Close Open Privacy Scan

bolt Snapshot: commit 2e254ac
science engine v3
schedule 2026-07-09T09:09:56.099388+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

Incomplete scan — only 57/114 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

22 /100
High privacy risk — application leak confirmed

High risk · 305 finding(s)

Dependency score: 77 (Medium risk)

bar_chart Score Breakdown

pii_flow −60
egress −15
env_fs −3

list Scan Summary

68 high 2 medium 235 low
First-party packages: 1
Dependency packages: 12
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: api.anthropic.comapi.cerebras.aiapi.deepseek.comapi.fireworks.aiapi.github.comapi.groq.comapi.moonshot.aiapi.netlify.comapi.openai.comapi.supabase.comapi.vercel.comgitlab.commodels.github.aiopenrouter.airaw.githubusercontent.com

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:51 repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:72 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:111 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:137 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:159 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:197 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:211 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:246 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:275 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:288 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:323 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:337 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:379 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:412 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:81 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:107 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:129 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:163 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:177 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:208 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:233 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:246 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:277 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:291 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:331 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:364 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:68 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:150 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:214 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:79 repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/SupabaseAlert.tsx:51 repo/app/components/chat/SupabaseAlert.tsx:47
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:30
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:53
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:83
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:105 repo/app/components/chat/VercelDeploymentLink.client.tsx:105
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:153 repo/app/components/deploy/NetlifyDeploy.client.tsx:145
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:153 repo/app/components/deploy/NetlifyDeploy.client.tsx:177
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/VercelDeploy.client.tsx:191 repo/app/components/deploy/VercelDeploy.client.tsx:182
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:78 repo/app/lib/hooks/useGitHubConnection.ts:75
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:226 repo/app/lib/hooks/useGitHubConnection.ts:223
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:95 repo/app/lib/hooks/useGitLabConnection.ts:92
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:216 repo/app/lib/hooks/useGitLabConnection.ts:213
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useSupabaseConnection.ts:68 repo/app/lib/hooks/useSupabaseConnection.ts:70
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:54 repo/app/lib/services/githubApiService.ts:51
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:140 repo/app/lib/services/githubApiService.ts:137
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:168 repo/app/lib/services/githubApiService.ts:165
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:196 repo/app/lib/services/githubApiService.ts:193
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:32 repo/app/routes/api.github-branches.ts:71
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:32 repo/app/routes/api.github-branches.ts:95
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:26
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:50
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:79
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:17 repo/app/routes/api.github-user.ts:25
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:116
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:165
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:211
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:15 repo/app/routes/api.netlify-user.ts:22
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:82 repo/app/routes/api.netlify-user.ts:90
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:15 repo/app/routes/api.supabase-user.ts:22
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:97 repo/app/routes/api.supabase-user.ts:105
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:97 repo/app/routes/api.supabase-user.ts:159
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:119
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:145
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:160
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:228
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:274
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:15 repo/app/routes/api.vercel-user.ts:31
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:93 repo/app/routes/api.vercel-user.ts:110

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #d531162b7490499e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:51 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45
      const response = await fetch('/api/gitlab-projects', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          token: connection.token,
          gitlabUrl: connection.gitlabUrl || 'https://gitlab.com',
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5041dcff1ab19a5e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:72 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #96d1b7afabb6692d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:111 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #821b7837d47eb10e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:137 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134
            const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                clear_cache: true,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #77844d6f0e44d2e8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:159 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156
          const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8ccbbd00a1a2a052 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:197 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #218b97d21fe147b6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:211 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209
          const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5c47ad1690996669 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:246 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243
          const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #694734a0e2968b13 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:275 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #da990fea85c57ab1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:288 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286
          const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4070d9a57eea6ed4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:323 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #22517bc14cf27aa5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:337 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335
          const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5a36ad5f8bf9a0fa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:379 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376
          const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            method: 'DELETE',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6492963abd31c803 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:412 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4b9aaa047519ba6b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:81 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #95722fa874f5432e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:107 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104
            const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                clear_cache: true,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cde3fae531b00930 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:129 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126
          const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #29a07ec16695847b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:163 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #aa649ed5f0a73621 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:177 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175
          const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1e46202f250890d5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:208 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205
          const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1de7f8fca8e4d1c5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:233 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #78f4725f05b2aee0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:246 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244
          const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5901128c86f5955e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:277 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d80d4ba3bf855b3b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:291 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289
          const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5e16281aa146e8bc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:331 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328
          const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            method: 'DELETE',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #066409f4256f31c6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:364 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7ae72d3c2a2f713e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:68 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
            const response = await fetch(`https://api.vercel.com/v1/deployments`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                name: projectId,
                target: 'production',
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4c142b11abb8bfaa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:150 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147
            const response = await fetch(`https://api.vercel.com/v1/projects/${projectId}`, {
              method: 'DELETE',
              headers: {
                Authorization: `Bearer ${connection.token}`,
              },
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3f43fd41aff5a21c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:214 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
      const testResponse = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${token}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #52318abbba22dbf9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:79 → /tmp/closeopen-rtzo9t7d/repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
      const response = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
          'Content-Type': 'application/json',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f94a72ebb3bbb520 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/SupabaseAlert.tsx:47 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/chat/SupabaseAlert.tsx:51 → /tmp/closeopen-rtzo9t7d/repo/app/components/chat/SupabaseAlert.tsx:47
      const response = await fetch('/api/supabase/query', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          Authorization: `Bearer ${connection.token}`,
        },
        body: JSON.stringify({
          projectId: connection.selectedProjectId,
          query: sql,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0f9bcffba36e682a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:30 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:30
        const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
          headers: {
            Authorization: `Bearer ${connection.token}`,
            'Content-Type': 'application/json',
          },
          cache: 'no-store',
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6ee36bd7c07950ec User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:53 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:53
          const projectDetailsResponse = await fetch(`https://api.vercel.com/v9/projects/${project.id}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
            cache: 'no-store',
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9aecc2c6e7d2ab98 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:83 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:83
          const deploymentsResponse = await fetch(
            `https://api.vercel.com/v6/deployments?projectId=${project.id}&limit=1`,
            {
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              cache: 'no-store',
            },
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c977ffbbc10c1981 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:105 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:105 → /tmp/closeopen-rtzo9t7d/repo/app/components/chat/VercelDeploymentLink.client.tsx:105
        const fallbackResponse = await fetch(`/api/vercel-deploy?projectId=${projectId}&token=${connection.token}`, {
          method: 'GET',
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e92f4cea25072469 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:145 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/NetlifyDeploy.client.tsx:145
      const response = await fetch('/api/netlify-deploy', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          siteId: existingSiteId || undefined,
          files: fileContents,
          token: netlifyConn.token,
          chatId: currentChatId,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #476d23129c6122e0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:177 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/NetlifyDeploy.client.tsx:177
          const statusResponse = await fetch(
            `https://api.netlify.com/api/v1/sites/${data.site.id}/deploys/${data.deploy.id}`,
            {
              headers: {
                Authorization: `Bearer ${netlifyConn.token}`,
              },
            },
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a0f3d29a545b3491 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/VercelDeploy.client.tsx:182 · flow /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/VercelDeploy.client.tsx:191 → /tmp/closeopen-rtzo9t7d/repo/app/components/deploy/VercelDeploy.client.tsx:182
      const response = await fetch('/api/vercel-deploy', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          projectId: existingProjectId || undefined,
          files: fileContents,
          sourceFiles: allProjectFiles,
          token: vercelConn.token,
          chatId: currentChatId,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cb47ae95770ac628 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:75 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitHubConnection.ts:78 → /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitHubConnection.ts:75
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #34db7ee69fdd15db User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:223 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitHubConnection.ts:226 → /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitHubConnection.ts:223
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #79cbc220f98bf86a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:92 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitLabConnection.ts:95 → /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitLabConnection.ts:92
      const response = await fetch(`${baseUrl}/api/v4/user`, {
        headers: {
          'Content-Type': 'application/json',
          'PRIVATE-TOKEN': connection.token,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #18faf3a6fea4af70 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:213 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitLabConnection.ts:216 → /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useGitLabConnection.ts:213
      const response = await fetch(`${baseUrl}/api/v4/user`, {
        headers: {
          'Content-Type': 'application/json',
          'PRIVATE-TOKEN': connection.token,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6dc28dc591192fe2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useSupabaseConnection.ts:70 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useSupabaseConnection.ts:68 → /tmp/closeopen-rtzo9t7d/repo/app/lib/hooks/useSupabaseConnection.ts:70
      const response = await fetch('/api/supabase', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          token: cleanToken,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #aeca3447e1e30e5e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:51 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:54 → /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:51
    const response = await fetch(`${this._baseURL}${endpoint}`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
        ...options.headers,
      },
      ...options,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #bc323e2f87b30b17 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:137 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:140 → /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:137
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/contributors?per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #bcd54621715b3015 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:165 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:168 → /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:165
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/issues?state=all&per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b95ac3fa2403235a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:193 · flow /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:196 → /tmp/closeopen-rtzo9t7d/repo/app/lib/services/githubApiService.ts:193
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/pulls?state=all&per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c8059b2b2e1f2e25 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:71 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-branches.ts:32 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-branches.ts:71
    const repoResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #26acc1f5b0025a5e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:95 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-branches.ts:32 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-branches.ts:95
    const branchesResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}/branches?per_page=100`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b82abf5c01ac7fa8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:26 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:26
    const userResponse = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e6282aad61d68c9b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:50 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:50
      const repoResponse = await fetch(
        `https://api.github.com/user/repos?sort=updated&per_page=100&page=${page}&affiliation=owner,organization_member`,
        {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${githubToken}`,
            'User-Agent': 'bolt.diy-app',
          },
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #81ca2f22545bbbdc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:79 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-stats.ts:79
          const branchesResponse = await fetch(`https://api.github.com/repos/${repo.full_name}/branches?per_page=1`, {
            headers: {
              Accept: 'application/vnd.github.v3+json',
              Authorization: `Bearer ${githubToken}`,
              'User-Agent': 'bolt.diy-app',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c622d0b649eab1ce User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:25 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:17 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:25
    const response = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0be4b7da6f2e2f73 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:116 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:116
      const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #57bae0d0a093a95a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:165 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:165
      const response = await fetch(`https://api.github.com/repos/${repoFullName}/branches`, {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d64a52ef82f4046c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:211 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.github-user.ts:211
      const response = await fetch(
        `https://api.github.com/search/repositories?q=${encodeURIComponent(searchQuery)}&per_page=${perPage}&sort=updated`,
        {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${githubToken}`,
            'User-Agent': 'bolt.diy-app',
          },
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7ebdaeee39882bfb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:22 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.netlify-user.ts:15 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.netlify-user.ts:22
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${netlifyToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #34e40df96071e0de User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:90 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.netlify-user.ts:82 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.netlify-user.ts:90
      const response = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${netlifyToken}`,
          'Content-Type': 'application/json',
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #09e2e7e5732cb145 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:22 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:15 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:22
    const response = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${supabaseToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #06a98ba5e4619dd5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:105 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:97 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:105
      const response = await fetch('https://api.supabase.com/v1/projects', {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #110aea96e34eb054 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:159 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:97 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.supabase-user.ts:159
      const response = await fetch(`https://api.supabase.com/v1/projects/${projectId}/api-keys`, {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7d8d3ed4c5ce2dbf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:119 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:119
        const response = await fetch('https://api.github.com/user', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #092ba2a9ea0a9780 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:145 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:145
        const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e86a0ab7baf47d8c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:160 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:160
        const gistsResponse = await fetch('https://api.github.com/gists', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #61cdc09817807ab9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:228 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:228
        const response = await fetch('https://api.github.com/user/orgs', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #18cdfa6cf897e91e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:274 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.system.git-info.ts:274
        const response = await fetch(`https://api.github.com/users/${username}/events?per_page=30`, {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5900b61293c68a1b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:31 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.vercel-user.ts:15 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.vercel-user.ts:31
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${vercelToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4a463d7274dc2ed8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:110 · flow /tmp/closeopen-rtzo9t7d/repo/app/routes/api.vercel-user.ts:93 → /tmp/closeopen-rtzo9t7d/repo/app/routes/api.vercel-user.ts:110
      const response = await fetch('https://api.vercel.com/v13/projects', {
        headers: {
          Authorization: `Bearer ${vercelToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 110 low-confidence finding(s)
low egress production #f3581a9cb1112b0e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #f3078a6ae7592dd6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:459
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${tokenInput}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c1fb9790a9deadfb Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:508
      const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #9b16456e777836af Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:414
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${tokenInput}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #f9cbd3476bd70317 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:462
      const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #66d97f5000efd3b6 Environment-variable access.
repo/app/components/@settings/tabs/providers/local/ErrorBoundary.tsx:54
          {process.env.NODE_ENV === 'development' && this.state.error && (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #a328af8232d76809 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
            const response = await fetch(`https://api.vercel.com/v1/deployments`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                name: projectId,
                target: 'production',
              }),
            });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #cf8997b9543cb82c Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
      const testResponse = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${token}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #1cef2a159831f89b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
      const response = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
          'Content-Type': 'application/json',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #9ecf34f5a24c5f6a Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/chat/VercelDeploymentLink.client.tsx:30
        const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
          headers: {
            Authorization: `Bearer ${connection.token}`,
            'Content-Type': 'application/json',
          },
          cache: 'no-store',
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ca3af2a4b67adba4 Filesystem access.
repo/app/components/deploy/GitHubDeploy.client.tsx:119
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c497dd6e3ac0ae3 Filesystem access.
repo/app/components/deploy/GitLabDeploy.client.tsx:119
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46aa2e163cbd9c81 Filesystem access.
repo/app/components/deploy/NetlifyDeploy.client.tsx:126
            const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4eb7723254a8335 Filesystem access.
repo/app/components/deploy/VercelDeploy.client.tsx:122
            const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16901b9f2ac44f9d Filesystem access.
repo/app/components/deploy/VercelDeploy.client.tsx:149
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5cc3fbf03f9b9ef3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/api/updates.ts:58
    const latestPackageResponse = await fetch(
      'https://raw.githubusercontent.com/stackblitz-labs/bolt.diy/main/package.json',
    );

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #7dc62b14081f7282 Filesystem access.
repo/app/lib/hooks/useGit.ts:194
        const result = await webcontainer.fs.readFile(relativePath, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00beba50503b9568 Filesystem access.
repo/app/lib/hooks/useGit.ts:212
          const result = await webcontainer.fs.writeFile(relativePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4d312cd9d277402 Filesystem access.
repo/app/lib/hooks/useGit.ts:217
          const result = await webcontainer.fs.writeFile(relativePath, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #b6d1df66899b7d88 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:75
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b2fb2d504936da0e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:118
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${tokenType === 'classic' ? 'token' : 'Bearer'} ${token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #6b94b8bf15a7409a Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:223
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #49840132b4702b9b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/anthropic.ts:64
    const response = await fetch(`https://api.anthropic.com/v1/models`, {
      headers: {
        'x-api-key': `${apiKey}`,
        'anthropic-version': '2023-06-01',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #672f5ef9aae33e8c Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/cerebras.ts:78
      const response = await fetch('https://api.cerebras.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #54fffee1594388d7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/deepseek.ts:71
      const response = await fetch('https://api.deepseek.com/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ae6385dbd89ba330 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/fireworks.ts:85
      const response = await fetch('https://api.fireworks.ai/v1/accounts/fireworks/models?page_size=100', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #288110ac2cd419ea Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/github.ts:91
      const response = await fetch('https://models.github.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #47da40357f1e372c Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/groq.ts:55
    const response = await fetch(`https://api.groq.com/openai/v1/models`, {
      headers: {
        Authorization: `Bearer ${apiKey}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #13fbe8d014e9cf72 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/moonshot.ts:62
      const response = await fetch('https://api.moonshot.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ffce36453153d9d0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/open-router.ts:56
      const response = await fetch('https://openrouter.ai/api/v1/models', {
        headers: {
          'Content-Type': 'application/json',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #121316b0c1aa9c14 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/openai.ts:70
    const response = await fetch(`https://api.openai.com/v1/models`, {
      headers: {
        Authorization: `Bearer ${apiKey}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #fec5b79ffcabeb4b Filesystem access.
repo/app/lib/persistence/useChatHistory.ts:250
        await container.fs.writeFile(key, value.content, { encoding: value.isBinary ? undefined : 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4992378abfaff3b7 Filesystem access.
repo/app/lib/runtime/action-runner.ts:334
      await webcontainer.fs.writeFile(relativePath, action.content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #728ad814940df907 Filesystem access.
repo/app/lib/runtime/action-runner.ts:351
      const content = await webcontainer.fs.readFile(historyPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1a8de2e43ddb2a2 Filesystem access.
repo/app/lib/runtime/action-runner.ts:602
              await webcontainer.fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #594d3c80ebde8e79 Filesystem access.
repo/app/lib/runtime/action-runner.ts:659
          await webcontainer.fs.readFile(sourceFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c255f78fa39c0abd Environment-variable access.
repo/app/lib/security.ts:115
    ...(process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15f26e55a7d4b0a1 Environment-variable access.
repo/app/lib/security.ts:228
      const errorMessage = sanitizeErrorMessage(error, process.env.NODE_ENV === 'development');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e549864bede5020 Environment-variable access.
repo/app/lib/services/importExportService.ts:171
          appVersion: process.env.NEXT_PUBLIC_VERSION || 'unknown',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3badcc90b6e2f8a Filesystem access.
repo/app/lib/stores/files.ts:566
      await webcontainer.fs.writeFile(relativePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5c1d8fff50585d9 Filesystem access.
repo/app/lib/stores/files.ts:789
        await webcontainer.fs.writeFile(relativePath, Buffer.from(content));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ad688a7c9b8be9a Filesystem access.
repo/app/lib/stores/files.ts:802
        await webcontainer.fs.writeFile(relativePath, contentToWrite);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #fc256146e5afc89d Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/netlify.ts:39
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${envToken}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #94c42563b0e2cd74 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/netlify.ts:88
    const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #21c3fb1879cf4377 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/vercel.ts:80
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${envToken}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #f93ae72e9fb81abc Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/vercel.ts:148
    const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #76e92eeabd36449b Environment-variable access.
repo/app/routes/api.bug-report.ts:195
      (context?.cloudflare?.env as any)?.GITHUB_BUG_REPORT_TOKEN || process.env.GITHUB_BUG_REPORT_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f072f19fefa7de4c Environment-variable access.
repo/app/routes/api.bug-report.ts:197
      (context?.cloudflare?.env as any)?.BUG_REPORT_REPO || process.env.BUG_REPORT_REPO || 'stackblitz-labs/bolt.diy';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe443d60e08ee7cf Environment-variable access.
repo/app/routes/api.check-env-key.ts:36
    process.env[envVarName] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7f8b67930529b45 Environment-variable access.
repo/app/routes/api.configured-providers.ts:41
          const processEnv = process.env[baseUrlEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d85ec668c205981e Environment-variable access.
repo/app/routes/api.configured-providers.ts:69
            process.env[apiTokenEnvVar] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba90c8483965401a Environment-variable access.
repo/app/routes/api.export-api-keys.ts:35
      process.env[envVarName] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7f8fbbd04a27066 Filesystem access.
repo/app/routes/api.git-info.ts:3
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52b3cfc743533ff7 Environment-variable access.
repo/app/routes/api.github-branches.ts:61
        process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de2f4393060e8385 Environment-variable access.
repo/app/routes/api.github-branches.ts:62
        process.env.VITE_GITHUB_ACCESS_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #439357760a986b52 Environment-variable access.
repo/app/routes/api.github-stats.ts:18
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b13de3f85b62e93c Environment-variable access.
repo/app/routes/api.github-stats.ts:19
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #3bb31519a02b6130 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-stats.ts:26
    const userResponse = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #82e9b0574dd63484 Environment-variable access.
repo/app/routes/api.github-template.ts:7
  const isProduction = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b473e0c4ae1b695 Environment-variable access.
repo/app/routes/api.github-template.ts:215
      context?.cloudflare?.env?.GITHUB_TOKEN || process.env.GITHUB_TOKEN || process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29c8bbc415ebe9e4 Environment-variable access.
repo/app/routes/api.github-user.ts:17
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4268dd08c2e18f6 Environment-variable access.
repo/app/routes/api.github-user.ts:18
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0925906ffc2dbf82 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-user.ts:25
    const response = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3c5e9b4261469965 Environment-variable access.
repo/app/routes/api.github-user.ts:107
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #136ded35db3649d1 Environment-variable access.
repo/app/routes/api.github-user.ts:108
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #f564785a99696d6a Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-user.ts:116
      const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #6fc97de5f30f2fb3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-deploy.ts:42
      const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${token}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          name: siteName,
          custom_domain: null,
        }),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #bb6074e5c4f2953d Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-deploy.ts:95
        const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
          method: 'POST',
          headers: {
            Authorization: `Bearer ${token}`,
            'Content-Type': 'application/json',
          },
          body: JSON.stringify({
            name: siteName,
            custom_domain: null,
          }),
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3b45f234af337e5b Environment-variable access.
repo/app/routes/api.netlify-user.ts:15
      process.env.VITE_NETLIFY_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #b846a2b133c5a6e4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-user.ts:22
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${netlifyToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #6c0e145c9b10e6d8 Environment-variable access.
repo/app/routes/api.netlify-user.ts:82
      process.env.VITE_NETLIFY_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #05807657646cf244 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-user.ts:90
      const response = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${netlifyToken}`,
          'Content-Type': 'application/json',
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #61bdd54341c39ce7 Environment-variable access.
repo/app/routes/api.supabase-user.ts:15
      process.env.VITE_SUPABASE_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ae0adf036c7a06a6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase-user.ts:22
    const response = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${supabaseToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8f39aeafc06733d7 Environment-variable access.
repo/app/routes/api.supabase-user.ts:97
      process.env.VITE_SUPABASE_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #c53e3ecfbe94cd89 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase-user.ts:105
      const response = await fetch('https://api.supabase.com/v1/projects', {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #e11efd41da407693 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase.ts:12
    const projectsResponse = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #eef8aa744361551c Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:17
    hasGithubToken: Boolean(process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cab1993abcaa7214 Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:18
    hasNetlifyToken: Boolean(process.env.NETLIFY_TOKEN || context.env?.NETLIFY_TOKEN),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78255146145ed0cf Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:19
    nodeEnv: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #c9aee3cb5691e243 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.diagnostics.ts:70
    const githubResponse = await fetch('https://api.github.com/zen', {
      method: 'GET',
      headers: {
        Accept: 'application/vnd.github.v3+json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ef44fa25e1cf5cf8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.diagnostics.ts:93
    const netlifyResponse = await fetch('https://api.netlify.com/api/v1/', {
      method: 'GET',
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #d2f72adc58cb05b2 Environment-variable access.
repo/app/routes/api.system.disk-info.ts:20
const isDevelopment = process.env.NODE_ENV === 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2c0fbb131beaf9b Environment-variable access.
repo/app/routes/api.system.git-info.ts:85
    const serverGithubToken = process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #2973cbcf628354ec Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:119
        const response = await fetch('https://api.github.com/user', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #6e53fdcbfb228a83 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:145
        const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #e0280ff973af778a Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:160
        const gistsResponse = await fetch('https://api.github.com/gists', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #f73c87b3dca0ba1b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:228
        const response = await fetch('https://api.github.com/user/orgs', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #39af626ecbb9e86e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:267
      const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${token}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          name: projectName,
          framework: detectedFramework || null,
        }),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b1a63dbf487076be Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:314
        const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
          method: 'POST',
          headers: {
            Authorization: `Bearer ${token}`,
            'Content-Type': 'application/json',
          },
          body: JSON.stringify({
            name: projectName,
            framework: detectedFramework || null,
          }),
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #5611991d9cbd1cdc Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:417
    const deployResponse = await fetch(`https://api.vercel.com/v13/deployments`, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(deploymentConfig),
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #27600641b4de4585 Environment-variable access.
repo/app/routes/api.vercel-user.ts:15
      process.env.VITE_VERCEL_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #f00f16de20403bd7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-user.ts:31
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${vercelToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #f5d140cd3824b9f8 Environment-variable access.
repo/app/routes/api.vercel-user.ts:93
      process.env.VITE_VERCEL_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #13841d2c5609b8b5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-user.ts:110
      const response = await fetch('https://api.vercel.com/v13/projects', {
        headers: {
          Authorization: `Bearer ${vercelToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #e40f79e5f4ad5b81 Environment-variable access.
repo/notarize.cjs:24
      teamId: process.env.APPLE_TEAM_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd63d72184e5968e Environment-variable access.
repo/playwright.config.preview.ts:11
  forbidOnly: !!process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #955e1bbb63fa0292 Environment-variable access.
repo/playwright.config.preview.ts:12
  retries: process.env.CI ? 2 : 0,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c83153f2248e815 Environment-variable access.
repo/playwright.config.preview.ts:13
  workers: process.env.CI ? 1 : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42385f8260ad3108 Environment-variable access.
repo/playwright.config.preview.ts:17
    baseURL: process.env.PREVIEW_URL || 'http://localhost:5173',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c74c561ceea32838 Environment-variable access.
repo/playwright.config.preview.ts:30
  webServer: process.env.CI ? undefined : {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fa598de649663cd Environment-variable access.
repo/playwright.config.preview.ts:33
    reuseExistingServer: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7409c017865f1c7 Environment-variable access.
repo/pre-start.cjs:14
  version: JSON.stringify(process.env.npm_package_version),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #148f91d6c583fe49 Filesystem access.
repo/scripts/clean.js:1
import { rm, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9122a8b61a06dca9 Environment-variable access.
repo/scripts/electron-dev.mjs:26
process.env.NODE_ENV = 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7b9f61bd574dffc Environment-variable access.
repo/scripts/electron-dev.mjs:29
console.log('🔧 Environment:', process.env.NODE_ENV);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9201a8f8fb2269f8 Filesystem access.
repo/uno.config.ts:15
    acc[collectionName][iconName] = async () => fs.readFile(iconPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4478fca8074739b Environment-variable access.
repo/vite-electron.config.ts:23
      __APP_VERSION: JSON.stringify(process.env.npm_package_version),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #578713ba56ee7c3d Environment-variable access.
repo/vite.config.ts:17
      'process.env.NODE_ENV': JSON.stringify(process.env.NODE_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #256899f50eb44817 Environment-variable access.
repo/vite.config.ts.timestamp-1770328346417-a90f095482a09.mjs:15
      "process.env.NODE_ENV": JSON.stringify(process.env.NODE_ENV)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

rollup-plugin-node-polyfills

npm dependency
medium telemetry dependency Excluded from app score #2c27552738c1577d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/polyfills/crypto-browserify.js:14053
      options.track(input.path(), start, input.length, 'tagged');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #9efccf0825a35a5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/polyfills/crypto-browserify.js:14056
      options.track(input.path(), input.offset, input.length, 'content');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #db69fc251bd1d617 Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:5139
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f57b22cd587368b4 Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:7529
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fa6e9a2f33aeacf Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:10396
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71ec17a03033e0e1 Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:14206
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #905608336ceef70f Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18623
		if (typeof opts === 'function') return fs.writeFile(key, data, null, opts);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bdb960cb1029c1c Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18662
		fs.writeFile(key, data, opts, cb);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e4599d04050062c Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18699
		if (typeof opts === 'function') return fs.readFile(key, null, opts);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b596a933d05eb2ef Environment-variable access.
pkgs/npm/[email protected]/polyfills/util.js:100
    debugEnviron = process.env.NODE_DEBUG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #a66abc4fb8c76aae Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #173ef6194413e196 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be052e8378410e1e Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87755009774b1cb6 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3950d9aa23a2e1c7 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d9611c1ae526429 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef0a58c051a437fe Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #187284b2d5d2eb53 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a009170d440e31d0 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e639597687133904 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9eaa832214560bf Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1176c07486f291e6 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7d2b30b44f3e0da Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8ab8a715533a11d Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:141
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c76c495af857821 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:142
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c68a3f304c2b6914 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:221
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12679d39745e72c5 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:222
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55c9c844054d32d2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:277
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

electron-log

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #ab7ffc6ae9f19ae3 Filesystem access.
pkgs/npm/[email protected]/src/main/initialize.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9000ca3aa90ce9d6 Filesystem access.
pkgs/npm/[email protected]/src/main/initialize.js:81
    fs.writeFileSync(preloadPath, preloadCode, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26ec25c62bc6c814 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:121
        return process.env.APPDATA || path.join(home, 'AppData/Roaming');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee186c1202f80908 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:125
        return process.env.XDG_CONFIG_HOME || path.join(home, '.config');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73344611219091ce Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:131
    return os.homedir?.() || process.env.HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #174b7129b3bc1124 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:147
    return process.env.NODE_ENV === 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0385aa1e64861541 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:148
      || process.env.ELECTRON_IS_DEV === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8da82ba608718c7 Filesystem access.
pkgs/npm/[email protected]/src/node/packageJson.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07b15d83a928d3c3 Filesystem access.
pkgs/npm/[email protected]/src/node/packageJson.js:39
    const json = JSON.parse(fs.readFileSync(fileName, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2aa4fd68486f566c Environment-variable access.
pkgs/npm/[email protected]/src/node/transports/console.js:56
    useStyles: process.env.FORCE_STYLES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d334386ed2dfc64 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5e5c778afec3d9d Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:34
      fs.writeFileSync(this.path, '', {
        mode: this.writeOptions.mode,
        flag: 'w',
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c93e669c012a9e64 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:96
    fs.writeFile(this.path, text, this.writeOptions, (e) => {
      file.hasActiveAsyncWriting = false;

      if (e) {
        file.emit(
          'error',
          new Error(`Couldn't write to ${file.path}. ${e.message}`),
          this,
        );
      } else {
        file.increaseBytesWrittenCounter(text);
      }

      file.nextAsyncWrite();
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb50cf969b128d3e Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:132
      fs.writeFileSync(this.path, text, this.writeOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6472236c14528392 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/FileRegistry.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77772e863a33ea0d Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/FileRegistry.js:72
    fs.writeFileSync(filePath, '', { flag: 'a', mode: writeOptions.mode });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37e1dbd7c9d0c7f1 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/index.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7cd48f44dea9283 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/index.js:149
            lines: fs.readFileSync(logPath, 'utf8').split(os.EOL),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

electron-updater

npm dependency
expand_more 15 low-confidence finding(s)
low env_fs dependency Excluded from app score #84d565b801d803d4 Environment-variable access.
pkgs/npm/[email protected]/out/AppAdapter.js:11
        result = process.env["LOCALAPPDATA"] || path.join(homedir, "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e11ad946c4aac9a Environment-variable access.
pkgs/npm/[email protected]/out/AppAdapter.js:17
        result = process.env["XDG_CACHE_HOME"] || path.join(homedir, ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b61d59eb0dca0866 Filesystem access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:7
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2c688fce3b521e7 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:18
        if (process.env["APPIMAGE"] == null && !this.forceDevUpdateConfig) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fb7c14dd53f4c96 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:19
            if (process.env["SNAP"] == null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f595cdb344f4989 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:38
                const oldFile = process.env["APPIMAGE"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adc647edcc29f512 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:73
        const appImageFile = process.env["APPIMAGE"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2530022a3b7ae5d Filesystem access.
pkgs/npm/[email protected]/out/DownloadedUpdateHelper.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #975826de7fe379c4 Environment-variable access.
pkgs/npm/[email protected]/out/LinuxUpdater.js:96
        const pmOverride = (_a = process.env.ELECTRON_BUILDER_LINUX_PACKAGE_MANAGER) === null || _a === void 0 ? void 0 : _a.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4ac1fcd03e08eb7 Filesystem access.
pkgs/npm/[email protected]/out/MacUpdater.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5e68af2843bb075 Filesystem access.
pkgs/npm/[email protected]/out/differentialDownloader/DataSplitter.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e033be5e4fcb3c6b Filesystem access.
pkgs/npm/[email protected]/out/differentialDownloader/DifferentialDownloader.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97f098730e22a6a7 Environment-variable access.
pkgs/npm/[email protected]/out/differentialDownloader/downloadPlanBuilder.js:73
const isValidateOperationRange = process.env["DIFFERENTIAL_DOWNLOAD_PLAN_BUILDER_VALIDATE_RANGES"] === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #405feb707da2639d Environment-variable access.
pkgs/npm/[email protected]/out/providerFactory.js:24
            const token = (githubOptions.private ? process.env["GH_TOKEN"] || process.env["GITHUB_TOKEN"] : null) || githubOptions.token;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43b29305d160f1aa Environment-variable access.
pkgs/npm/[email protected]/out/providers/Provider.js:32
            const arch = process.env["TEST_UPDATER_ARCH"] || process.arch;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

isomorphic-git

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #11eae79df6fd6d62 Filesystem access.
pkgs/npm/[email protected]/cli.cjs:2
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a82b31482b3867e6 Filesystem access.
pkgs/npm/[email protected]/index.cjs:5016
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd8f913846257442 Filesystem access.
pkgs/npm/[email protected]/index.js:5003
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efd037fc6886f047 Filesystem access.
pkgs/npm/[email protected]/models/index.cjs:213
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4844eb93c5e8917f Filesystem access.
pkgs/npm/[email protected]/models/index.js:207
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mime

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1ea1e8edc3ad0798 Filesystem access.
pkgs/npm/[email protected]/src/mime_cli.ts:17
  const json = await fs.readFile(
    path.join(__dirname, '../../package.json'),
    'utf-8',
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nanostores

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #e0c14a28d24c9697 Environment-variable access.
pkgs/npm/[email protected]/atom/index.js:115
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58271ef4c35b44eb Environment-variable access.
pkgs/npm/[email protected]/clean-stores/index.js:6
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de6cccd1f307617 Environment-variable access.
pkgs/npm/[email protected]/computed/index.js:19
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6448e5db737cfece Environment-variable access.
pkgs/npm/[email protected]/computed/index.js:43
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c9f19fb42d15999 Environment-variable access.
pkgs/npm/[email protected]/deep-map/index.js:9
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acd6ba0ce92d0625 Environment-variable access.
pkgs/npm/[email protected]/lifecycle/index.js:145
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fead742228971dd Environment-variable access.
pkgs/npm/[email protected]/map-creator/index.js:28
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #c4e61070a8479efd Environment-variable access.
pkgs/npm/[email protected]/cjs/react-compiler-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd7ea0d4ddcdcef Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff4e2106eaf7cd15 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd506ffc4a64693 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2df110e2fb3a2714 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb80735fdc5e79de Environment-variable access.
pkgs/npm/[email protected]/cjs/react.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70995fd5d4995004 Environment-variable access.
pkgs/npm/[email protected]/cjs/react.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #118f8832c0de05ef Environment-variable access.
pkgs/npm/[email protected]/compiler-runtime.js:10
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f6a2a4ffd5da385 Environment-variable access.
pkgs/npm/[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f19ac812debc0a8b Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21aa96bc2db35a7f Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92f96486be427a78 Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63583f49fa5e2299 Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cac707a381db908 Environment-variable access.
pkgs/npm/[email protected]/react.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-beautiful-dnd

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #322a90a072dce967 Environment-variable access.
pkgs/npm/[email protected]/src/debug/timings.js:21
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fff54fa3150bd8a2 Environment-variable access.
pkgs/npm/[email protected]/src/debug/timings.js:37
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d04741526b4f9a25 Environment-variable access.
pkgs/npm/[email protected]/src/dev-warning.js:3
const isProduction: boolean = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0261b99caa5585c Environment-variable access.
pkgs/npm/[email protected]/src/invariant.js:3
const isProduction: boolean = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96a3875f7eade614 Environment-variable access.
pkgs/npm/[email protected]/src/state/create-store.js:27
  process.env.NODE_ENV !== 'production' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8072615533b7415a Environment-variable access.
pkgs/npm/[email protected]/src/state/middleware/util/validate-dimensions.js:64
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e820f19fc974d2e5 Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/app.jsx:177
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3050bbd2d13e695d Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/error-boundary.jsx:33
      if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edca78f92b0f7fa7 Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/error-boundary.jsx:67
      if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12d54be9c2666ed4 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-dev.js:5
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d940968a2e2a9735 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-droppable-publisher/get-closest-scrollable.js:34
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cde48d5edf4dfe88 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-droppable-publisher/use-droppable-publisher.js:168
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-dom

npm dependency
expand_more 24 low-confidence finding(s)
low env_fs dependency Excluded from app score #4abbbbb779b3fecf Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-profiling.development.js:15
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e3d3b8b1c7eecbf Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86a45943712b6b9d Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.node.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a15416988446431 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fba5df37df885db Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.edge.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea3868cf537d7969 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.node.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62765a9583681d84 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-test-utils.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea0a4c89599b4858 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e80f017000ae3848 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13e7990a65003786 Environment-variable access.
pkgs/npm/[email protected]/client.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb15e64cb823909f Environment-variable access.
pkgs/npm/[email protected]/client.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9daa930273c0acc Environment-variable access.
pkgs/npm/[email protected]/index.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ef726ab0b501277 Environment-variable access.
pkgs/npm/[email protected]/index.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24dec7360a9baf92 Environment-variable access.
pkgs/npm/[email protected]/profiling.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4127e8d4312bd259 Environment-variable access.
pkgs/npm/[email protected]/profiling.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e237b48016ac92e2 Environment-variable access.
pkgs/npm/[email protected]/react-dom.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a92506055dcf0630 Environment-variable access.
pkgs/npm/[email protected]/server.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d4fa352547fa487 Environment-variable access.
pkgs/npm/[email protected]/server.bun.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66b2438316fb1387 Environment-variable access.
pkgs/npm/[email protected]/server.edge.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c88dd2b49a20e3f8 Environment-variable access.
pkgs/npm/[email protected]/server.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c037930d3742c4eb Environment-variable access.
pkgs/npm/[email protected]/static.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52788ed8c96937c3 Environment-variable access.
pkgs/npm/[email protected]/static.edge.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #344935c06eab931c Environment-variable access.
pkgs/npm/[email protected]/static.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6406a139be3b912d Environment-variable access.
pkgs/npm/[email protected]/test-utils.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

remix-island

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #cafd14a95ad759f8 Environment-variable access.
pkgs/npm/[email protected]/examples/cloudflare-example/server.js:6
  mode: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

zustand

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #8e9c642b69edbe2f Environment-variable access.
pkgs/npm/[email protected]/middleware.js:66
    extensionConnector = (enabled != null ? enabled : process.env.NODE_ENV !== "production") && window.__REDUX_DEVTOOLS_EXTENSION__;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6a8632e947806c9 Environment-variable access.
pkgs/npm/[email protected]/middleware.js:128
      if (process.env.NODE_ENV !== "production" && args[0].type === "__setState" && !didWarnAboutReservedActionType) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @ai-sdk/amazon-bedrock prod — dist-only: no readable source
  • @ai-sdk/anthropic prod — dist-only: no readable source
  • @ai-sdk/cohere prod — dist-only: no readable source
  • @ai-sdk/deepseek prod — dist-only: no readable source
  • @ai-sdk/google prod — dist-only: no readable source
  • @ai-sdk/mistral prod — dist-only: no readable source
  • @ai-sdk/openai prod — dist-only: no readable source
  • @ai-sdk/ui-utils prod — dist-only: no readable source
  • @codemirror/autocomplete prod — dist-only: no readable source
  • @codemirror/commands prod — dist-only: no readable source
  • @codemirror/lang-cpp prod — dist-only: no readable source
  • @codemirror/lang-css prod — dist-only: no readable source
  • @codemirror/lang-html prod — dist-only: no readable source
  • @codemirror/lang-javascript prod — dist-only: no readable source
  • @codemirror/lang-json prod — dist-only: no readable source
  • @codemirror/lang-markdown prod — dist-only: no readable source
  • @codemirror/lang-python prod — dist-only: no readable source
  • @codemirror/lang-vue prod — dist-only: no readable source
  • @codemirror/lang-sass prod — dist-only: no readable source
  • @codemirror/language prod — dist-only: no readable source
  • @codemirror/search prod — dist-only: no readable source
  • @codemirror/lang-wast prod — dist-only: no readable source
  • @codemirror/view prod — dist-only: no readable source
  • @codemirror/state prod — dist-only: no readable source
  • @headlessui/react prod — dist-only: no readable source
  • @lezer/highlight prod — dist-only: no readable source
  • @modelcontextprotocol/sdk prod — dist-only: no readable source
  • @openrouter/ai-sdk-provider prod — dist-only: no readable source
  • @radix-ui/react-checkbox prod — dist-only: no readable source
  • @radix-ui/react-collapsible prod — dist-only: no readable source
  • @phosphor-icons/react prod — dist-only: no readable source
  • @radix-ui/react-context-menu prod — dist-only: no readable source
  • @radix-ui/react-dialog prod — dist-only: no readable source
  • @radix-ui/react-dropdown-menu prod — dist-only: no readable source
  • @radix-ui/react-label prod — dist-only: no readable source
  • @radix-ui/react-popover prod — dist-only: no readable source
  • @radix-ui/react-progress prod — dist-only: no readable source
  • @radix-ui/react-scroll-area prod — dist-only: no readable source
  • @radix-ui/react-switch prod — dist-only: no readable source
  • @radix-ui/react-separator prod — dist-only: no readable source
  • @radix-ui/react-tabs prod — dist-only: no readable source
  • @radix-ui/react-tooltip prod — dist-only: no readable source
  • @remix-run/cloudflare-pages prod — dist-only: no readable source
  • @remix-run/cloudflare prod — dist-only: no readable source
  • @remix-run/react prod — dist-only: no readable source
  • @unocss/reset prod — no javascript source
  • ai prod — dist-only: no readable source
  • class-variance-authority prod — dist-only: no readable source
  • framer-motion prod — dist-only: no readable source
  • jose prod — dist-only: no readable source
  • ollama-ai-provider prod — dist-only: no readable source
  • react-chartjs-2 prod — dist-only: no readable source
  • react-hotkeys-hook prod — dist-only: no readable source
  • react-resizable-panels prod — dist-only: no readable source
  • react-window prod — dist-only: no readable source
  • shiki prod — dist-only: no readable source
  • use-debounce prod — dist-only: no readable source