Original issue tinyhumansai#2623 by @oxoxDev on 2026-05-25T10:39:38Z
Summary
app/package.json lists redux-logger and debug in dependencies. Move them to devDependencies and guard usage so production Tauri builds cannot log JWTs / API responses / chat messages.
Problem / Context
Confirmed in app/package.json:
"debug": "^4.4.3" under dependencies"redux-logger": "^3.0.6" under dependencies
redux-logger logs every Redux action + state change; debug exposes namespaced console output. Even with Vite tree-shaking, runtime-deps placement is a correctness/audit smell. CWE-532.
Identified by audit tinyhumansai#2575 (M-2).
Scope
-
Move both to devDependencies.
-
Wrap any redux-logger middleware import behind import.meta.env.DEV:
const middleware = [
...(import.meta.env.DEV ? [require('redux-logger').default] : []),
];
-
Verify the production bundle (pnpm build, then grep app/dist) no longer references either package.
Acceptance criteria
Related
Summary
app/package.jsonlistsredux-loggeranddebugindependencies. Move them todevDependenciesand guard usage so production Tauri builds cannot log JWTs / API responses / chat messages.Problem / Context
Confirmed in
app/package.json:"debug": "^4.4.3"underdependencies"redux-logger": "^3.0.6"underdependenciesredux-loggerlogs every Redux action + state change;debugexposes namespaced console output. Even with Vite tree-shaking, runtime-deps placement is a correctness/audit smell. CWE-532.Identified by audit tinyhumansai#2575 (M-2).
Scope
Move both to
devDependencies.Wrap any
redux-loggermiddleware import behindimport.meta.env.DEV:Verify the production bundle (
pnpm build, then grepapp/dist) no longer references either package.Acceptance criteria
redux-logger+debugindevDependenciesonlyRelated