GHSA-qcr8-x557-7cp3: @asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Finding
Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71
Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.
Status
Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.
Recommendation
Gate all development-time console.warn and console.error calls behind process.env.NODE_ENV !== 'production' or a DEV constant that build tools can tree-shake.
Details
Original advisory: https://github.com/advisories/GHSA-qcr8-x557-7cp3
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10