Close Open Privacy Scan

bolt Snapshot: commit 4098115
science engine v3
schedule 2026-07-08T01:10:22.124502+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

37 /100
High privacy risk — application leak confirmed

High risk · 88 finding(s)

Dependency score: 97 (Low risk)

bar_chart Score Breakdown

pii_flow −60
env_fs −3

list Scan Summary

2 high 0 medium 86 low
First-party packages: 5
Dependency packages: 2
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: ${process.env.FIREBASE_STORAGE_EMULATOR_HOST}`;firebaseremoteconfig.googleapis.com

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/pkgs/core/scripts/release/buildChangelog.ts:8 repo/pkgs/core/scripts/release/buildChangelog.ts:55
high first-party (npm): pkgs/core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/pkgs/core/scripts/release/buildChangelog.ts:8 repo/pkgs/core/scripts/release/buildChangelog.ts:55

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #88128701063cfefe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/pkgs/core/scripts/release/buildChangelog.ts:55 · flow /tmp/closeopen-2vizfyqw/repo/pkgs/core/scripts/release/buildChangelog.ts:8 → /tmp/closeopen-2vizfyqw/repo/pkgs/core/scripts/release/buildChangelog.ts:55
        gh
          .request("GET /repos/{owner}/{repo}/commits/{ref}", {
            owner: "date-fns",
            repo: "date-fns",
            ref: c.hash,
          })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 27 low-confidence finding(s)
low env_fs production #c8f564b5648bc390 Filesystem access.
repo/pkgs/core/examples/cdn/dom.js:1
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07888387170498c3 Filesystem access.
repo/pkgs/core/examples/cdn/dom.js:8
    return readFile(resolve(process.cwd(), "." + pathname));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f06333c2e4c8d286 Environment-variable access.
repo/pkgs/core/examples/cdn/dom.js:32
    pkg = process.env.DATE_FNS_CDN_TEST_PKG || "@date-fns/cdn",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #209703d968f78c56 Filesystem access.
repo/pkgs/core/scripts/_lib/listFPFns.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6398c2f1942daa82 Filesystem access.
repo/pkgs/core/scripts/_lib/listFns.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5738554c476eead0 Filesystem access.
repo/pkgs/core/scripts/_lib/listLocales.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf21bd61287e59b7 Environment-variable access.
repo/pkgs/core/scripts/release/buildChangelog.ts:8
const gh = new Octokit({ auth: process.env.OCTOKIT_TOKEN });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5651d996fdcb78d Environment-variable access.
repo/pkgs/core/src/add/test.ts:75
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55ac05016d88852e Environment-variable access.
repo/pkgs/core/src/addBusinessDays/test.ts:136
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ac21172ba558fd3 Environment-variable access.
repo/pkgs/core/src/addDays/test.ts:75
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e8277ab79579758 Environment-variable access.
repo/pkgs/core/src/addMonths/test.ts:55
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92240b9b0d8a21f7 Environment-variable access.
repo/pkgs/core/src/differenceInCalendarDays/test.ts:113
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0c57b8ff9886a28 Environment-variable access.
repo/pkgs/core/src/differenceInDays/test.ts:68
      Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d61495b2c13a055c Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61ae71d40d91f12c Environment-variable access.
repo/pkgs/docs/scripts/buildMds.ts:12
const dateFnsDir = process.env.DATE_FNS_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0734a507e2b5779c Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:15
const packageJsonStr = await readFile(
  path.resolve(dateFnsDir, "package.json"),
  "utf-8",
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce3377d642285f3e Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:49
const docsJsonStr = await readFile("tmp/docs.json", "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8122cc0df91db632 Filesystem access.
repo/pkgs/docs/src/bin.ts:4
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d567e77bafe5974 Filesystem access.
repo/pkgs/docs/src/bin.ts:137
  const packageStr = await readFile(packagePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80017364da75382f Filesystem access.
repo/pkgs/docs/src/bin.ts:202
      const markdown = await readFile(
        path.resolve(configDir, file.path),
        "utf8",
      );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87b6a213a3de41a1 Filesystem access.
repo/pkgs/docs/src/json.ts:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5444fde0a91a20a0 Filesystem access.
repo/pkgs/docs/src/json.ts:162
  const docsJSON = await readFile(jsonPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9f3647073f2e12d Filesystem access.
repo/pkgs/tz/copy.mjs:2
import { copyFile, mkdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28926f3f8098a87c Environment-variable access.
repo/pkgs/tz/playground.mjs:3
    process.env.TZ ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8571652a626363a Filesystem access.
repo/pkgs/tz/size.mjs:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c38116340093a81 Filesystem access.
repo/pkgs/tz/size.mjs:38
  const code = await readFile(srcPath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4124f723be26c321 Filesystem access.
repo/pkgs/utc/copy.mjs:2
import { copyFile, mkdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): pkgs/core

npm first-party
high pii_flow production #88128701063cfefe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/pkgs/core/scripts/release/buildChangelog.ts:55 · flow /tmp/closeopen-2vizfyqw/repo/pkgs/core/scripts/release/buildChangelog.ts:8 → /tmp/closeopen-2vizfyqw/repo/pkgs/core/scripts/release/buildChangelog.ts:55
        gh
          .request("GET /repos/{owner}/{repo}/commits/{ref}", {
            owner: "date-fns",
            repo: "date-fns",
            ref: c.hash,
          })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 13 low-confidence finding(s)
low env_fs production #c8f564b5648bc390 Filesystem access.
repo/pkgs/core/examples/cdn/dom.js:1
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07888387170498c3 Filesystem access.
repo/pkgs/core/examples/cdn/dom.js:8
    return readFile(resolve(process.cwd(), "." + pathname));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f06333c2e4c8d286 Environment-variable access.
repo/pkgs/core/examples/cdn/dom.js:32
    pkg = process.env.DATE_FNS_CDN_TEST_PKG || "@date-fns/cdn",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #209703d968f78c56 Filesystem access.
repo/pkgs/core/scripts/_lib/listFPFns.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6398c2f1942daa82 Filesystem access.
repo/pkgs/core/scripts/_lib/listFns.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5738554c476eead0 Filesystem access.
repo/pkgs/core/scripts/_lib/listLocales.ts:1
import { readdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf21bd61287e59b7 Environment-variable access.
repo/pkgs/core/scripts/release/buildChangelog.ts:8
const gh = new Octokit({ auth: process.env.OCTOKIT_TOKEN });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5651d996fdcb78d Environment-variable access.
repo/pkgs/core/src/add/test.ts:75
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55ac05016d88852e Environment-variable access.
repo/pkgs/core/src/addBusinessDays/test.ts:136
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ac21172ba558fd3 Environment-variable access.
repo/pkgs/core/src/addDays/test.ts:75
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e8277ab79579758 Environment-variable access.
repo/pkgs/core/src/addMonths/test.ts:55
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92240b9b0d8a21f7 Environment-variable access.
repo/pkgs/core/src/differenceInCalendarDays/test.ts:113
    Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0c57b8ff9886a28 Environment-variable access.
repo/pkgs/core/src/differenceInDays/test.ts:68
      Intl.DateTimeFormat().resolvedOptions().timeZone || process.env.tz;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): pkgs/docs

npm first-party
expand_more 9 low-confidence finding(s)
low env_fs production #d61495b2c13a055c Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61ae71d40d91f12c Environment-variable access.
repo/pkgs/docs/scripts/buildMds.ts:12
const dateFnsDir = process.env.DATE_FNS_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0734a507e2b5779c Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:15
const packageJsonStr = await readFile(
  path.resolve(dateFnsDir, "package.json"),
  "utf-8",
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce3377d642285f3e Filesystem access.
repo/pkgs/docs/scripts/buildMds.ts:49
const docsJsonStr = await readFile("tmp/docs.json", "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8122cc0df91db632 Filesystem access.
repo/pkgs/docs/src/bin.ts:4
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d567e77bafe5974 Filesystem access.
repo/pkgs/docs/src/bin.ts:137
  const packageStr = await readFile(packagePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80017364da75382f Filesystem access.
repo/pkgs/docs/src/bin.ts:202
      const markdown = await readFile(
        path.resolve(configDir, file.path),
        "utf8",
      );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87b6a213a3de41a1 Filesystem access.
repo/pkgs/docs/src/json.ts:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5444fde0a91a20a0 Filesystem access.
repo/pkgs/docs/src/json.ts:162
  const docsJSON = await readFile(jsonPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): pkgs/tz

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs production #f9f3647073f2e12d Filesystem access.
repo/pkgs/tz/copy.mjs:2
import { copyFile, mkdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28926f3f8098a87c Environment-variable access.
repo/pkgs/tz/playground.mjs:3
    process.env.TZ ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8571652a626363a Filesystem access.
repo/pkgs/tz/size.mjs:2
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c38116340093a81 Filesystem access.
repo/pkgs/tz/size.mjs:38
  const code = await readFile(srcPath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): pkgs/utc

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #4124f723be26c321 Filesystem access.
repo/pkgs/utc/copy.mjs:2
import { copyFile, mkdir } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@react-native/babel-preset

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #85c0112b0582afb3 Filesystem access.
pkgs/npm/@[email protected]/src/index.js:35
  const {readFileSync} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff53de9f7bfa0eaa Filesystem access.
pkgs/npm/@[email protected]/src/index.js:38
    readFileSync(__filename),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ce01096fde6031c Filesystem access.
pkgs/npm/@[email protected]/src/index.js:39
    readFileSync(require.resolve('./configs/main.js')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f092633d9a5780d Filesystem access.
pkgs/npm/@[email protected]/src/index.js:40
    readFileSync(require.resolve('./configs/hmr.js')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35808126babf45ad Filesystem access.
pkgs/npm/@[email protected]/src/index.js:41
    readFileSync(require.resolve('./configs/lazy-imports.js')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47753906a874b10d Filesystem access.
pkgs/npm/@[email protected]/src/index.js:42
    readFileSync(require.resolve('./passthrough-syntax-plugins.js')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5cfe9cf8e8dbaff Filesystem access.
pkgs/npm/@[email protected]/src/index.js:43
    readFileSync(require.resolve('./plugin-warn-on-deep-imports.js')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

firebase-admin

npm dependency
expand_more 25 low-confidence finding(s)
low env_fs dependency Excluded from app score #429fd18945ea97f4 Filesystem access.
pkgs/npm/[email protected]/lib/app/credential-internal.js:23
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bc4bf7b4a5d2c81 Filesystem access.
pkgs/npm/[email protected]/lib/app/credential-internal.js:153
            return new ServiceAccount(JSON.parse(fs.readFileSync(filePath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d276b394176329f6 Filesystem access.
pkgs/npm/[email protected]/lib/app/credential-internal.js:250
            RefreshToken.validateFromJSON(JSON.parse(fs.readFileSync(filePath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af865d095ae394a1 Filesystem access.
pkgs/npm/[email protected]/lib/app/credential-internal.js:338
            ImpersonatedServiceAccount.validateFromJSON(JSON.parse(fs.readFileSync(filePath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27322f5eaa5874dd Filesystem access.
pkgs/npm/[email protected]/lib/app/lifecycle.js:25
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af6e8f80c9e1d973 Environment-variable access.
pkgs/npm/[email protected]/lib/app/lifecycle.js:286
    const config = process.env[exports.FIREBASE_CONFIG_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3df4bd2011a681b0 Filesystem access.
pkgs/npm/[email protected]/lib/app/lifecycle.js:291
        const contents = config.startsWith('{') ? config : fs.readFileSync(config, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24cc7d963525848f Environment-variable access.
pkgs/npm/[email protected]/lib/auth/auth-api-request.js:2051
    return process.env.FIREBASE_AUTH_EMULATOR_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aca9e9aed6908167 Environment-variable access.
pkgs/npm/[email protected]/lib/data-connect/data-connect-api-client-internal.js:543
    return process.env.DATA_CONNECT_EMULATOR_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8d6bebbdb7a0e74 Environment-variable access.
pkgs/npm/[email protected]/lib/database/database.js:141
        const emulatorHost = process.env.FIREBASE_DATABASE_EMULATOR_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cc1b233d2664f51 Environment-variable access.
pkgs/npm/[email protected]/lib/eventarc/eventarc-client-internal.js:151
        return process.env.CLOUD_EVENTARC_EMULATOR_HOST ?? EVENTARC_API;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63a7cca0cb70dc66 Environment-variable access.
pkgs/npm/[email protected]/lib/eventarc/eventarc-utils.js:28
    const source = ce.source ?? process.env.EVENTARC_CLOUD_EVENT_SOURCE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fa21dc829353b7d Environment-variable access.
pkgs/npm/[email protected]/lib/extensions/extensions-api-client-internal.js:66
        return process.env['FIREBASE_EXT_URL'] ?? EXTENSIONS_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de1a2570468608dd Environment-variable access.
pkgs/npm/[email protected]/lib/extensions/extensions.js:61
        if (!validator.isNonEmptyString(process.env['EXT_INSTANCE_ID'])) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92de36d029ab091b Environment-variable access.
pkgs/npm/[email protected]/lib/extensions/extensions.js:67
        this.extensionInstanceId = process.env['EXT_INSTANCE_ID'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73e1348f2c817269 Environment-variable access.
pkgs/npm/[email protected]/lib/extensions/extensions.js:125
        const projectId = process.env['PROJECT_ID'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #536141eff83d6879 Environment-variable access.
pkgs/npm/[email protected]/lib/functions/functions-api-client-internal.js:50
        const emulatorHost = process.env.CLOUD_TASKS_EMULATOR_HOST?.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b5c584bf4f673cf Environment-variable access.
pkgs/npm/[email protected]/lib/remote-config/remote-config-api-client-internal.js:31
const FIREBASE_REMOTE_CONFIG_URL_BASE = process.env.FIREBASE_REMOTE_CONFIG_URL_BASE || 'https://firebaseremoteconfig.googleapis.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b831d4f723fa43c8 Environment-variable access.
pkgs/npm/[email protected]/lib/storage/index.js:66
    const endpoint = (process.env.STORAGE_EMULATOR_HOST ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c848ff7d0014674a Environment-variable access.
pkgs/npm/[email protected]/lib/storage/storage.js:43
        if (!process.env.STORAGE_EMULATOR_HOST && process.env.FIREBASE_STORAGE_EMULATOR_HOST) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3d18c8042d68ea9 Environment-variable access.
pkgs/npm/[email protected]/lib/storage/storage.js:44
            const firebaseStorageEmulatorHost = process.env.FIREBASE_STORAGE_EMULATOR_HOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c05fc2d8ff8d0481 Environment-variable access.
pkgs/npm/[email protected]/lib/storage/storage.js:51
            process.env.STORAGE_EMULATOR_HOST = `http://${process.env.FIREBASE_STORAGE_EMULATOR_HOST}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #100bc3c5ff75bfa3 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/api-request.js:849
            quotaProjectId = process.env.GOOGLE_CLOUD_QUOTA_PROJECT || quotaProjectId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #914a48a97603c0c6 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/api-request.js:883
            quotaProjectId = process.env.GOOGLE_CLOUD_QUOTA_PROJECT || quotaProjectId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95f18f362779de4 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/index.js:99
    const projectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.