Advisories for Npm/@Asymmetric-Effort/Specifyjs package

2026

@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state

Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71
Finding: Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query fragments to users viewing the browser console.
Status: Open — These warnings serve as development-time diagnostics. They do not expose credentials or PII, but may reveal internal architecture details.
Recommendation: Gate all development-time console.warn and console.error calls behind …

@asymmetric-effort/specifyjs: No redirect target validation in secureFetch

Location: core/src/shared/secure-fetch.ts
Finding: assertSecureUrl validated only the initial request URL. The fetch() API follows redirects by default (up to 20 hops), so a request to a valid https:// URL could be redirected to http://internal-service/ or another unvalidated destination.
Status: Fixed in v0.2.136 — secureFetch now defaults to redirect: 'error', which rejects any redirect. Callers can override with { redirect: 'follow' } if they trust the target.

@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection

Location: core/src/client/graphql.ts:66-80
Finding: The gql template tag function warned about interpolated values containing GraphQL metacharacters ({}():) but still concatenated them into the query string, enabling potential GraphQL injection.
Status: Fixed in v0.2.136 — The gql function now throws an error when metacharacters are detected in interpolated values, forcing developers to use the variables parameter.

@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString

Location: core/src/server/render-to-string.ts:307-311
Finding: CSS value sanitization stripped expression( and url(javascript: using a simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp/**/ression().
Mitigating factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers.
Status: Fixed in v0.2.136 — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. It also checks for behavior:, -moz-binding, and -o-link patterns.