GHSA-qcr8-x557-7cp3MediumDisclosed before NVD
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
📋 Description
Finding
Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71
Several console.warn calls are not gated behind __DEV__ and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.
Status
Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.
Recommendation
Gate all development-time console.warn and console.error calls behind process.env.NODE_ENV !== 'production' or a __DEV__ constant that build tools can tree-shake.
🎯 Affected products1
- npm/@asymmetric-effort/specifyjs:<= 0.2.137