fix: correct password redaction

Avoids setting '***' at the start of urls witout passwords, avoids
hazard if a password is 'https:'.

Author: isaacs

check-response.js

@@ -32,9 +32,12 @@ function logRequest (method, res, startTime, opts) {
 
   let urlStr
   try {
-    const { URL } = require('url')
+    const URL = require('url').URL
     const url = new URL(res.url)
-    urlStr = res.url.replace(url.password, '***')
+    if (url.password) {
+      url.password = '***'
+    }
+    urlStr = url.toString()
   } catch (er) {
     urlStr = res.url
   }

package.json

@@ -13,7 +13,7 @@
   "scripts": {
     "prerelease": "npm t",
     "postrelease": "npm publish && git push --follow-tags",
-    "pretest": "standard",
+    "posttest": "standard",
     "release": "standard-version -s",
     "test": "tap -J --coverage test/*.js",
     "update-coc": "weallbehave -o . && git add CODE_OF_CONDUCT.md && git commit -m 'docs(coc): updated CODE_OF_CONDUCT.md'",