brianc / node-postgres

PostgreSQL client for node.js.

Home Page: https://node-postgres.com

Add pg-password-util to wiki

sehrope opened this issue

Please add pg-password-util to the wiki: https://www.npmjs.com/package/pg-password-util

It's a standalone lib that handles encoding PostgreSQL passwords client-side so that CREATE USER ... / ALTER USER ... statements do not include the plaintext of passwords in your application logs. It includes TypeScript type declarations as well.

So it replaces SQL like this being sent to your DB:

ALTER USER app PASSWORD 'Super Duper Secret!'

With SQL like this:

ALTER USER app PASSWORD 'SCRAM-SHA-256$4096:M1A3zTFR9TzaX5NuvytilQ==$TZtMCtrZ8wkkZVkS7vursem77PsBqthl8GqkPohscJw=:POfEEJ9BOrm6upeAFKU3awWqMg+kKYXyPOG5E5tuhJc='

It defaults to using SCRAM-SHA-256 for the encoding but also supports md5 for older versions of PG. It also includes a helper to change a user's password using whatever the database says is the preferred encoding (i.e. SCRAM-SHA-256 for anything 10+ and md5 for anything older):

// client is a pg.Client
await alterUserPassword(client, {
    username: 'app',
    password: 'my-new-secret-password',
});
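
How a verifier string in the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` form shown in the issue above can be built and checked client-side, as an added example that is not part of the original issue and is not pg-password-util's code. The function names, the sample password and the fixed salt are constructed for illustration, and NFKC normalization stands in for full SASLprep.

```javascript
// Added example (not pg-password-util's code): PostgreSQL SCRAM-SHA-256 verifier, RFC 5802 key derivation.
const crypto = require('node:crypto');

const hmac = (key, msg) => crypto.createHmac('sha256', key).update(msg).digest();

// Derive StoredKey and ServerKey from password, salt and iteration count.
function deriveKeys(password, salt, iterations) {
  // Assumption: NFKC is only the normalization step of SASLprep; enough for typical passwords.
  const normalized = Buffer.from(password.normalize('NFKC'), 'utf8');
  const salted = crypto.pbkdf2Sync(normalized, salt, iterations, 32, 'sha256');
  const storedKey = crypto.createHash('sha256').update(hmac(salted, 'Client Key')).digest();
  return { storedKey, serverKey: hmac(salted, 'Server Key') };
}

// Build the string that goes into ALTER USER ... PASSWORD '...'; binary parts are base64.
// Leave `salt` at its default in real use so every verifier gets a fresh random salt.
function scramVerifier(password, salt = crypto.randomBytes(16), iterations = 4096) {
  const { storedKey, serverKey } = deriveKeys(password, salt, iterations);
  return `SCRAM-SHA-256$${iterations}:${salt.toString('base64')}$` +
    `${storedKey.toString('base64')}:${serverKey.toString('base64')}`;
}

// Parse a verifier and check a candidate password against it without knowing the original.
function verifyPassword(verifier, candidate) {
  const m = /^SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)$/.exec(verifier);
  if (!m) throw new Error('not a SCRAM-SHA-256 verifier');
  const got = deriveKeys(candidate, Buffer.from(m[2], 'base64'), Number(m[1]));
  const wantStored = Buffer.from(m[3], 'base64');
  const wantServer = Buffer.from(m[4], 'base64');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return wantStored.length === got.storedKey.length && wantServer.length === got.serverKey.length &&
    crypto.timingSafeEqual(got.storedKey, wantStored) && crypto.timingSafeEqual(got.serverKey, wantServer);
}

// Constructed sample input: fixed salt only so the printed statement is reproducible.
const sampleSalt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const sampleVerifier = scramVerifier('constructed-example-password', sampleSalt);
console.log(`ALTER USER app PASSWORD '${sampleVerifier}'`);
console.log('round-trip check:', verifyPassword(sampleVerifier, 'constructed-example-password'));
```

Because only the salt, iteration count and two derived keys are sent, a statement logger on the server or in the application records the verifier rather than the password itself.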