diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
index 6e4dbbf396ed..750323fa38c8 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll
@@ -61,7 +61,12 @@ class RemoteSource extends Source instanceof RemoteFlowSource {
 * An argument to a logging mechanism.
 */
 class LoggingSink extends Sink {
- LoggingSink() { this = any(LoggerCall console).getAMessageComponent() }
+ LoggingSink() {
+ exists(LoggerCall logger |
+ this = logger.getAMessageComponent() and
+ not logger = API::moduleImport("debug").getReturn().getACall()
+ )
+ }
 }
 
 /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
index a0fc508808e5..f14ef70a34f7 100644
--- a/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
+++ b/javascript/ql/test/query-tests/Security/CWE-117/logInjectionGood.js
@@ -27,3 +27,13 @@ const server = http.createServer((req, res) => {
 console.error(`[ERROR] Error: "${error}"`);
 }
 });
+
+const debug = require('debug')('app');
+
+const server_debug = http.createServer((req, res) => {
+ let q = url.parse(req.url, true);
+ let username = q.query.username;
+
+ // OK - debug package is not a production logger
+ debug('User: %s', username);
+});
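Review bot: The exclusion on the `not logger = API::moduleImport("debug").getReturn().getACall()` line only recognises a debugger obtained directly from the module's return value, so a debugger derived from such an instance (the package also exposes `.extend(...)` on a debugger, which returns a new one) presumably still counts as a sink and would alert on the very call shape the new test marks as OK; if the whole package is meant to be carved out, widen it to the module return plus `getMember("extend").getReturn()`, or wrap both in a small predicate such as `isDebugPackageCall(LoggerCall c)`. The reason for the carve-out currently lives only in the test file, so the class should say it in place, e.g. `// Calls to the `debug` package are excluded: its output is a development-time trace rather than a production log, so it is not treated as a log-injection sink.`. Whether `API` is already in scope in this file cannot be confirmed from the hunk.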
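Review bot: `let q` and `let username` in the new handler are never reassigned and should be `const`, and `server_debug` breaks the camelCase used by the neighbouring `server` — `const serverDebug = http.createServer((req, res) => {`. The added case pins only the `require('debug')('app')` construction form, so it cannot show whether other ways of obtaining a debugger from the package are excluded as well; a second handler using one of them, annotated as OK or as an expected alert, would make the intended scope of the exclusion explicit. This assumes `http` and `url` are required earlier in the file, outside the hunk, as the existing handler already relies on them.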