[Backport 8.11] 8.11.0 changelog (#2097) * Changelog for 8.11.0 * Add redaction docs link to changelog

.buildkite/pipeline.yml

@@ -6,14 +6,13 @@ steps:
     env:
       NODE_VERSION: "{{ matrix.nodejs }}"
       TEST_SUITE: "{{ matrix.suite }}"
-      STACK_VERSION: 8.8.0-SNAPSHOT
+      STACK_VERSION: 8.10.3-SNAPSHOT
     matrix:
       setup:
         suite:
           - "free"
           - "platinum"
         nodejs:
-          - "16"
           - "18"
           - "20"
     command: ./.buildkite/run-tests.sh

.ci/Dockerfile

@@ -1,4 +1,4 @@
-ARG NODE_JS_VERSION=18
+ARG NODE_JS_VERSION=${NODE_JS_VERSION:-18}
 FROM node:${NODE_JS_VERSION}
 
 ARG BUILDER_UID=1000
@@ -12,15 +12,19 @@ RUN apt-get clean -y && \
     apt-get install -y zip
 
 # Set user permissions and directory
-RUN groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP} \
-    && useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GROUP} -m elastic 1>/dev/null 2>/dev/null \
+RUN (id -g ${BUILDER_GID} || groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP}) \
+    && (id -u ${BUILDER_UID} || useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GID} -m elastic) \
     && mkdir -p /usr/src/elasticsearch-js \
-    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /usr/src/
+    && chown -R ${BUILDER_UID}:${BUILDER_GID} /usr/src/
+
 WORKDIR /usr/src/elasticsearch-js
-USER ${BUILDER_USER}:${BUILDER_GROUP}
 
-# Install app dependencies
-COPY --chown=$BUILDER_USER:$BUILDER_GROUP package*.json ./
-RUN npm install
+# run remainder of commands as non-root user
+USER ${BUILDER_UID}:${BUILDER_GID}
+
+# install dependencies
+COPY package.json .
+RUN npm install --production=false
 
-COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
+# copy project files
+COPY . .

.ci/make.mjs

@@ -28,6 +28,11 @@ import assert from 'assert'
 import { join } from 'desm'
 import semver from 'semver'
 
+// xz/globals loads minimist-parsed args as a global `argv`, but it
+// interprets args like '8.10' as numbers and shortens them to '8.1'.
+// so we have to import and configure minimist ourselves.
+import minimist from 'minimist'
+const argv = minimist(process.argv.slice(2), { string: ['_', 'task'] })
 assert(typeof argv.task === 'string', 'Missing task parameter')
 
 switch (argv.task) {
@@ -86,10 +91,10 @@ async function bump (args) {
     'utf8'
   )
 
-  const pipeline = await readFile(join(import.meta.url, '..', '.buildkite', 'pipeline.yml'))
+  const pipeline = await readFile(join(import.meta.url, '..', '.buildkite', 'pipeline.yml'), 'utf8')
   await writeFile(
     join(import.meta.url, '..', '.buildkite', 'pipeline.yml'),
-    pipeline.replace(/STACK_VERSION: [0-9]+[0-9\.]*[0-9](?:\-SNAPSHOT)?/, `STACK_VERSION: ${cleanVersion}-SNAPSHOT`), // eslint-disable-line
+    pipeline.replace(/STACK_VERSION: [0-9]+[0-9\.]*[0-9](?:\-SNAPSHOT)?/, `STACK_VERSION: ${cleanVersion}-SNAPSHOT`),
     'utf8'
   )
 }

.ci/make.sh

@@ -144,19 +144,35 @@ docker build \
 
 echo -e "\033[34;1mINFO: running $product container\033[0m"
 
-docker run \
-  --volume "$repo:/usr/src/elasticsearch-js" \
-  --volume /usr/src/elasticsearch-js/node_modules \
-  -u "$(id -u):$(id -g)" \
-  --env "WORKFLOW=$WORKFLOW" \
-  --name make-elasticsearch-js \
-  --rm \
-  $product \
-  /bin/bash -c "cd /usr/src && \
-    git clone https://[email protected]/elastic/elastic-client-generator-js.git && \
-    mkdir -p /usr/src/elastic-client-generator-js/output && \
-    cd /usr/src/elasticsearch-js && \
-    node .ci/make.mjs --task $TASK ${TASK_ARGS[*]}"
+if [[ -z "${BUILDKITE+x}" ]] && [[ -z "${CI+x}" ]] && [[ -z "${GITHUB_ACTIONS+x}" ]]; then
+  echo -e "\033[34;1mINFO: Running in local mode"
+  docker run \
+    -u "$(id -u):$(id -g)" \
+    --volume "$repo:/usr/src/elasticsearch-js" \
+    --volume /usr/src/elasticsearch-js/node_modules \
+    --volume "$(realpath $repo/../elastic-client-generator-js):/usr/src/elastic-client-generator-js" \
+    --env "WORKFLOW=$WORKFLOW" \
+    --name make-elasticsearch-js \
+    --rm \
+    $product \
+    /bin/bash -c "mkdir -p /usr/src/elastic-client-generator-js/output && \
+      node .ci/make.mjs --task $TASK ${TASK_ARGS[*]}"
+else
+  echo -e "\033[34;1mINFO: Running in CI mode"
+  docker run \
+    --volume "$repo:/usr/src/elasticsearch-js" \
+    --volume /usr/src/elasticsearch-js/node_modules \
+    -u "$(id -u):$(id -g)" \
+    --env "WORKFLOW=$WORKFLOW" \
+    --name make-elasticsearch-js \
+    --rm \
+    $product \
+    /bin/bash -c "cd /usr/src && \
+      git clone https://[email protected]/elastic/elastic-client-generator-js.git && \
+      mkdir -p /usr/src/elastic-client-generator-js/output && \
+      cd /usr/src/elasticsearch-js && \
+      node .ci/make.mjs --task $TASK ${TASK_ARGS[*]}"
+fi
 
 # ------------------------------------------------------- #
 # Post Command tasks & checks

.github/workflows/backport.yml

@@ -1,16 +1,27 @@
+---
 name: Backport
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - labeled
 
 jobs:
   backport:
-    runs-on: ubuntu-latest
     name: Backport
+    runs-on: ubuntu-latest
+    # Only react to merged PRs for security reasons.
+    # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target.
+    if: >
+      github.event.pull_request.merged
+      && (
+        github.event.action == 'closed'
+        || (
+          github.event.action == 'labeled'
+          && contains(github.event.label.name, 'backport')
+        )
+      )
     steps:
-      - name: Backport
-        uses: tibdex/backport@7005ef85c4562bc23b0e9b4a9940d5922f439750
+      - uses: tibdex/backport@9565281eda0731b1d20c4025c43339fb0a23812e  # v2.0.4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/nodejs.yml

@@ -1,21 +1,40 @@
 ---
 name: Node CI
 
-on: [push, pull_request]
+on:
+  pull_request: {}
 
 jobs:
+  paths-filter:
+    name: Detect files changed
+    runs-on: ubuntu-latest
+    outputs:
+      src-only: '${{ steps.changes.outputs.src-only }}'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dorny/paths-filter/@v2.11.1
+        id: changes
+        with:
+          filters: |
+            src-only:
+              - '!(**/*.{md,asciidoc,txt}|*.{md,asciidoc,txt}|{docs,.ci,.buildkite,scripts}/**/*|catalog-info.yaml)'
+              - '.github/workflows/**'
+
   test:
     name: Test
     runs-on: ${{ matrix.os }}
+    needs: paths-filter
+    # only run if code relevant to unit tests was changed
+    if: needs.paths-filter.outputs.src-only == 'true'
 
     strategy:
       fail-fast: false
       matrix:
-        node-version: [14.x, 16.x, 18.x, 20.x]
+        node-version: [18.x, 20.x]
         os: [ubuntu-latest, windows-latest, macOS-latest]
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3

.github/workflows/stale.yml

@@ -0,0 +1,21 @@
+---
+name: 'Close stale issues and PRs'
+on:
+  schedule:
+    - cron: '30 1 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v8
+        with:
+          stale-issue-label: stale
+          stale-pr-label: stale
+          days-before-stale: 90
+          days-before-close: 14
+          exempt-issue-labels: 'good first issue'
+          close-issue-label: closed-stale
+          close-pr-label: closed-stale
+          stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. Remove the `stale` label, or leave a comment, or this will be closed in 14 days.'
+          stale-pr-message: 'This pull request is stale because it has been open 90 days with no activity. Remove the `stale` label, or leave a comment, or this will be closed in 14 days.'

README.md

@@ -4,6 +4,11 @@
 
 [![js-standard-style](https://img.shields.io/badge/code%20style-standard-brightgreen.svg?style=flat)](http://standardjs.com/)  [![Build Status](https://badge.buildkite.com/15e4246eb268ea78f6e10aa90bce38c1abb0a4489e79f5a0ac.svg)](https://buildkite.com/elastic/elasticsearch-javascript-client-integration-tests/builds?branch=main)  [![Node CI](https://github.com/elastic/elasticsearch-js/actions/workflows/nodejs.yml/badge.svg)](https://github.com/elastic/elasticsearch-js/actions/workflows/nodejs.yml)  [![codecov](https://codecov.io/gh/elastic/elasticsearch-js/branch/master/graph/badge.svg)](https://codecov.io/gh/elastic/elasticsearch-js)  [![NPM downloads](https://img.shields.io/npm/dm/@elastic/elasticsearch.svg?style=flat)](https://www.npmjs.com/package/@elastic/elasticsearch)
 
+**[Download the latest version of Elasticsearch](https://www.elastic.co/downloads/elasticsearch)**
+or
+**[sign-up](https://cloud.elastic.co/registration?elektra=en-ess-sign-up-page)**
+**for a free trial of Elastic Cloud**.
+
 The official Node.js client for Elasticsearch.
 
 ## Installation
@@ -28,7 +33,7 @@ of the getting started documentation.
 
 ### Node.js support
 
-NOTE: The minimum supported version of Node.js is `v14`.
+NOTE: The minimum supported version of Node.js is `v18`.
 
 The client versioning follows the Elastic Stack versioning, this means that
 major, minor, and patch releases are done following a precise schedule that
@@ -53,6 +58,7 @@ of `^7.10.0`).
 | `10.x`          | `April 2021`     | `7.12` (mid 2021)      |
 | `12.x`          | `April 2022`     | `8.2` (early 2022)     |
 | `14.x`          | `April 2023`     | `8.8` (early 2023)     |
+| `16.x`          | `September 2023` | `8.11` (late 2023)     |
 
 ### Compatibility
 

docs/advanced-config.asciidoc

@@ -91,6 +91,95 @@ const client = new Client({
 })
 ----
 
+[discrete]
+[[redaction]]
+==== Redaction of potentially sensitive data
+
+When the client raises an `Error` that originated at the HTTP layer, like a `ConnectionError` or `TimeoutError`, a `meta` object is often attached to the error object that includes metadata useful for debugging, like request and response information. Because this can include potentially sensitive data, like authentication secrets in an `Authorization` header, the client takes measures to redact common sources of sensitive data when this metadata is attached and serialized.
+
+If your configuration requires extra headers or other configurations that may include sensitive data, you may want to adjust these settings to account for that.
+
+By default, the `redaction` option is set to `{ type: 'replace' }`, which recursively searches for sensitive key names, case insensitive, and replaces their values with the string `[redacted]`.
+
+[source,js]
+----
+const { Client } = require('@elastic/elasticsearch')
+
+const client = new Client({
+  cloud: { id: '<cloud-id>' },
+  auth: { apiKey: 'base64EncodedKey' },
+})
+
+try {
+  await client.indices.create({ index: 'my_index' })
+} catch (err) {
+  console.log(err.meta.meta.request.options.headers.authorization) // prints "[redacted]"
+}
+----
+
+If you would like to redact additional properties, you can include additional key names to search and replace:
+
+[source,js]
+----
+const { Client } = require('@elastic/elasticsearch')
+
+const client = new Client({
+  cloud: { id: '<cloud-id>' },
+  auth: { apiKey: 'base64EncodedKey' },
+  headers: { 'X-My-Secret-Password': 'shhh it's a secret!' },
+  redaction: {
+    type: "replace",
+    additionalKeys: ["x-my-secret-password"]
+  }
+})
+
+try {
+  await client.indices.create({ index: 'my_index' })
+} catch (err) {
+  console.log(err.meta.meta.request.options.headers['X-My-Secret-Password']) // prints "[redacted]"
+}
+----
+
+Alternatively, if you know you're not going to use the metadata at all, setting the redaction type to `remove` will remove all optional sources of potentially sensitive data entirely, or replacing them with `null` for required properties.
+
+[source,js]
+----
+const { Client } = require('@elastic/elasticsearch')
+
+const client = new Client({
+  cloud: { id: '<cloud-id>' },
+  auth: { apiKey: 'base64EncodedKey' },
+  redaction: { type: "remove" }
+})
+
+try {
+  await client.indices.create({ index: 'my_index' })
+} catch (err) {
+  console.log(err.meta.meta.request.options.headers) // undefined
+}
+----
+
+Finally, if you prefer to turn off redaction altogether, perhaps while debugging on a local developer environment, you can set the redaction type to `off`. This will revert the client to pre-8.11.0 behavior, where basic redaction is only performed during common serialization methods like `console.log` and `JSON.stringify`.
+
+WARNING: Setting `redaction.type` to `off` is not recommended in production environments.
+
+[source,js]
+----
+const { Client } = require('@elastic/elasticsearch')
+
+const client = new Client({
+  cloud: { id: '<cloud-id>' },
+  auth: { apiKey: 'base64EncodedKey' },
+  redaction: { type: "off" }
+})
+
+try {
+  await client.indices.create({ index: 'my_index' })
+} catch (err) {
+  console.log(err.meta.meta.request.options.headers.authorization) // the actual header value will be logged
+}
+----
+
 [discrete]
 ==== Migrate to v8
 

docs/changelog.asciidoc

@@ -1,6 +1,25 @@
 [[changelog-client]]
 == Release notes
 
+[discrete]
+=== 8.11.0
+
+[discrete]
+=== Features
+
+[discrete]
+===== Support for Elasticsearch `v8.11.0`
+
+You can find all the API changes
+https://www.elastic.co/guide/en/elasticsearch/reference/8.11/release-notes-8.11.0.html[here].
+
+[discrete]
+===== Enhanced support for redacting potentially sensitive data https://github.com/elastic/elasticsearch-js/pull/2095[#2095]
+
+`@elastic/transport` https://github.com/elastic/elastic-transport-js/releases/tag/v8.4.0[version 8.4.0] introduces enhanced measures for ensuring that request metadata attached to some `Error` objects is redacted. This functionality is primarily to address custom logging solutions that don't use common serialization methods like `JSON.stringify`, `console.log`, or `util.inspect`, which were already accounted for.
+
+See <<redaction>> for more information.
+
 [discrete]
 === 8.10.0