Problem
After the targeted fixes in 747b4d0 (mnemonic + password) and 148a57f (Quickswap handlers + reducer debug), there are still ~90 console.log lines across the codebase. Many emit:
- Wallet addresses
- Token amounts
- Tx state machine transitions
- API response bodies (potentially including the user's portfolio in plain text)
Top offenders:
| Lines | File |
| --- | --- |
| 36 | data/queryApi.js |
| 15 | data/ethApi.js |
| 9 | views/EthToPolygonBridge.js |
| 8 | views/GravityToEthBridge.js |
| 8 | data/txApi.js (still — only the addr/amount logs cleared) |
| 7 | pages/index.jsx |
| 6 | data/useStakeReducer.js (still) |
| 5 | views/MntlToGravityBridge.js |
Same threat model as 747b4d0: anything in the browser console is readable by extensions, screen recorders, and pasted-into-DevTools support sessions. Not a critical leak (no keys), but unnecessary.
Proposed fix
Two passes:
- Sweep: for each file, classify each console.log as:
  - Drop: debug leftover, never useful in prod (most). Just delete.
  - Demote: keep for dev visibility, gate behind process.env.NODE_ENV === "development" or behind a debug flag.
  - Promote to console.error: error-paths that should still log in prod (audit logs).
- Lint rule: add no-console to .eslintrc with allow-list for error + warn. Use eslint-disable-next-line for any genuinely-needed log. Wires up forever-after.
Where to look
grep -rn "console\.log(" --include="*.js" --include="*.jsx" --exclude-dir=node_modules .
Why now
Low-risk, high-cosmetic-value cleanup. Good first issue for an external contributor. Pairs with the eslint rule add.
Acceptance
- console.log either deleted or gated under dev
- .eslintrc.json has "no-console": ["warn", { "allow": ["error", "warn"] }]
Background: continuation of the audit pass behind #198.
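A triage helper for the sweep described above, as an added example that is not part of the original issue or the project's code: it finds each console.log call, reads its full argument text, and suggests drop, promote, or demote. The keyword lists, function names, and sample sources are assumptions constructed for illustration.

```javascript
// Added example, not project code. Keyword lists are assumptions; tune per codebase.
const SENSITIVE = /addr|amount|balance|mnemonic|password|portfolio|response/i;
const ERROR_PATH = /\b(err|error)\b/i;

// Argument text of a call whose "(" is at index `open`; handles nested
// parentheses and string literals so ")" inside a string does not end the call.
function readArgs(src, open) {
  let depth = 0, quote = null;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++; // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unterminated call: take the rest
}

// One finding per console.log. Sensitive data wins over error-path so that
// a log carrying user data is never suggested for promotion to prod logging.
function triageSource(file, src) {
  const findings = [];
  const re = /console\.log\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const args = readArgs(src, m.index + m[0].length - 1).trim();
    const line = src.slice(0, m.index).split("\n").length;
    let action = "demote"; // default: keep, but gate behind a dev check
    if (SENSITIVE.test(args)) action = "drop";
    else if (ERROR_PATH.test(args)) action = "promote"; // candidate for console.error
    findings.push({ file, line, action, args });
  }
  return findings;
}

// Per-file counts, highest first (same shape as the "Top offenders" table).
function summarize(sources) {
  return Object.entries(sources)
    .map(([file, src]) => ({ file, count: triageSource(file, src).length }))
    .sort((a, b) => b.count - a.count);
}

// Constructed sample sources (hypothetical file names and contents).
const SAMPLE = {
  "views/Bridge.js": 'console.log("sending", walletAddress, tokenAmount);\n' +
    'try { send(); } catch (err) {\n  console.log("bridge failed (retry)", err.message);\n}\n' +
    'console.log("step", fmt(state));',
  "data/api.js": 'console.log("got", response.data);',
};
```

The suggestions are a starting point for manual review; like the grep above, the scan also counts calls inside comments.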