './history';
@@ -20,10 +20,9 @@
     "@mongodb-js/device-id": "^0.2.1",
     "@mongodb-js/devtools-connect": "^3.9.4",
     "@mongosh/errors": "2.4.4",
-    "@mongosh/history": "2.4.9",
     "@mongosh/types": "^3.14.0",
     "mongodb-log-writer": "^2.4.3",
-    "mongodb-redact": "^1.1.5",
+    "mongodb-redact": "^1.3.0",
     "native-machine-id": "^0.1.1"
   },
   "devDependencies": {

@@ -1132,6 +1132,54 @@ describe('MongoshLoggingAndTelemetry', function () {
     expect(analyticsOutput).to.be.empty;
   });
 
+  it('redacts logging of sensitive commands', async function () {
+    loggingAndTelemetry.attachLogger(logger);
+    await (loggingAndTelemetry as LoggingAndTelemetry).setupTelemetryPromise;
+
+    expect(logOutput).to.have.lengthOf(0);
+
+    // Test that sensitive commands are redacted
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.createUser({user: "admin", pwd: "password", roles: []})',
+    });
+    bus.emit('mongosh:evaluate-input', { input: 'db.auth("user", "pass")' });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.updateUser("user", {pwd: "newpass"})',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'db.changeUserPassword("user", "newpass")',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'connect("mongodb://user:pass@localhost/")',
+    });
+    bus.emit('mongosh:evaluate-input', {
+      input: 'new Mongo("mongodb://user:pass@localhost/")',
+    });
+
+    // Test that non-sensitive commands are still logged
+    bus.emit('mongosh:evaluate-input', { input: 'db.getUsers()' });
+    bus.emit('mongosh:evaluate-input', { input: 'show dbs' });
+
+    // Should only have logged the non-sensitive commands
+    expect(logOutput).to.have.lengthOf(8);
+    expect(logOutput[0].msg).to.equal('Evaluating input');
+    expect(logOutput[0].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[1].msg).to.equal('Evaluating input');
+    expect(logOutput[1].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[2].msg).to.equal('Evaluating input');
+    expect(logOutput[2].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[3].msg).to.equal('Evaluating input');
+    expect(logOutput[3].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[4].msg).to.equal('Evaluating input');
+    expect(logOutput[4].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[5].msg).to.equal('Evaluating input');
+    expect(logOutput[5].attr.input).to.equal('<sensitive command used>');
+    expect(logOutput[6].msg).to.equal('Evaluating input');
+    expect(logOutput[6].attr.input).to.equal('db.getUsers()');
+    expect(logOutput[7].msg).to.equal('Evaluating input');
+    expect(logOutput[7].attr.input).to.equal('show dbs');
+  });
+
   it('tracks custom logging events', async function () {
     expect(logOutput).to.have.lengthOf(0);
     expect(analyticsOutput).to.be.empty;

@@ -1,5 +1,8 @@
-import redactInfo from 'mongodb-redact';
-import { redactURICredentials } from '@mongosh/history';
+import {
+  redact,
+  redactConnectionString,
+  shouldRedactCommand,
+} from 'mongodb-redact';
 import type {
   MongoshBus,
   ApiEventWithArguments,
@@ -326,7 +329,7 @@ export class LoggingAndTelemetry implements MongoshLoggingAndTelemetry {
 
     onBus('mongosh:connect', (args: ConnectEvent) => {
       const { uri, resolved_hostname, ...argsWithoutUriAndHostname } = args;
-      const connectionUri = uri && redactURICredentials(uri);
+      const connectionUri = uri && redactConnectionString(uri);
       const atlasHostname = {
         atlas_hostname: args.is_atlas ? resolved_hostname : null,
       };
@@ -460,6 +463,17 @@ export class LoggingAndTelemetry implements MongoshLoggingAndTelemetry {
     });
 
     onBus('mongosh:evaluate-input', (args: EvaluateInputEvent) => {
+      if (shouldRedactCommand(args.input)) {
+        this.log.info(
+          'MONGOSH',
+          mongoLogId(1_000_000_007),
+          'repl',
+          'Evaluating input',
+          { input: '<sensitive command used>' }
+        );
+        return;
+      }
+
       this.log.info(
         'MONGOSH',
         mongoLogId(1_000_000_007),
@@ -523,7 +537,7 @@ export class LoggingAndTelemetry implements MongoshLoggingAndTelemetry {
         mongoLogId(1_000_000_011),
         'shell-api',
         'Performed API call',
-        redactInfo(arg)
+        redact(arg)
       );
     });
 
@@ -848,7 +862,7 @@ export class LoggingAndTelemetry implements MongoshLoggingAndTelemetry {
           mongoLogId(1_000_000_047),
           'editor',
           'Open external editor',
-          redactInfo(ev)
+          redact(ev)
         );
       }
     );
@@ -932,7 +946,7 @@ export class LoggingAndTelemetry implements MongoshLoggingAndTelemetry {
         },
       },
       'mongosh',
-      (uri) => redactURICredentials(uri)
+      (uri) => redactConnectionString(uri)
     );
   }
 }
@@ -54,12 +54,11 @@
     "@babel/core": "^7.26.10",
     "@babel/types": "^7.26.10",
     "@mongosh/arg-parser": "^3.22.0",
-    "@mongosh/shell-bson": "1.0.4",
     "@mongosh/errors": "2.4.4",
-    "@mongosh/history": "2.4.9",
     "@mongosh/i18n": "^2.19.0",
     "@mongosh/service-provider-core": "3.6.3",
-    "mongodb-redact": "^1.1.5",
+    "@mongosh/shell-bson": "1.0.4",
+    "mongodb-redact": "^1.3.0",
     "mongodb-schema": "^12.6.2"
   },
   "devDependencies": {

@@ -92,11 +92,11 @@ import {
   MongoshInternalError,
 } from '@mongosh/errors';
 import Bulk from './bulk';
-import { HIDDEN_COMMANDS } from '@mongosh/history';
 import PlanCache from './plan-cache';
 import ChangeStreamCursor from './change-stream-cursor';
 import { ShellApiErrors } from './error-codes';
 import type { MQLDocument, MQLQuery, MQLPipeline } from './mql-types';
+import { shouldRedactCommand } from 'mongodb-redact';
 
 export type CollectionWithSchema<
   M extends GenericServerSideSchema = GenericServerSideSchema,
@@ -1625,8 +1625,7 @@ export class Collection<
       }
     }
 
-    const hiddenCommands = new RegExp(HIDDEN_COMMANDS);
-    if (typeof commandName === 'string' && !hiddenCommands.test(commandName)) {
+    if (typeof commandName === 'string' && !shouldRedactCommand(commandName)) {
       this._emitCollectionApiCall('runCommand', { commandName });
     }
     const cmd =

@@ -50,7 +50,7 @@ import {
   MongoshUnimplementedError,
   MongoshInternalError,
 } from '@mongosh/errors';
-import { HIDDEN_COMMANDS } from '@mongosh/history';
+import { shouldRedactCommand } from 'mongodb-redact';
 import type Session from './session';
 import ChangeStreamCursor from './change-stream-cursor';
 import { ShellApiErrors } from './error-codes';
@@ -401,8 +401,7 @@ export class Database<
     }
 
     try {
-      const hiddenCommands = new RegExp(HIDDEN_COMMANDS);
-      if (!Object.keys(cmd).some((k) => hiddenCommands.test(k))) {
+      if (!Object.keys(cmd).some((k) => shouldRedactCommand(k))) {
         this._emitDatabaseApiCall('runCommand', { cmd, options });
       }
       return await this._runCommand(cmd, options);
@@ -435,8 +434,7 @@ export class Database<
       cmd = { [cmd]: 1 };
     }
 
-    const hiddenCommands = new RegExp(HIDDEN_COMMANDS);
-    if (!Object.keys(cmd).some((k) => hiddenCommands.test(k))) {
+    if (!Object.keys(cmd).some((k) => shouldRedactCommand(k))) {
       this._emitDatabaseApiCall('adminCommand', { cmd });
     }
     return await this._runAdminCommand(cmd, {});

@@ -24,7 +24,7 @@ import Cursor from './cursor';
 import type { DeleteResult } from './result';
 import { assertArgsDefinedType, assertKeysDefined } from './helpers';
 import { asPrintable } from './enums';
-import { redactURICredentials } from '@mongosh/history';
+import { redactConnectionString } from 'mongodb-redact';
 import type Mongo from './mongo';
 import {
   CommonErrors,
@@ -111,7 +111,7 @@ export class ClientEncryption extends ShellApiWithMongoClass {
   }
 
   [asPrintable](): string {
-    return `ClientEncryption class for ${redactURICredentials(
+    return `ClientEncryption class for ${redactConnectionString(
       this._mongo._uri
     )}`;
   }
@@ -280,7 +280,7 @@ export class KeyVault extends ShellApiWithMongoClass {
   }
 
   [asPrintable](): string {
-    return `KeyVault class for ${redactURICredentials(this._mongo._uri)}`;
+    return `KeyVault class for ${redactConnectionString(this._mongo._uri)}`;
   }
 
   createKey(kms: 'local', keyAltNames?: string[]): Promise<BinaryType>;