Skip to main content
ESLint Interlace
Plugin: operabilityRules

no-debug-code-in-production

Detects debug code that should not be present in production builds.

Type-unaware

Keywords: console.log, DEBUG, DEV, CWE-489, leftover debug, production security

⚠️ This rule errors by default in the recommended config.

Quick Summary

AspectDetails
CWE ReferenceCWE-489 (Active Debug Code)
OWASP MobileM7: Client Code Quality
SeverityHigh
CategorySecurity

Rule Details

Debug code left in production can expose sensitive information, internal system details, or create attack vectors. This rule detects:

  • console.log() statements
  • DEBUG identifiers
  • __DEV__ React Native development flags

Examples

❌ Incorrect

// Console logging in production code
function processPayment(card) {
  console.log('Processing card:', card.number); // Exposes PII!
  return chargeCard(card);
}

// Debug flags left in code
if (DEBUG) {
  showInternalState();
}

// React Native dev flag
if (__DEV__) {
  enableDevTools();
}

✅ Correct

const mode = 'production'

Error Message Format

When triggered, this rule produces:

🔒 [CWE-489](https://cwe.mitre.org/data/definitions/489.html) | Debug Code in Production detected - DEBUG, __DEV__, console | HIGH
   Fix: Review and apply secure practices | https://cwe.mitre.org/data/definitions/489.html

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Aliased Console

Why: Aliased console object not traced.

// ❌ NOT DETECTED - Aliased console
const log = console.log;
log('debug info');

Mitigation: Avoid aliasing console methods.

Custom Debug Functions

Why: Custom logging functions not recognized.

// ❌ NOT DETECTED - Custom debug function
function debug(msg) {
  console.log(msg);
}
debug('internal state');

Mitigation: Apply rule to debug function definitions.

Dynamic Method Names

Why: Dynamic property access not analyzed.

// ❌ NOT DETECTED - Dynamic method
const method = 'log';
console[method]('debug');

Mitigation: Avoid dynamic console access.

When Not To Use It

  • In development-only configuration files
  • In CLI tools where console output is expected
  • When using a logging library that conditionally strips debug logs

Further Reading

  • no-exposed-debug-endpoints (planned)
  • detect-mixed-content (planned)

Category: Security
Type: Problem
Recommended: Yes

no-console-log

Disallow console.log with configurable remediation strategies and LLM-optimized output. This rule is part of eslint-plugin-operability and provides 4 auto-f

no-process-exit

Prevents direct process.exit() calls to encourage graceful shutdown patterns. This rule is part of eslint-plugin-operability.

On this page

Quick Summary
Rule Details
Examples
❌ Incorrect
✅ Correct
Error Message Format
Known False Negatives
Aliased Console
Custom Debug Functions
Dynamic Method Names
When Not To Use It
Further Reading
Related Rules