Pattern-based sanitization for sensitive data in objects and strings. Masks or removes fields matching configurable patterns, making data safe for logging or external exposure.
Works with both JavaScript and TypeScript — ships with compiled JS, TypeScript declarations, and source maps.
npm install data-sanitizationyarn add data-sanitizationimport { sanitizeData } from 'data-sanitization';
const input = {
username: 'mark',
password: 'super-secret',
api_key: 'sk_live_abc123',
};
const result = sanitizeData(input);
// => { username: 'mark', password: '**********', api_key: '**********' }Works with JSON strings and form-encoded strings:
sanitizeData('{"password":"secret","username":"mark"}');
// => '{"password":"**********","username":"mark"}'
sanitizeData('password=secret&username=mark');
// => 'password=**********&username=mark'sanitizeData(
{ password: 'secret', token: 'abc', username: 'mark' },
{ removeMatches: true },
);
// => { username: 'mark' }| Option | Type | Default | Description |
|---|---|---|---|
patternMask |
string |
********** |
String used to replace matched field values |
removeMatches |
boolean |
false |
Remove matched fields entirely instead of masking |
customPatterns |
string[] |
Additional field name patterns to match | |
customMatchers |
DataSanitizationMatcher[] |
Additional regex matchers for custom data formats | |
useDefaultPatterns |
boolean |
true |
Whether to include the built-in default patterns |
useDefaultMatchers |
boolean |
true |
Whether to include the built-in default matchers |
The following field name patterns are matched by default (case-insensitive, substring match):
apikeyapi_keypasswordsecrettoken
A field named db_password or client_secret_key would also match because
these patterns match as substrings.
Two matchers are included by default:
- JSON matcher — matches
"fieldName":"value"patterns in JSON and JSON-like strings - Form-encoded matcher — matches
fieldName=valueandfieldName:valuepatterns in URL-encoded and similarly delimited strings
import { sanitizeData } from 'data-sanitization';
// Add a custom pattern alongside defaults
sanitizeData(data, {
customPatterns: ['ssn', 'credit_card'],
});
// Use only custom patterns, no defaults
sanitizeData(data, {
customPatterns: ['ssn'],
useDefaultPatterns: false,
});
// Use a custom mask
sanitizeData(data, {
patternMask: '[REDACTED]',
});For custom data formats, provide a DataSanitizationMatcher — a function that
takes a pattern string and returns a global, case-insensitive RegExp. The
regex must use capture groups $1 and $2 to preserve the field name and
trailing delimiter while replacing the value.
sanitizeData throws a DataSanitizationError when:
- The input is not a
stringorobject(e.g.,number,boolean,undefined) - An unexpected error occurs during sanitization (e.g., malformed JSON that cannot be re-parsed)
import { sanitizeData } from 'data-sanitization';
import { DataSanitizationError } from 'data-sanitization/errors';
try {
sanitizeData(123 as any);
} catch (error) {
if (error instanceof DataSanitizationError) {
console.error(error.message); // 'Invalid data type'
console.error(error.details); // { originalData: 123 }
}
}- String input is sanitized directly via regex replacement.
- Object input is converted to a JSON string via
JSON.stringify, sanitized, then parsed back withJSON.parse. - Each configured pattern is tested against each matcher to produce regex instances that find and replace sensitive field values.
For development setup, testing, and release process, see docs/development.md.