Jenkins NodeJS Plugin 1.6.0 and previous versions does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
jenkins nodejs
Vulmon