Rule "Console logging should not be used" is missing from JavaScript Ruleset

Whereas the TypeScript ruleset includes the important rule “Console logging should not be used” which addresses an “OWASP Top 10 2017 Category A3 - Sensitive Data Exposure” item (, the rule is conspicuously, and I believe incorrectly, missing from the JavaScript rule set ( In both uses cases, the use of console logging exposes a security vulnerability; therefore, it should be added to the JavaScript ruleset as well.

Hi @sarbour

In fact there is rule S106 for JS: Even if it has code smell type it does the same. We will discuss in the team if we should change the type of the rule.

FYI there is rule under specification which is a security hotspot.