nice

helpful

Thanks, Clary! I will keep posting cool & knowledgeable content.

Hi! Why console.logs are a security risk?

That’s nice and simple on Next.js.
On Angular I created a service for logging and the log level is set based on what environment you log too. I then like to use the linter to stop any uses of console.log in the code ( except in the service ) a good git hook running the lint then stops people from committing a console log in the code.

One advantage I get with this is based on the error the service can decide if it wants to send the log via REST API to an external service for monitoring.

That's amazing

I do this too but without a plugin, I simply set an empty function for console.log on prod env.

console.log = function(){}

beside console sometimes people also use alert to test something. In some of our webapps we disabled alert the same way like above.. (someone once pushed alert("curse word") on friday in production, it popped up when user did something special. We got interesting mails on monday... ;)

That's nice trick, but It won't pass code review.

Could even use husky to setup custom git hooks for blocking a push or commit if linting fails

Nice trick! but what if you setup the rule late for you console.log ?

It means ESLint will autofix console.log from all files?

I couldn't find something that's the reason I tried it but now lots of solutions are available in comments.

Next time, I'm gonna surely try all these suggestions but this time I will continue it.

you don't need a plugin, you can wrap it yourself: dev.to/ayyash/writing-a-wrapper-fo...

I just add this code:
let testMode = true; // console log suppressed if false
if (!testMode) {console.log = function() {};} // to suppress console log

console.logs should just be used to bug check and afterwards removed. Don't leave it in the source code, especially not in big companies. You can maybe create a peek functionality in your utils, but that's that. Using build tools to remove code is just bad practice.

Some may be thinking that why we are not allowed to use the console.log in the production plus some other development enviornemnt as well, so the answer is that if you are fetching a lot of data from Back-End and printing that data in the Front-End in any framework then it is quite possible that, that data will again some time to get printed at the console so due to this reason we should avoid printing direct data to the console.

The other thing that has been mentioned in this article is the security risk, this also put the application on the risk as well.

This plugin looks good but it is there is a need to communicate the need and usage of this plugin to the other members of the team as well. However, I appreciate that you have bring this matter of writing console log on the production deployed application. This is a critical thing to which only a few developers pay attention, more power to you and looking forward to see some important articles from your side. Good Luck.

How about an ESLint rule for no console and a pre-commit hook?

This way, you don't need any ninja-hacks. You do your testing and remove them before the commit.

Linting rules seem like a great solution for this.

I prefer to create a custom logger wrapper/class and use it in app. In react apps as custom context/provider with hook to get logger instance in components.

Why? Several advantages:

• log to multiple services, not just console if necessary
• different logger implementation for tests, you can mock logger methods and assert them in tests (if you have business flow logs, then this is useful)
• different logger implementation for storybook: you can see logs as actions in storybook
• production? Just use dummy logger that do nothing or log only to production services

"Checking every file, and deleting the statement is very time-consuming"
ESLint's rule to deny console logs + ignore them just in console logger implementation

hi，your article is so good！ Can I translate your artical and post to my wechat public account？