Close Open Privacy Scan
App Privacy Score
High risk · 305 finding(s)
Dependency score: 77 (Medium risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Confirmed data exfiltration in application code
External domains:
api.anthropic.comapi.cerebras.aiapi.deepseek.comapi.fireworks.aiapi.github.comapi.groq.comapi.moonshot.aiapi.netlify.comapi.openai.comapi.supabase.comapi.vercel.comgitlab.commodels.github.aiopenrouter.airaw.githubusercontent.com
repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:51 → repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:72 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:111 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:137 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:159 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:197 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:211 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:246 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:275 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:288 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:323 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:337 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:379 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:412 → repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:81 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:107 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:129 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:163 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:177 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:208 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:233 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:246 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:277 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:291 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:331 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:364 → repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361repo/app/components/@settings/tabs/vercel/VercelTab.tsx:68 → repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65repo/app/components/@settings/tabs/vercel/VercelTab.tsx:150 → repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147repo/app/components/@settings/tabs/vercel/VercelTab.tsx:214 → repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:79 → repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77repo/app/components/chat/SupabaseAlert.tsx:51 → repo/app/components/chat/SupabaseAlert.tsx:47repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → repo/app/components/chat/VercelDeploymentLink.client.tsx:30repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → repo/app/components/chat/VercelDeploymentLink.client.tsx:53repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → repo/app/components/chat/VercelDeploymentLink.client.tsx:83repo/app/components/chat/VercelDeploymentLink.client.tsx:105 → repo/app/components/chat/VercelDeploymentLink.client.tsx:105repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → repo/app/components/deploy/NetlifyDeploy.client.tsx:145repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → repo/app/components/deploy/NetlifyDeploy.client.tsx:177repo/app/components/deploy/VercelDeploy.client.tsx:191 → repo/app/components/deploy/VercelDeploy.client.tsx:182repo/app/lib/hooks/useGitHubConnection.ts:78 → repo/app/lib/hooks/useGitHubConnection.ts:75repo/app/lib/hooks/useGitHubConnection.ts:226 → repo/app/lib/hooks/useGitHubConnection.ts:223repo/app/lib/hooks/useGitLabConnection.ts:95 → repo/app/lib/hooks/useGitLabConnection.ts:92repo/app/lib/hooks/useGitLabConnection.ts:216 → repo/app/lib/hooks/useGitLabConnection.ts:213repo/app/lib/hooks/useSupabaseConnection.ts:68 → repo/app/lib/hooks/useSupabaseConnection.ts:70repo/app/lib/services/githubApiService.ts:54 → repo/app/lib/services/githubApiService.ts:51repo/app/lib/services/githubApiService.ts:140 → repo/app/lib/services/githubApiService.ts:137repo/app/lib/services/githubApiService.ts:168 → repo/app/lib/services/githubApiService.ts:165repo/app/lib/services/githubApiService.ts:196 → repo/app/lib/services/githubApiService.ts:193repo/app/routes/api.github-branches.ts:32 → repo/app/routes/api.github-branches.ts:71repo/app/routes/api.github-branches.ts:32 → repo/app/routes/api.github-branches.ts:95repo/app/routes/api.github-stats.ts:18 → repo/app/routes/api.github-stats.ts:26repo/app/routes/api.github-stats.ts:18 → repo/app/routes/api.github-stats.ts:50repo/app/routes/api.github-stats.ts:18 → repo/app/routes/api.github-stats.ts:79repo/app/routes/api.github-user.ts:17 → repo/app/routes/api.github-user.ts:25repo/app/routes/api.github-user.ts:107 → repo/app/routes/api.github-user.ts:116repo/app/routes/api.github-user.ts:107 → repo/app/routes/api.github-user.ts:165repo/app/routes/api.github-user.ts:107 → repo/app/routes/api.github-user.ts:211repo/app/routes/api.netlify-user.ts:15 → repo/app/routes/api.netlify-user.ts:22repo/app/routes/api.netlify-user.ts:82 → repo/app/routes/api.netlify-user.ts:90repo/app/routes/api.supabase-user.ts:15 → repo/app/routes/api.supabase-user.ts:22repo/app/routes/api.supabase-user.ts:97 → repo/app/routes/api.supabase-user.ts:105repo/app/routes/api.supabase-user.ts:97 → repo/app/routes/api.supabase-user.ts:159repo/app/routes/api.system.git-info.ts:85 → repo/app/routes/api.system.git-info.ts:119repo/app/routes/api.system.git-info.ts:85 → repo/app/routes/api.system.git-info.ts:145repo/app/routes/api.system.git-info.ts:85 → repo/app/routes/api.system.git-info.ts:160repo/app/routes/api.system.git-info.ts:85 → repo/app/routes/api.system.git-info.ts:228repo/app/routes/api.system.git-info.ts:85 → repo/app/routes/api.system.git-info.ts:274repo/app/routes/api.vercel-user.ts:15 → repo/app/routes/api.vercel-user.ts:31repo/app/routes/api.vercel-user.ts:93 → repo/app/routes/api.vercel-user.ts:110</> First-Party Code
first-party (npm)
npm first-party const response = await fetch('/api/gitlab-projects', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
token: connection.token,
gitlabUrl: connection.gitlabUrl || 'https://gitlab.com',
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
clear_cache: true,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
method: 'DELETE',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(endpoint, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
clear_cache: true,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
method: 'DELETE',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(endpoint, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.vercel.com/v1/deployments`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: projectId,
target: 'production',
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.vercel.com/v1/projects/${projectId}`, {
method: 'DELETE',
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const testResponse = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${token}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('/api/supabase/query', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Bearer ${connection.token}`,
},
body: JSON.stringify({
projectId: connection.selectedProjectId,
query: sql,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
cache: 'no-store',
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const projectDetailsResponse = await fetch(`https://api.vercel.com/v9/projects/${project.id}`, {
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
cache: 'no-store',
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const deploymentsResponse = await fetch(
`https://api.vercel.com/v6/deployments?projectId=${project.id}&limit=1`,
{
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
cache: 'no-store',
},
);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const fallbackResponse = await fetch(`/api/vercel-deploy?projectId=${projectId}&token=${connection.token}`, {
method: 'GET',
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('/api/netlify-deploy', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
siteId: existingSiteId || undefined,
files: fileContents,
token: netlifyConn.token,
chatId: currentChatId,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const statusResponse = await fetch(
`https://api.netlify.com/api/v1/sites/${data.site.id}/deploys/${data.deploy.id}`,
{
headers: {
Authorization: `Bearer ${netlifyConn.token}`,
},
},
);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('/api/vercel-deploy', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
projectId: existingProjectId || undefined,
files: fileContents,
sourceFiles: allProjectFiles,
token: vercelConn.token,
chatId: currentChatId,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
'User-Agent': 'Bolt.diy',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
'User-Agent': 'Bolt.diy',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${baseUrl}/api/v4/user`, {
headers: {
'Content-Type': 'application/json',
'PRIVATE-TOKEN': connection.token,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${baseUrl}/api/v4/user`, {
headers: {
'Content-Type': 'application/json',
'PRIVATE-TOKEN': connection.token,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('/api/supabase', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
token: cleanToken,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${this._baseURL}${endpoint}`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
'User-Agent': 'Bolt.diy',
...options.headers,
},
...options,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/contributors?per_page=1`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
'User-Agent': 'Bolt.diy',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/issues?state=all&per_page=1`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
'User-Agent': 'Bolt.diy',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/pulls?state=all&per_page=1`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
'User-Agent': 'Bolt.diy',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const repoResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const branchesResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}/branches?per_page=100`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const userResponse = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const repoResponse = await fetch(
`https://api.github.com/user/repos?sort=updated&per_page=100&page=${page}&affiliation=owner,organization_member`,
{
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
},
);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const branchesResponse = await fetch(`https://api.github.com/repos/${repo.full_name}/branches?per_page=1`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.github.com/repos/${repoFullName}/branches`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(
`https://api.github.com/search/repositories?q=${encodeURIComponent(searchQuery)}&per_page=${perPage}&sort=updated`,
{
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
},
);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${netlifyToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.netlify.com/api/v1/sites', {
headers: {
Authorization: `Bearer ${netlifyToken}`,
'Content-Type': 'application/json',
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.supabase.com/v1/projects', {
headers: {
Authorization: `Bearer ${supabaseToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.supabase.com/v1/projects', {
headers: {
Authorization: `Bearer ${supabaseToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.supabase.com/v1/projects/${projectId}/api-keys`, {
headers: {
Authorization: `Bearer ${supabaseToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const gistsResponse = await fetch('https://api.github.com/gists', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.github.com/user/orgs', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`https://api.github.com/users/${username}/events?per_page=30`, {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${vercelToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch('https://api.vercel.com/v13/projects', {
headers: {
Authorization: `Bearer ${vercelToken}`,
'User-Agent': 'bolt.diy-app',
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 110 low-confidence finding(s)
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${connection.token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${tokenInput}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
headers: {
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${tokenInput}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
headers: {
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
{process.env.NODE_ENV === 'development' && this.state.error && (
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(`https://api.vercel.com/v1/deployments`, {
method: 'POST',
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: projectId,
target: 'production',
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const testResponse = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${token}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
headers: {
Authorization: `Bearer ${connection.token}`,
'Content-Type': 'application/json',
},
cache: 'no-store',
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const content = await container.fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await container.fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await container.fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await container.fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await container.fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const latestPackageResponse = await fetch(
'https://raw.githubusercontent.com/stackblitz-labs/bolt.diy/main/package.json',
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await webcontainer.fs.readFile(relativePath, encoding);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const result = await webcontainer.fs.writeFile(relativePath, data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const result = await webcontainer.fs.writeFile(relativePath, data, encoding);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
'User-Agent': 'Bolt.diy',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${tokenType === 'classic' ? 'token' : 'Bearer'} ${token}`,
'User-Agent': 'Bolt.diy',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
'User-Agent': 'Bolt.diy',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(`https://api.anthropic.com/v1/models`, {
headers: {
'x-api-key': `${apiKey}`,
'anthropic-version': '2023-06-01',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.cerebras.ai/v1/models', {
headers: {
Authorization: `Bearer ${apiKey}`,
},
signal: this.createTimeoutSignal(5000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.deepseek.com/models', {
headers: {
Authorization: `Bearer ${apiKey}`,
},
signal: this.createTimeoutSignal(5000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.fireworks.ai/v1/accounts/fireworks/models?page_size=100', {
headers: {
Authorization: `Bearer ${apiKey}`,
},
signal: this.createTimeoutSignal(5000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://models.github.ai/v1/models', {
headers: {
Authorization: `Bearer ${apiKey}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(`https://api.groq.com/openai/v1/models`, {
headers: {
Authorization: `Bearer ${apiKey}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.moonshot.ai/v1/models', {
headers: {
Authorization: `Bearer ${apiKey}`,
},
signal: this.createTimeoutSignal(5000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://openrouter.ai/api/v1/models', {
headers: {
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(`https://api.openai.com/v1/models`, {
headers: {
Authorization: `Bearer ${apiKey}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await container.fs.writeFile(key, value.content, { encoding: value.isBinary ? undefined : 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.writeFile(relativePath, action.content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await webcontainer.fs.readFile(historyPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.readFile(sourceFile);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.NODE_ENV === 'production'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const errorMessage = sanitizeErrorMessage(error, process.env.NODE_ENV === 'development');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
appVersion: process.env.NEXT_PUBLIC_VERSION || 'unknown',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.writeFile(relativePath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.writeFile(relativePath, Buffer.from(content));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await webcontainer.fs.writeFile(relativePath, contentToWrite);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${envToken}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${envToken}`,
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
(context?.cloudflare?.env as any)?.GITHUB_BUG_REPORT_TOKEN || process.env.GITHUB_BUG_REPORT_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(context?.cloudflare?.env as any)?.BUG_REPORT_REPO || process.env.BUG_REPORT_REPO || 'stackblitz-labs/bolt.diy';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVarName] ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const processEnv = process.env[baseUrlEnvVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[apiTokenEnvVar] ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVarName] ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_TOKEN ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.VITE_GITHUB_ACCESS_TOKEN ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_TOKEN ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.VITE_GITHUB_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userResponse = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const isProduction = process.env.NODE_ENV === 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
context?.cloudflare?.env?.GITHUB_TOKEN || process.env.GITHUB_TOKEN || process.env.VITE_GITHUB_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_TOKEN ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.VITE_GITHUB_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.GITHUB_TOKEN ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.VITE_GITHUB_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${githubToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: siteName,
custom_domain: null,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: siteName,
custom_domain: null,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_NETLIFY_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.netlify.com/api/v1/user', {
headers: {
Authorization: `Bearer ${netlifyToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_NETLIFY_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.netlify.com/api/v1/sites', {
headers: {
Authorization: `Bearer ${netlifyToken}`,
'Content-Type': 'application/json',
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_SUPABASE_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.supabase.com/v1/projects', {
headers: {
Authorization: `Bearer ${supabaseToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_SUPABASE_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.supabase.com/v1/projects', {
headers: {
Authorization: `Bearer ${supabaseToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const projectsResponse = await fetch('https://api.supabase.com/v1/projects', {
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
hasGithubToken: Boolean(process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
hasNetlifyToken: Boolean(process.env.NETLIFY_TOKEN || context.env?.NETLIFY_TOKEN),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nodeEnv: process.env.NODE_ENV,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const githubResponse = await fetch('https://api.github.com/zen', {
method: 'GET',
headers: {
Accept: 'application/vnd.github.v3+json',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const netlifyResponse = await fetch('https://api.netlify.com/api/v1/', {
method: 'GET',
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const isDevelopment = process.env.NODE_ENV === 'development';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const serverGithubToken = process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.github.com/user', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const gistsResponse = await fetch('https://api.github.com/gists', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch('https://api.github.com/user/orgs', {
headers: {
Accept: 'application/vnd.github.v3+json',
Authorization: `Bearer ${token}`,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: projectName,
framework: detectedFramework || null,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: projectName,
framework: detectedFramework || null,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const deployResponse = await fetch(`https://api.vercel.com/v13/deployments`, {
method: 'POST',
headers: {
Authorization: `Bearer ${token}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(deploymentConfig),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_VERCEL_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.vercel.com/v2/user', {
headers: {
Authorization: `Bearer ${vercelToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.VITE_VERCEL_ACCESS_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch('https://api.vercel.com/v13/projects', {
headers: {
Authorization: `Bearer ${vercelToken}`,
'User-Agent': 'bolt.diy-app',
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
teamId: process.env.APPLE_TEAM_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
forbidOnly: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workers: process.env.CI ? 1 : undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
baseURL: process.env.PREVIEW_URL || 'http://localhost:5173',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webServer: process.env.CI ? undefined : {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reuseExistingServer: !process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version: JSON.stringify(process.env.npm_package_version),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'development';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
console.log('🔧 Environment:', process.env.NODE_ENV);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
acc[collectionName][iconName] = async () => fs.readFile(iconPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
__APP_VERSION: JSON.stringify(process.env.npm_package_version),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
'process.env.NODE_ENV': JSON.stringify(process.env.NODE_ENV),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"process.env.NODE_ENV": JSON.stringify(process.env.NODE_ENV)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
rollup-plugin-node-polyfills
npm dependency options.track(input.path(), start, input.length, 'tagged');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
options.track(input.path(), input.offset, input.length, 'content');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 8 low-confidence finding(s)
if (!process.browser && process.env.READABLE_STREAM === 'disable') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.browser && process.env.READABLE_STREAM === 'disable') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.browser && process.env.READABLE_STREAM === 'disable') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.browser && process.env.READABLE_STREAM === 'disable') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (typeof opts === 'function') return fs.writeFile(key, data, null, opts);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(key, data, opts, cb);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (typeof opts === 'function') return fs.readFile(key, null, opts);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
debugEnviron = process.env.NODE_DEBUG || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
dotenv
npm dependencyexpand_more 18 low-confidence finding(s)
if (process.env.DOTENV_CONFIG_ENCODING != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.encoding = process.env.DOTENV_CONFIG_ENCODING
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_CONFIG_PATH != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.path = process.env.DOTENV_CONFIG_PATH
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_CONFIG_QUIET != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.quiet = process.env.DOTENV_CONFIG_QUIET
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_CONFIG_DEBUG != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.debug = process.env.DOTENV_CONFIG_DEBUG
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.override = process.env.DOTENV_CONFIG_OVERRIDE
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.DOTENV_KEY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
electron-log
npm dependencyexpand_more 18 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(preloadPath, preloadCode, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.APPDATA || path.join(home, 'AppData/Roaming');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.XDG_CONFIG_HOME || path.join(home, '.config');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return os.homedir?.() || process.env.HOME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.NODE_ENV === 'development'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
|| process.env.ELECTRON_IS_DEV === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(fileName, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
useStyles: process.env.FORCE_STYLES,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(this.path, '', {
mode: this.writeOptions.mode,
flag: 'w',
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(this.path, text, this.writeOptions, (e) => {
file.hasActiveAsyncWriting = false;
if (e) {
file.emit(
'error',
new Error(`Couldn't write to ${file.path}. ${e.message}`),
this,
);
} else {
file.increaseBytesWrittenCounter(text);
}
file.nextAsyncWrite();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(this.path, text, this.writeOptions);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, '', { flag: 'a', mode: writeOptions.mode });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
lines: fs.readFileSync(logPath, 'utf8').split(os.EOL),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
electron-updater
npm dependencyexpand_more 15 low-confidence finding(s)
result = process.env["LOCALAPPDATA"] || path.join(homedir, "AppData", "Local");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
result = process.env["XDG_CACHE_HOME"] || path.join(homedir, ".cache");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs_1 = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env["APPIMAGE"] == null && !this.forceDevUpdateConfig) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env["SNAP"] == null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const oldFile = process.env["APPIMAGE"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const appImageFile = process.env["APPIMAGE"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs_1 = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pmOverride = (_a = process.env.ELECTRON_BUILDER_LINUX_PACKAGE_MANAGER) === null || _a === void 0 ? void 0 : _a.trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs_1 = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs_1 = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs_1 = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isValidateOperationRange = process.env["DIFFERENTIAL_DOWNLOAD_PLAN_BUILDER_VALIDATE_RANGES"] === "true";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = (githubOptions.private ? process.env["GH_TOKEN"] || process.env["GITHUB_TOKEN"] : null) || githubOptions.token;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const arch = process.env["TEST_UPDATER_ARCH"] || process.arch;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
isomorphic-git
npm dependencyexpand_more 5 low-confidence finding(s)
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return targetFs.readFile().catch(e => e)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return targetFs.readFile().catch(e => e)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return targetFs.readFile().catch(e => e)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return targetFs.readFile().catch(e => e)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mime
npm dependencyexpand_more 1 low-confidence finding(s)
const json = await fs.readFile(
path.join(__dirname, '../../package.json'),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nanostores
npm dependencyexpand_more 7 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react
npm dependencyexpand_more 14 low-confidence finding(s)
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-beautiful-dnd
npm dependencyexpand_more 12 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isProduction: boolean = process.env.NODE_ENV === 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isProduction: boolean = process.env.NODE_ENV === 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV !== 'production' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
react-dom
npm dependencyexpand_more 24 low-confidence finding(s)
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"production" !== process.env.NODE_ENV &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
remix-island
npm dependencyexpand_more 1 low-confidence finding(s)
mode: process.env.NODE_ENV,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
zustand
npm dependencyexpand_more 2 low-confidence finding(s)
extensionConnector = (enabled != null ? enabled : process.env.NODE_ENV !== "production") && window.__REDUX_DEVTOOLS_EXTENSION__;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== "production" && args[0].type === "__setState" && !didWarnAboutReservedActionType) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- @ai-sdk/amazon-bedrock prod — dist-only: no readable source
- @ai-sdk/anthropic prod — dist-only: no readable source
- @ai-sdk/cohere prod — dist-only: no readable source
- @ai-sdk/deepseek prod — dist-only: no readable source
- @ai-sdk/google prod — dist-only: no readable source
- @ai-sdk/mistral prod — dist-only: no readable source
- @ai-sdk/openai prod — dist-only: no readable source
- @ai-sdk/ui-utils prod — dist-only: no readable source
- @codemirror/autocomplete prod — dist-only: no readable source
- @codemirror/commands prod — dist-only: no readable source
- @codemirror/lang-cpp prod — dist-only: no readable source
- @codemirror/lang-css prod — dist-only: no readable source
- @codemirror/lang-html prod — dist-only: no readable source
- @codemirror/lang-javascript prod — dist-only: no readable source
- @codemirror/lang-json prod — dist-only: no readable source
- @codemirror/lang-markdown prod — dist-only: no readable source
- @codemirror/lang-python prod — dist-only: no readable source
- @codemirror/lang-vue prod — dist-only: no readable source
- @codemirror/lang-sass prod — dist-only: no readable source
- @codemirror/language prod — dist-only: no readable source
- @codemirror/search prod — dist-only: no readable source
- @codemirror/lang-wast prod — dist-only: no readable source
- @codemirror/view prod — dist-only: no readable source
- @codemirror/state prod — dist-only: no readable source
- @headlessui/react prod — dist-only: no readable source
- @lezer/highlight prod — dist-only: no readable source
- @modelcontextprotocol/sdk prod — dist-only: no readable source
- @openrouter/ai-sdk-provider prod — dist-only: no readable source
- @radix-ui/react-checkbox prod — dist-only: no readable source
- @radix-ui/react-collapsible prod — dist-only: no readable source
- @phosphor-icons/react prod — dist-only: no readable source
- @radix-ui/react-context-menu prod — dist-only: no readable source
- @radix-ui/react-dialog prod — dist-only: no readable source
- @radix-ui/react-dropdown-menu prod — dist-only: no readable source
- @radix-ui/react-label prod — dist-only: no readable source
- @radix-ui/react-popover prod — dist-only: no readable source
- @radix-ui/react-progress prod — dist-only: no readable source
- @radix-ui/react-scroll-area prod — dist-only: no readable source
- @radix-ui/react-switch prod — dist-only: no readable source
- @radix-ui/react-separator prod — dist-only: no readable source
- @radix-ui/react-tabs prod — dist-only: no readable source
- @radix-ui/react-tooltip prod — dist-only: no readable source
- @remix-run/cloudflare-pages prod — dist-only: no readable source
- @remix-run/cloudflare prod — dist-only: no readable source
- @remix-run/react prod — dist-only: no readable source
- @unocss/reset prod — no javascript source
- ai prod — dist-only: no readable source
- class-variance-authority prod — dist-only: no readable source
- framer-motion prod — dist-only: no readable source
- jose prod — dist-only: no readable source
- ollama-ai-provider prod — dist-only: no readable source
- react-chartjs-2 prod — dist-only: no readable source
- react-hotkeys-hook prod — dist-only: no readable source
- react-resizable-panels prod — dist-only: no readable source
- react-window prod — dist-only: no readable source
- shiki prod — dist-only: no readable source
- use-debounce prod — dist-only: no readable source