(.*)@ is used to match the text up until the first occurrence of @ instead of the non-greedy (.*?)@. Seems reminiscent of the recent LastPass vulnerability (e.g. https://foo:bar@host/foo/bar/@quux), though I can't see any way to exploit it beyond potentially hiding URL contents in logs. Was going to file, but figured I should pop in here first to see if I'm missing something.
const nano = require('nano')('http://db:5984/');
const nano = require('nano')('http://127.0.0.1:5984/');