GHSA-qcr8-x557-7cp3
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Details
## Finding
**Location**: `core/src/core/scheduler.ts:23`, `core/src/hooks/dispatcher.ts:100`, `core/src/client/graphql.ts:71`
Several `console.warn` calls are not gated behind `__DEV__` and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.
## Status
**Open** — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.
## Recommendation
Gate all development-time `console.warn` and `console.error` calls behind `process.env.NODE_ENV !== 'production'` or a `__DEV__` constant that build tools can tree-shake.
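A check for the recommendation above, as an added example that is not part of the advisory or the SpecifyJS code base: a heuristic line scanner that reports `console.warn` / `console.error` calls not enclosed in a `__DEV__` or `process.env.NODE_ENV !== 'production'` guard. The function name and the sample source are constructed for illustration, and the scanner tracks braces only (no full parsing of strings or block comments).

```javascript
// Added example (not SpecifyJS code). Heuristic: tracks `{}` nesting per line.
// A guard is a positive __DEV__ test or NODE_ENV !== 'production'; `!__DEV__` is not.
const GUARD = /(?<!!)\b__DEV__\b|process\.env\.NODE_ENV\s*!==?\s*['"]production['"]/;
const CALL = /\bconsole\.(warn|error)\s*\(/;

function findUngatedConsoleCalls(source) {
  const findings = [];
  const stack = []; // one boolean per open `{`: true if opened under a dev guard
  source.split("\n").forEach((line, i) => {
    const code = line.replace(/\/\/.*$/, ""); // drop line comments
    const guardedHere = GUARD.test(code);     // e.g. `if (__DEV__) console.warn(...)`
    if (CALL.test(code) && !guardedHere && !stack.includes(true)) {
      findings.push({ line: i + 1, text: code.trim() });
    }
    for (const ch of code) {
      // Evaluate the guard state at each brace so `} else {` after a
      // guarded `if` opens an unguarded (production) branch.
      if (ch === "{") stack.push(guardedHere || stack.includes(true));
      else if (ch === "}") stack.pop();
    }
  });
  return findings;
}

// Constructed sample source; identifiers are hypothetical, not the project's.
const SAMPLE = [
  "function flush(queue) {",
  "  if (queue.length > 100) {",
  '    console.warn("queue size", queue.length);', // line 3: ungated
  "  }",
  "  if (__DEV__) {",
  '    console.warn("flush took too long");',      // gated by block
  "  } else {",
  '    console.error("fallback path");',           // line 8: production branch
  "  }",
  '  if (process.env.NODE_ENV !== "production") console.warn("hook order");',
  "}",
].join("\n");

for (const f of findUngatedConsoleCalls(SAMPLE)) {
  console.log(`ungated console call at line ${f.line}: ${f.text}`);
}
```

Run over each source file in CI and fail the build when the returned list is non-empty; a bundler-level check of the production output remains the stronger control.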
Affected packages
0 Fixed in: 0.2.140 npm install @asymmetric-effort/specifyjs@0.2.140