
docs(logging): add section about `debug.log`'s security & that private/secure information may exist there

Open · darcyclarke opened this issue 3 years ago · 1 comment

Summary

There's been some confusion about npm's responsibility/capabilities to sanitize npm-debug.log's especially since we've previously issued a CVE for this (ref. https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp) which was/is confusing - let's clarify that.

Exit Criteria

  • [ ] Clearly document that debug logs may contain sensitive information & should be treated as such in the Logging section

Example of Wording

In regards to sensitive/private information & security best practices:

Logs that are generated & stored by npm can & will contain any number of references to information that was output from a project's own source code, scripts, packages & third-party processes; this means that although npm will do a best-effort job at redacting information we believe to be sensitive & are aware of, it does not fully prevent other scripts from generating logs that may include potentially sensitive information or configuration (including npm configuration). In general, you should consider npm-debug.log files to be sensitive & review them before exfiltrating/sharing them to untrusted parties.

npm configuration is often stored in either a .npmrc or package.json file; meaning this information is readily available to any system process in which the logs will be stored. If users provide a registry configuration via command line flag, then that information is also readily available in memory where third-party packages may also be executing code. The only realistic mitigation tactic I can foresee is to thoroughly vet & ensure code living & executing on your system is trustworthy.

darcyclarke avatar Jan 29 '22 00:01 darcyclarke
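The proposed wording above recommends reviewing an npm-debug.log before sharing it. As an added example of that review step (this is not npm's own redaction code and not part of the issue), the script below scans a log for the credential shapes most likely to leak into it and redacts them, reporting which lines were touched so a human can still inspect them. The `_authToken`, `_auth` and `_password` keys are the real .npmrc auth keys and `npm_` is the real prefix of npm access tokens; the log lines themselves are constructed for this example and are not real npm output.

```javascript
// Added example, not npm's own code: scan an npm-debug.log for credential
// patterns and redact them before the file is shared with anyone else.
// The key names are the real .npmrc auth keys; the sample log is constructed.

const SECRET_PATTERNS = [
  {
    // .npmrc-style auth keys, e.g. "//registry.npmjs.org/:_authToken=..."
    name: 'npmrc-auth-key',
    re: /(\b_(?:authToken|auth|password)\s*=\s*)(\S+)/g,
    replace: (m) => `${m[1]}[REDACTED]`,
  },
  {
    // npm access tokens carry an "npm_" prefix
    name: 'npm-token',
    re: /\bnpm_[A-Za-z0-9]{10,}\b/g,
    replace: () => 'npm_[REDACTED]',
  },
  {
    // basic-auth credentials embedded in a registry URL
    name: 'url-credentials',
    re: /(https?:\/\/)([^\s/:@]+):([^\s/@]+)@/g,
    replace: (m) => `${m[1]}${m[2]}:[REDACTED]@`,
  },
];

// Redact one log line; returns the cleaned line and which pattern kinds fired.
// A replace callback is used instead of RegExp.test() so the global regexes
// never carry a stale lastIndex between lines.
function redactLine(line) {
  let out = line;
  const kinds = [];
  for (const { name, re, replace } of SECRET_PATTERNS) {
    let count = 0;
    out = out.replace(re, (...m) => { count += 1; return replace(m); });
    if (count > 0) kinds.push(name);
  }
  return { line: out, kinds };
}

// Redact a whole log; findings carry 1-based line numbers for manual review.
function redactLog(text) {
  const findings = [];
  const lines = text.split('\n').map((raw, i) => {
    const { line, kinds } = redactLine(raw);
    if (kinds.length > 0) findings.push({ line: i + 1, kinds });
    return line;
  });
  return { text: lines.join('\n'), findings };
}

// Constructed sample log (not real npm output).
const SAMPLE_LOG = [
  '0 verbose cli /usr/local/bin/node /usr/local/bin/npm',
  '1 info using npm@9.0.0',
  '2 verbose config //registry.npmjs.org/:_authToken=npm_abc123def456ghi789',
  '3 http fetch GET 401 https://deploy:s3cr3t@registry.example.test/pkg 120ms',
  '4 verbose env NODE_AUTH_TOKEN=npm_zyx987wvu654tsr321',
  '5 verbose stack Error: script failed',
].join('\n');

// Run directly (CommonJS) to print the redacted log and the findings list.
if (typeof require !== 'undefined' && require.main === module) {
  const { text, findings } = redactLog(SAMPLE_LOG);
  console.log(text);
  console.log(JSON.stringify(findings, null, 2));
}
```

The findings list is the important output: a pattern-based scrubber only catches shapes it knows about, which is the same limitation the issue describes for npm's own best-effort redaction, so the lines it flags are a starting point for a manual read, not a guarantee that the rest of the file is clean.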

If it's generating the log inside a project folder, it could be easily committed and/or published - perhaps if the log's not going to be sanitized, then it should be generated somewhere else?

ljharb avatar Jan 29 '22 01:01 ljharb

This is complete. And files are no longer written to a project directory.

lukekarrys avatar May 06 '24 23:05 lukekarrys