Thanks to Ben Nizette, I merged a PR which removes logging of sensitive data in the couch/cloudant package. The PR contained the following description below. I've gone ahead and merged it.
-r

https://github.com/apache/openwhisk-package-cloudant/pull/220

A standard pattern in this package is to print the contents of the Cloudant response to stdout through console.log before returning it into the runtime. This is redundant because OpenWhisk itself provides methods to record and view the data being passed between actions. It's also harmful for two reasons:

1. Unnecessary platform logging. The platform logs for our Cloudant instance are captured for compliance reasons. In our workload, we were literally paying twice as much for log file parsing as for our OpenWhisk processing, as the body of every database document was ending up in the logs (and some were quite big).

2. Security. The document bodies ending up in the logs meant that log file 'read' permissions were being effectively escalated to ersatz database 'read' permissions. In particular, our compliance team could, but shouldn't have been able to, view some customer data.

This PR removes all console.log and console.error with the exception of one (in common.js constructObject). Most of the removals were required to fix point 2 above though there were some that were pure simple debug output that could be left in, but were removed based on point 1. The one instance left was left because without it, there would have been an empty catch block and I'm not familiar enough with the code to understand the implications of that here!

I'm happy to revise the PR to reinstate some of the pure debug outputs if required.
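The logging pattern the PR description refers to, beside a return-only form, as an added example that is not code from the package or the PR. `fakeDb`, `readDocumentLogged`, `readDocument` and `captureLogs` are hypothetical names, the document is constructed sample data, and the status-only error in the catch block is one assumed way to avoid both an empty catch and a logged body.

```javascript
// Constructed stand-in for a Cloudant client; the document is sample data.
const fakeDb = {
  get: async (id) => {
    if (id === 'missing') throw Object.assign(new Error('not_found'), { statusCode: 404 });
    return { _id: id, name: 'Alice Example', email: 'alice@example.test' };
  },
};

// Pattern described in the PR: the response body is printed before it is
// returned, so every document read also lands in the platform logs.
async function readDocumentLogged(db, id) {
  try {
    const doc = await db.get(id);
    console.log('success', doc);
    return doc;
  } catch (err) {
    console.error('error', err);
    throw err;
  }
}

// Return-only form: the runtime already carries the result to the caller.
// On failure only a status code is surfaced (assumption, see lead-in).
async function readDocument(db, id) {
  try {
    return await db.get(id);
  } catch (err) {
    throw new Error(`read failed (status ${err.statusCode || 'unknown'})`);
  }
}

// Runs fn and returns everything it wrote through console.log/console.error.
async function captureLogs(fn) {
  const lines = [];
  const orig = { log: console.log, error: console.error };
  const record = (...args) => lines.push(args.map((a) => (typeof a === 'string' ? a : JSON.stringify(a))).join(' '));
  console.log = console.error = record;
  try {
    await fn();
  } catch (_) {
    // Failures are ignored here; only the captured log text matters.
  } finally {
    console.log = orig.log;
    console.error = orig.error;
  }
  return lines.join('\n');
}
```

A check like `captureLogs` can sit in a package's test suite so that a reintroduced `console.log` of a response body fails the build.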
