MEDIUM

GHSA-qcr8-x557-7cp3

@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state

Details

## Finding

**Location**: `core/src/core/scheduler.ts:23`, `core/src/hooks/dispatcher.ts:100`, `core/src/client/graphql.ts:71`

Several `console.warn` calls are not gated behind `__DEV__` and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.

## Status

**Open** — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.

## Recommendation

Gate all development-time `console.warn` and `console.error` calls behind `process.env.NODE_ENV !== 'production'` or a `__DEV__` constant that build tools can tree-shake.
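One way to check a code base against this recommendation, as an added example that is not part of the advisory or the project's own code: a line-based heuristic that flags `console.warn` and `console.error` calls sitting outside a `__DEV__` or `NODE_ENV` guard. The helper name `findUngatedConsoleCalls` and the sample source are constructed for illustration.

```javascript
// Added example: heuristic, line-based check (not a full parser).
// Guard forms recognised: __DEV__ (not negated) and NODE_ENV !== 'production'.
const GUARD = /(?<!!)__DEV__|process\.env\.NODE_ENV\s*!==?\s*['"]production['"]/;
const CALL = /console\.(warn|error)\s*\(/;

// Hypothetical helper: returns [{ line, call }] for each ungated call.
function findUngatedConsoleCalls(source) {
  const findings = [];
  const stack = []; // one entry per open "{": true if opened by a guarded `if`
  source.split('\n').forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ''); // drop line comments
    const guardedIf = /\bif\s*\(/.test(code) && GUARD.test(code);
    const inGuard = stack.includes(true);
    const m = CALL.exec(code);
    // A guard earlier on the same line covers `__DEV__ && console.warn(...)`.
    if (m && !inGuard && !GUARD.test(code.slice(0, m.index))) {
      findings.push({ line: i + 1, call: `console.${m[1]}` });
    }
    for (const ch of code) {
      if (ch === '{') stack.push(guardedIf);
      else if (ch === '}') stack.pop();
    }
  });
  return findings;
}

// Constructed sample source, not taken from the specifyjs repository.
const SAMPLE = [
  "function flush(queue) {",
  "  console.warn('queue size', queue.length);",
  "  if (__DEV__) {",
  "    console.warn('flushing', queue.length);",
  "  }",
  "  process.env.NODE_ENV !== 'production' && console.error('slow flush');",
  "  if (queue.length > 100) {",
  "    console.error('overflow');",
  "  }",
  "}",
].join('\n');

console.log(findUngatedConsoleCalls(SAMPLE));
```

Because it tracks braces per line, braces inside string literals or block comments can confuse it; treat findings as review candidates, not as a build gate.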

Affected packages

npm / @asymmetric-effort/specifyjs
Introduced in: 0
Fixed in: 0.2.140
Fix: `npm install @asymmetric-effort/specifyjs@0.2.140`