GHSA-qcr8-x557-7cp3MediumDisclosed before NVD

@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state

Published
July 2, 2026
Last Modified
July 2, 2026

📋 Description

Finding

Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71

Several console.warn calls are not gated behind __DEV__ and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.

Status

Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.

Recommendation

Gate all development-time console.warn and console.error calls behind process.env.NODE_ENV !== 'production' or a __DEV__ constant that build tools can tree-shake.

🎯 Affected products1

  • npm/@asymmetric-effort/specifyjs:<= 0.2.137

🔗 References (3)