Close Open Privacy Scan
App Privacy Score
High risk · 5928 finding(s)
Dependency score: 97 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Confirmed data exfiltration in application code
External domains:
${host}:${hostPort}allowed.exampleapi.${region}.cisco.comapi.airtop.aiapi.example.comapi.github.comapi.openai.comapi.telegram.orgattacker.example.comenterprise.n8n.ioenv-proxy:3128env.example.comexample.comfrom-envfrom-env.example.comgithub.comhttp-proxy-lowercase.example.com:8080http-proxy.example.com:8080http-proxy:9090https-proxy-lowercase.example.com:8080https-proxy.example.com:8080https-proxy:8080issuer.example.commy-mcp-endpoint.ain8n.example.comn8n.iooauth2.googleapis.comold.example.comprovider.comproxy:8080proxy:9090slack.comsts.${region}.${getAwsDomain(regionvisibility.${region}.cisco.com
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45repo/.github/scripts/cla/check-signatures.mjs:90 → repo/.github/scripts/cla/check-signatures.mjs:92repo/.github/scripts/claude-task/resume-callback.mjs:18 → repo/.github/scripts/claude-task/resume-callback.mjs:45repo/.github/scripts/post-qa-metrics-comment.mjs:42 → repo/.github/scripts/post-qa-metrics-comment.mjs:65repo/.github/scripts/post-qa-metrics-comment.mjs:48 → repo/.github/scripts/post-qa-metrics-comment.mjs:117repo/.github/scripts/post-qa-metrics-comment.mjs:42 → repo/.github/scripts/post-qa-metrics-comment.mjs:127repo/.github/scripts/post-qa-metrics-comment.mjs:42 → repo/.github/scripts/post-qa-metrics-comment.mjs:133repo/.github/scripts/send-metrics.mjs:65 → repo/.github/scripts/send-metrics.mjs:87repo/packages/@n8n/cli/src/client.ts:48 → repo/packages/@n8n/cli/src/client.ts:89repo/packages/@n8n/computer-use/src/gateway-client.ts:308 → repo/packages/@n8n/computer-use/src/gateway-client.ts:302repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 → repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:73 → repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:72repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:92 → repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:89repo/packages/cli/src/license/license.service.ts:78 → repo/packages/cli/src/license/license.service.ts:71repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 → repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 → repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 → repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 → repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 → repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401repo/packages/cli/src/oauth/oauth.service.ts:1067 → repo/packages/cli/src/oauth/oauth.service.ts:1096repo/packages/core/src/binary-data/azure-blob.manager.ts:64 → repo/packages/core/src/binary-data/azure-blob.manager.ts:66repo/packages/core/src/binary-data/object-store.manager.ts:78 → repo/packages/core/src/binary-data/object-store.manager.ts:80repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 → repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 → repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 → repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 → repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 → repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 → repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 → repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 → repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 → repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 → repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 → repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 → repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 → repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 → repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 → repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 → repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 → repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 → repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 → repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 → repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 → repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 → repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 → repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 → repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 → repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 → repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 → repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 → repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 → repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 → repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 → repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 → repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 → repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 → repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 → repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 → repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 → repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 → repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 → repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 → repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 → repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 → repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 → repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 → repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 → repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 → repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 → repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53repo/packages/testing/containers/services/keycloak.ts:509 → repo/packages/testing/containers/services/keycloak.ts:520repo/packages/testing/containers/services/ngrok.ts:48 → repo/packages/testing/containers/services/ngrok.ts:85repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 → repo/packages/testing/playwright/reporters/metrics-reporter.ts:75repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 → repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 → repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 → repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56repo/packages/testing/playwright/services/api-helper.ts:662 → repo/packages/testing/playwright/services/api-helper.ts:660repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:225 → repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:223repo/packages/testing/playwright/services/public-api-helper.ts:164 → repo/packages/testing/playwright/services/public-api-helper.ts:182repo/packages/testing/playwright/services/user-api-helper.ts:31 → repo/packages/testing/playwright/services/user-api-helper.ts:39repo/packages/testing/playwright/services/user-api-helper.ts:31 → repo/packages/testing/playwright/services/user-api-helper.ts:55repo/scripts/instance-seeding/seedInstance.mjs:10 → repo/scripts/instance-seeding/seedInstance.mjs:228repo/packages/cli/src/license/license.service.ts:78 → repo/packages/cli/src/license/license.service.ts:71repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 → repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 → repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 → repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 → repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 → repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401repo/packages/cli/src/oauth/oauth.service.ts:1067 → repo/packages/cli/src/oauth/oauth.service.ts:1096repo/packages/core/src/binary-data/azure-blob.manager.ts:64 → repo/packages/core/src/binary-data/azure-blob.manager.ts:66repo/packages/core/src/binary-data/object-store.manager.ts:78 → repo/packages/core/src/binary-data/object-store.manager.ts:80repo/packages/@n8n/cli/src/client.ts:48 → repo/packages/@n8n/cli/src/client.ts:89repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 → repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 → repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 → repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 → repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 → repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 → repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 → repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 → repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 → repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 → repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 → repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 → repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 → repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 → repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 → repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 → repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 → repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 → repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 → repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 → repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 → repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 → repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 → repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 → repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 → repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 → repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 → repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 → repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 → repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 → repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 → repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 → repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 → repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 → repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 → repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 → repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 → repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 → repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 → repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 → repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 → repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 → repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 → repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 → repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 → repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 → repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 → repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 → repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 → repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 → repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:73 → repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:72repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:92 → repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:89repo/packages/@n8n/computer-use/src/gateway-client.ts:308 → repo/packages/@n8n/computer-use/src/gateway-client.ts:302repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 → repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25repo/packages/testing/containers/services/keycloak.ts:509 → repo/packages/testing/containers/services/keycloak.ts:520repo/packages/testing/containers/services/ngrok.ts:48 → repo/packages/testing/containers/services/ngrok.ts:85repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 → repo/packages/testing/playwright/reporters/metrics-reporter.ts:75repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 → repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 → repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 → repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56repo/packages/testing/playwright/services/api-helper.ts:662 → repo/packages/testing/playwright/services/api-helper.ts:660repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:225 → repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:223repo/packages/testing/playwright/services/public-api-helper.ts:164 → repo/packages/testing/playwright/services/public-api-helper.ts:182repo/packages/testing/playwright/services/user-api-helper.ts:31 → repo/packages/testing/playwright/services/user-api-helper.ts:39repo/packages/testing/playwright/services/user-api-helper.ts:31 → repo/packages/testing/playwright/services/user-api-helper.ts:55repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45</> First-Party Code
first-party (npm)
npm first-party await fetch(`${TELEMETRY_HOST}/v1/track`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
},
body: payload,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(url);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(resumeUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: payload,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
res = await fetch(webhookUrl, {
method: 'POST',
headers,
body: JSON.stringify({
pr_number: pr,
github_repo: repo,
git_sha: sha,
baseline_days: baselineDays,
metric_names: metrics,
}),
signal: AbortSignal.timeout(60_000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const comments = await fetch(
`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments?per_page=100`,
{ headers: ghHeaders },
).then((r) => r.json());
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await fetch(
`https://api.github.com/repos/${owner}/${repoName}/issues/comments/${existing.id}`,
{ method: 'PATCH', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const created = await fetch(
`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments`,
{ method: 'POST', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
).then((r) => r.json());
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${basicAuth}`,
},
body: JSON.stringify(payload),
signal: AbortSignal.timeout(5_000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
response = await fetch(url.toString(), { method, headers, body });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(url, {
method: 'POST',
headers,
body: JSON.stringify({
rootPath: this.dir,
tools,
hostIdentifier: `${os.userInfo().username}@${os.hostname()}`,
toolCategories: this.activeToolCategories,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(getOpenAiResponsesUrl(model.url), {
method: 'POST',
headers: {
Authorization: `Bearer ${model.apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(requestBody),
signal: abortSignal,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(new URL(path, this.config.baseUrl), {
headers: { Authorization: `Bearer ${this.config.apiKey}` },
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(new URL(path, this.config.baseUrl), {
method,
headers: {
Authorization: `Bearer ${this.config.apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.http.request({
url: 'https://enterprise.n8n.io/enterprise-trial',
method: 'POST',
body: {
licenseType: 'enterprise',
firstName: user.firstName,
lastName: user.lastName,
email: user.email,
instanceUrl: this.urlService.getWebhookBaseUrl(),
},
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const sent = await thread.post(await this.toPostable(params.descriptor, input.message, params));
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.http.request({
url: '/api/v4/secrets',
method: 'GET',
qs: {
projectId: this.settings.projectId,
environment: this.settings.environment,
secretPath: this.settings.secretPath,
},
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const requestResponse = await this.outboundHttp
.requests({ ssrf: 'disabled' }) // The destination URL is admin-configured, so SSRF protection is disabled.
.request(request);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const registerResult = await this.http.request({
url: registration_endpoint,
method: 'POST',
body: registerPayload,
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.azureBlobService.put(targetFileId, sourceFile, metadata);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.objectStoreService.put(targetFileId, sourceFile, metadata);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(POPULARITY_ENDPOINT, {
signal: AbortSignal.timeout(5000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const secureXToken = (await http.request({
url: `https://visibility.${region}.cisco.com/iroh/oauth2/token`,
method: 'POST',
auth: {
username: clientId,
password: clientSecret,
},
body: new URLSearchParams({
grant_type: 'client_credentials',
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Accept: 'application/json',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const secureEndpointToken = (await http.request({
url: `https://api.${region}.cisco.com/v3/access_tokens`,
method: 'POST',
body: new URLSearchParams({
grant_type: 'client_credentials',
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Accept: 'application/json',
Authorization: `Bearer ${secureXToken.access_token}`,
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const { access_token } = (await http.request({
url: 'https://oauth2.googleapis.com/token',
method: 'POST',
body: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: signature,
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await http.request({
url: tokenUrl,
method: 'POST',
body: body.toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = (await http.request({
url: `${authUrl}/services/oauth2/token`,
method: 'POST',
body: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: signature,
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token?: string; instance_url?: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(fullUri, {
method: 'GET',
headers,
signal: AbortSignal.timeout(2000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const credentialsResponse = await fetch(`https://sts.${region}.${getAwsDomain(region)}`, {
method: 'POST',
headers,
body: body.toString(),
signal: AbortSignal.timeout(2000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
responseData = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const result = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers?.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
ctx.base = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await (this.helpers.request(options) as Promise<{ jwt: string }>);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const responseData = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const { headers, body } = await undiciRequest(formAction, {
method: 'POST',
headers: loginHeaders,
body: loginBody.toString(),
dispatcher: agent,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`http://${host}:${hostPort}/api/tunnels`);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${auth}`,
},
body: JSON.stringify(payload),
signal: AbortSignal.timeout(30000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
res = await fetch(url, { headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(`http://localhost:${VM_PORT}/api/v1/import`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: readFileSync(metricsFile),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(`http://localhost:${VL_PORT}/insert/jsonline`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: readFileSync(logsFile),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.request.post('/rest/login', {
data: {
emailOrLdapLoginId: credentials.email,
password: credentials.password,
},
maxRetries: 3,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.api.request.post(`${params.basePath ?? DEFAULT_ENDPOINT_BASE_PATH}/revoke`, {
form: {
token: params.token,
client_id: params.clientId,
...(params.tokenTypeHint && { token_type_hint: params.tokenTypeHint }),
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const acceptResponse = await isolatedContext.post('/rest/invitations/accept', {
data: { token, firstName, lastName, password },
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const inviteResponse = await this.api.request.post('/rest/invitations', {
data: [{ email: user.email, role: user.role }],
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const acceptResponse = await this.api.request.post('/rest/invitations/accept', {
data: {
token,
firstName: user.firstName,
lastName: user.lastName,
password: user.password,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(`${BASE}/api/v1${path}`, {
method,
headers: HEADERS,
body: body !== undefined ? JSON.stringify(body) : undefined,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await fetch(`${TELEMETRY_HOST}/v1/track`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
},
body: payload,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
tracker.track(inner);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(a);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(b);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(rejected);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(inner);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(Promise.resolve());
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.backgroundTasks.track(titlePromise);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.backgroundTasks.track(queued);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.tracker.track(queued);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDER_FAILED, {
...getPreviewTelemetryPayload(),
reason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDERED_SUCCESSFULLY,
getPreviewTelemetryPayload(),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.OPEN_IN_N8N_CLICKED, {
...getPreviewTelemetryPayload(),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_COMPLETED, {
...getPreviewToolCallTelemetryPayload(requestId),
duration_ms: Math.max(0, Math.round(performance.now() - startedAt)),
outcome,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_CRASHED, {
...getPreviewTelemetryPayload(),
...(message ? { error_message: sanitizeTelemetryErrorMessage(message) } : {}),
source: WORKFLOW_PREVIEW_CRASH_SOURCES.PREVIEW_IFRAME_ERROR,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_REQUESTED,
getPreviewToolCallTelemetryPayload(requestId),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, {
app,
...getMcpClientTelemetryProperties(hostVersion.value),
error_message: sanitizeTelemetryErrorMessage(getErrorMessage(error)),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(events.renderFailed, {
app,
...getMcpClientTelemetryProperties(hostVersion.value),
error_message: getConnectionErrorReason(connectionError.value),
reason: renderFailedReason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', { boot_ms: 42 });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', {
apiKey: 'secret-api-key',
error_message: 'Authorization: Bearer abc.def-ghi_jkl/mno=',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', { reason: 'x' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.rudderStack?.track(
event,
{
...sanitizedProperties,
instance_id: this.config.instanceId,
version_cli: this.config.versionCli,
},
// Send a fake IP so RudderStack does not capture the user's real one.
{ context: { ip: '0.0.0.0' } },
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
temp.track();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent, Exception } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User hit concurrency limit', {
threshold: CLOUD_TEMP_PRODUCTION_LIMIT - capacity,
concurrencyQueue: type,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(maskIp(input)).toBe(expected);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'GET' }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ method: 'GET' }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'POST', rawBody }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
await controller.track(req, res, next);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection created', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collection.id,
evaluation_config_id: input.evaluationConfigId,
version_count: input.versions.length,
existing_run_count: existingRunIds.length,
new_run_count: runsStartedIds.length,
dataset_id: this.extractDatasetId(config),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection deleted', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collectionId,
runs_unlinked: runsUnlinked,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection insights generated', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collectionId,
model_used: response.modelUsed,
duration_ms: Date.now() - startMs,
status: response.status,
regressions_found: response.insights.regressions.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User ran test', {
user_id: user.id,
run_id: testRun.id,
workflow_id: workflowId,
run_type: runType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Test run finished', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted a run', { run_id: testRunId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User cancelled a test case', {
run_id: req.params.id,
case_id: caseId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp connected', {
user_id: userId,
server_slug: serverSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp disconnected', {
user_id: userId,
server_slug: serverSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Project settings updated', {
user_id: userId,
role,
project_id: projectId,
members: members?.map(({ userId: user_id, role }) => ({ user_id, role })),
otel_project_custom_tags_count: otelProjectCustomTagsCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted project', {
user_id: userId,
role,
project_id: projectId,
removal_type: removalType,
target_project_id: targetProjectId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created project', {
user_id: userId,
role,
uiContext,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated source control settings', {
branch_name: branchName,
read_only_instance: readOnlyInstance,
repo_type: repoType,
connected,
connection_type: connectionType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User started pull via UI', {
user_id: userId,
workflow_updates: workflowUpdates,
workflow_conflicts: workflowConflicts,
cred_conflicts: credConflicts,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User finished pull via UI', {
user_id: userId,
workflow_updates: workflowUpdates,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User pulled via API', {
workflow_updates: workflowUpdates,
forced,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User started push via UI', {
user_id: userId,
workflows_eligible: workflowsEligible,
workflows_eligible_with_conflicts: workflowsEligibleWithConflicts,
creds_eligible: credsEligible,
creds_eligible_with_conflicts: credsEligibleWithConflicts,
variables_eligible: variablesEligible,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User finished push via UI', {
user_id: userId,
workflows_eligible: workflowsEligible,
workflows_pushed: workflowsPushed,
creds_pushed: credsPushed,
variables_pushed: variablesPushed,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance attempted to refresh license', {
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User registered for license community plus', {
user_id: userId,
email,
licenseKey,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated external secrets settings', {
user_id: userId,
vault_type: vaultType,
is_valid: isValid,
is_new: isNew,
error_message: errorMessage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User reloaded external secrets', {
vault_type: vaultType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User toggled external secrets system roles', {
user_id: userId,
enabled,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key created', {
user_id: user.id,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key deleted', {
user_id: user.id,
public_api: publicApi,
is_own: isOwn,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key rotated', {
user_id: user.id,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package install finished', {
user_id: user.id,
input_string: inputString,
package_name: packageName,
success,
package_version: packageVersion,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
failure_reason: failureReason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package updated', {
user_id: user.id,
package_name: packageName,
package_version_current: packageVersionCurrent,
package_version_new: packageVersionNew,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package deleted', {
user_id: user.id,
package_name: packageName,
package_version: packageVersion,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
project_id: projectId,
project_type: projectType,
uiContext,
is_private: isDynamic ?? false,
uses_external_secrets: usesExternalSecrets ?? false,
jwe_enabled: jweEnabled ?? false,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated cred sharing', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
user_id_sharer: userIdSharer,
user_ids_sharees_added: userIdsShareesAdded,
sharees_removed: shareesRemoved,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
is_private: isDynamic ?? false,
uses_external_secrets: usesExternalSecrets ?? false,
jwe_enabled: jweEnabled ?? false,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User disconnected own credential connection', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
project_id: projectId,
project_type: projectType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User made credential end-user', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User made credential fixed', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User cleared end-user credential connections', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User connected to end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Ldap general sync finished', {
type,
succeeded,
users_synced: usersSynced,
error,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated Ldap settings', {
user_id: userId,
loginIdAttribute,
firstNameAttribute,
lastNameAttribute,
emailAttribute,
ldapIdAttribute,
searchPageSize,
searchTimeout,
synchronizationEnabled,
synchronizationInterval,
loginLabel,
loginEnabled,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Ldap login sync failed', { error });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User login failed since ldap disabled', { user_ud: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Sso user project access update', {
user_id: userId,
projects_removed: projectsRemoved,
projects_added: projectsAdded,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Sso user instance role update', { user_id: userId, role });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created workflow', {
user_id: user.id,
workflow_id: workflow.id,
node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
public_api: publicApi,
project_id: projectId,
project_type: projectType,
meta: JSON.stringify(workflow.meta),
otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
uiContext,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User archived workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User unarchived workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User activated workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
source,
private_credentials_count: privateCredentialsCount,
private_credential_types: privateCredentialTypes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deactivated workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
deactivated_version_id: deactivatedVersionId,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated workflow sharing', {
workflow_id: workflowId,
user_id_sharer: userIdSharer,
user_id_list: userIdList,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User imported n8n package', {
user_id: user.id,
workflow_conflict_policy: options.workflowConflictPolicy,
workflow_id_policy: options.workflowIdPolicy,
credential_matching_mode: options.credentialMatchingMode,
credential_missing_mode: options.credentialMissingMode,
workflow_publishing_policy: options.workflowPublishingPolicy,
workflows_created: counts.workflows.created,
workflows_updated: counts.workflows.updated,
workflows_skipped: counts.workflows.skipped,
credentials_matched: counts.credentials.matched,
credentials_created: counts.credentials.created,
credentials_required: counts.credentials.requirements,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exported n8n package', {
user_id: user.id,
workflow_count: counts.workflows,
folder_count: counts.folders,
credential_count: counts.credentials,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User package export failed', {
user_id: user.id,
reason,
workflow_count: workflowIds?.length ?? 0,
folder_count: folderIds?.length ?? 0,
project_count: projectIds?.length ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User package import failed', {
user_id: user.id,
reason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User saved workflow', {
user_id: user.id,
workflow_id: workflow.id,
node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
notes_count_overlapping: overlappingCount,
notes_count_non_overlapping: notesCount - overlappingCount,
version_cli: N8N_VERSION,
num_tags: workflow.tags?.length ?? 0,
public_api: publicApi,
sharing_role: userRole,
meta: JSON.stringify(workflow.meta),
workflow_edited_no_pos: workflowEditedNoPos,
credential_edited: credentialEdited,
ai_builder_assisted: aiBuilderAssisted ?? false,
credential_resolver_id: credentialResolverId,
identity_extractor_changed: identityExtractorChanged,
redaction_policy: redactionPolicy,
private_credentials_count: privateCredentialsCount,
private_credential_types: privateCredentialTypes,
otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User ran out of free AI credits');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Manual node exec finished', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Manual workflow exec finished', manualExecEventProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance started', {
...info,
earliest_workflow_created: firstWorkflow?.createdAt,
otel,
settings_managed_by_env_vars: settingsManagedByEnvVars,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Session started', { session_id: pushRef });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User instance stopped');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Owner finished instance setup', { user_id: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Workflow first prod success', {
project_id: projectId,
workflow_id: workflowId,
user_id: userId ?? undefined,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance first prod failure', {
project_id: projectId,
workflow_id: workflowId,
user_id: userId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Workflow first data fetched', {
user_id: userId,
workflow_id: workflowId,
node_type: nodeType,
node_id: nodeId,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User changed role', {
user_id: userId,
target_user_id: targetUserId,
target_user_new_role: targetUserNewRole,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved user', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all users', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved execution', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all executions', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved workflow', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved workflow version', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all workflows', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User changed personal settings', {
user_id: user.id,
fields_changed: fieldsChanged,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted user', {
user_id: user.id,
public_api: publicApi,
target_user_old_status: targetUserOldStatus,
migration_strategy: migrationStrategy,
target_user_id: targetUserId,
migration_user_id: migrationUserId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User invited new user', {
user_id: user.id,
target_user_id: targetUserId,
public_api: publicApi,
email_sent: emailSent,
invitee_role: inviteeRole,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User signed up', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User responded to personalization questions', personalizationSurveyData);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance failed to send transactional email to user', {
user_id: user.id,
message_type: messageType,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User sent transactional email', {
user_id: userId,
message_type: messageType,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User clicked invite link from email', {
user_id: invitee.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User clicked password reset link from email', {
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User requested password reset while logged out', {
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance compacted workflow history', {
workflows_processed: workflowsProcessed,
total_versions_seen: totalVersionsSeen,
total_versions_deleted: totalVersionsDeleted,
window_start_iso: new Date(windowStartIso),
window_end_iso: new Date(windowEndIso),
error_count: errorCount,
compaction_start_time_iso: compactionStartTime,
compaction_duration_ms: durationMs,
compaction_batch_delay_ms: this.globalConfig.workflowHistoryCompaction.batchDelayMs,
compaction_batch_size: this.globalConfig.workflowHistoryCompaction.batchSize,
compaction_trimming_optimizing_time_window_hours:
this.globalConfig.workflowHistoryCompaction.optimizingTimeWindowHours,
compaction_trimming_time_window_days:
this.globalConfig.workflowHistoryCompaction.trimmingTimeWindowDays,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated instance policies', {
user_id: user.id,
[settingName]: value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User confirmed reveal data', {
user_id: user.id,
execution_id: executionId,
workflow_id: workflowId,
redaction_policy: redactionPolicy,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created custom role', {
user_id: userId,
role_slug: roleSlug,
scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated custom role', {
user_id: userId,
role_slug: roleSlug,
scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted custom role', {
user_id: userId,
role_slug: roleSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User imported workflows via server cli', {
active_state: activeState,
workflow_count: workflowCount,
separate,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exported workflows via server cli', {
selector,
published,
separate,
backup,
workflow_count: workflowCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User hit data table storage limit', {
total_bytes: size.totalBytes,
max_bytes: this.globalConfig.dataTable.maxSize,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI Browser connected', { user_id: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder credits claimed', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
thread_id: threadId,
agent_run_id: dedupeId,
status,
success: false,
error_message: getErrorMessage(error),
attempted_usage: usage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder credits claimed', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
thread_id: threadId,
agent_run_id: dedupeId,
status,
success: true,
credits_used: delta,
credits_claimed_total: creditsClaimed,
credits_quota: creditsQuota,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exhausted assistant quota', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User connected to Computer Use', {
user_id: userId,
tool_groups: data.toolCategories.filter((c) => c.enabled).map((c) => c.name),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: runId,
message_group_id: messageGroupId,
source: 'terminal_guard',
status: decision.status,
action: decision.action,
reason: decision.reason,
visibility_source: decision.visibilitySource,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: outcome.runId,
message_group_id: outcome.messageGroupId,
task_id: outcome.taskId,
source: 'terminal_outcome_replay',
status: outcome.status,
action: published ? 'replay_event' : 'already-emitted',
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: outcome.runId,
message_group_id: outcome.messageGroupId,
task_id: outcome.taskId,
source: 'terminal_outcome_replay',
status: outcome.status,
action,
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
thread_id: task.threadId,
run_id: task.runId,
task_id: task.taskId,
status: outcome.status,
phase: 'metadata',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: task.threadId,
run_id: task.runId,
message_group_id: task.messageGroupId,
task_id: task.taskId,
source: 'background_outcome',
status: outcome.status,
action: published ? 'emit' : 'already-emitted',
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
thread_id: task.threadId,
run_id: task.runId,
task_id: task.taskId,
status: outcome.status,
phase: 'snapshot',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder published workflow', {
thread_id: threadId,
workflow_id: workflowId,
executed_by: 'ai',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder created workflow', {
thread_id: threadId,
workflow_id: updated.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder modified workflow', {
thread_id: threadId,
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder executed workflow', {
thread_id: threadId,
workflow_id: workflowId,
executed_by: 'ai',
pinned_node_count: Object.keys(runData.pinData ?? {}).length,
exec_type: runData.executionMode,
status,
...(error ? { error } : {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry?.track('instance_ai_workflow_verification_obligation', {
event,
thread_id: obligation.threadId,
run_id: obligation.runId,
task_id: obligation.taskId,
planned_task_id: obligation.plannedTaskId,
work_item_id: obligation.workItemId,
workflow_id: obligation.workflowId,
source: obligation.source,
policy: obligation.policy,
status: obligation.status,
readiness_status: obligation.readiness?.status,
setup_status: obligation.setupRequirement?.status,
has_evidence: obligation.evidence?.attempted === true,
evidence_success: obligation.evidence?.success,
blocking_reason: obligation.blockingReason,
...extra,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: threadId,
message: intermediateText,
is_intermediate: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: threadId,
message: outputText,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder satisfied user intent', {
thread_id: threadId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: opts.threadId,
message: intermediateText,
is_intermediate: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: opts.threadId,
message: outputText,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder satisfied user intent', {
thread_id: opts.threadId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder asked for input', {
thread_id: threadId,
input_thread_id: inputThreadId,
type,
num_steps: numSteps,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_run_finished', {
thread_id: threadId,
run_id: runId,
status: effectiveStatus,
...(userId ? { user_id: userId } : {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp tool called', {
user_id: userId,
server_slug: serverSlug,
tool_name: toolName,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import * as Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(MCP_PREVIEW_RENDER_REQUESTED_EVENT, {
user_id: user.id,
client_name: clientInfo?.name,
client_version: clientInfo?.version,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { PostHog } from 'posthog-node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: 'test',
event: 'test',
properties: {},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId,
event,
properties,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: instanceId,
event: 'Instance started',
properties: { instance_id: instanceId },
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: '',
event: 'Some event',
properties: {},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { PostHog, FeatureFlagEvaluations } from 'posthog-node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
publicUser.featureFlags = await posthog.getFeatureFlags(publicUser);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, {});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, {});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Public API usage', {
user_id: userId,
total_calls: entry.total_calls,
first: entry.first,
endpoints: JSON.stringify(entry.endpoints),
user_agents: JSON.stringify(entry.user_agents),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('pulse', pulsePacket);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution count', {
event_version: '2',
workflow_id: workflowId,
...this.executionCountsBuffer[workflowId],
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Agent execution count', {
event_version: '1',
agent_id,
...(user_id ? { user_id } : {}),
...counts,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Agent session metrics', {
event_version: '1',
agent_id: bucket.agent_id,
...bucket.configuration,
run_type: bucket.run_type,
turn_status: bucket.turn_status,
session_count: sessions.length,
turn_count: turnCount,
latency_ms_sum: latencyMsSum,
cost_sum: costSum,
tool_call_count_sum: toolCallCountSum,
num_skills_sum: numSkillsSum,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution with end-user credentials', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution errored', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.postHog?.track(payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
return this.rudderStack.track(rudderStackPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent, EventHint } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { NodeOptions } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { StartSpanOptions } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { StartSpanOptions } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type {
StartSpanOptions as SentryStartSpanOptions,
SpanContextData as SentrySpanContextData,
SpanAttributes as SentrySpanAttributes,
} from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User autocompleted code', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on RAG callout', {
node_type: options.telemetry.nodeType ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted tutorial template', {
template: templateId,
source: options.telemetry.source,
node_type: options.telemetry.nodeType ?? null,
section: options.telemetry.section ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User tidied up canvas', {
source,
target,
nodes_count: result.nodes.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted workflow note', {
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted node', {
node_type: node.type,
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow note', {
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User pasted nodes', {
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User duplicated nodes', {
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User imported workflow', {
source,
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User copied nodes', {
node_types: workflowData.nodes.map((node) => node.type),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked chat open button', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow template', {
source: 'workflow',
template_id: tryToParseNumber(templateId),
wf_template_repo_session_id: templatesStore.previousSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User claimed OpenAI credits', { source });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked sidebar add variable button');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked sidebar add data table button');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(`User hit ${type}`, { commands_length: 1, commands: [command.name] });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(`User hit ${type}`, {
commands_length: command.commands.length,
commands: command.commands.map((c) => c.name),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry?.track('User hit undo in NDV', { node_type: activeNode.type });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked execute node button', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User set node enabled status', {
node_type: node.type,
is_enabled: node.disabled,
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked upgrade CTA', {
source,
isTrial: userIsTrialing,
deploymentType,
trialDaysLeft,
executionsLeft,
workflowsLeft,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Ndv data pinning success', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Ndv data pinning failure', {
pinning_source: source,
node_type: targetNode?.type,
push_ref: rootStore.pushRef,
data_size: stringSizeInBytes(data.value),
view: displayMode,
run_index: runIndex,
error_type: errorType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User unpinned ndv data', {
node_type: targetNode?.type,
push_ref: rootStore.pushRef,
run_index: runIndex,
source,
data_size: stringSizeInBytes(data.value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened read-only execution', {
workflow_id: data.workflowData.id,
execution_mode: data.mode,
execution_finished: data.finished,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed test AI workflow', {
status: data.status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed tutorial template', {
template: templateId,
status: data.status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted paired item error', eventData);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Manual exec errored', {
error_title: pushData.data.error.message,
node_type: node?.type,
node_type_version: node?.typeVersion,
node_id: node?.id,
node_graph_string: JSON.stringify(
TelemetryHelpers.generateNodesGraph(
workflowDocumentStore.serialize(),
workflowHelpers.getNodeTypes(),
{
isCloudDeployment: settingsStore.isCloudDeployment,
},
).nodeGraph,
),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked execute workflow button', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted error', {
error_title: params.title,
error_message: messageForTelemetry,
caused_by_credential: causedByCredential(messageForTelemetry),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted error', {
error_title: title,
error_description: message,
error_message: error.message,
caused_by_credential: causedByCredential(error.message),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User set workflow active status', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User started nodes to sub-workflow extraction', {
node_count: nodeCount,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User extracted nodes to sub-workflow', {
node_count: nodeCount,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
`User opened workflow from onboarding template with ID ${workflowData.meta.onboardingId}`,
{ workflow_id: id },
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User attempted to save locked workflow', {
workflowId: currentWorkflow,
sharing_role: getWorkflowProjectRole(currentWorkflow),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved new workflow from template', {
template_id: tryToParseNumber(String(templateId)),
workflow_id: workflowData.id,
wf_template_repo_session_id: templatesStore.previousSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type * as Sentry from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import * as Sentry from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Session started', { session_id: rootStore.pushRef });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.rudderStack.track(event, updatedProperties, {
context: {
// provide a fake IP address to instruct RudderStack to not use the user's IP address
ip: '0.0.0.0',
},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
usePostHog().capture(event, updatedProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Ai code generation finished', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Ai Transform code generation finished', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('User toggled n8n reference option', {
node: nodeType,
toValue: change.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled favorite', {
action: 'removed',
resource_type: resourceType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled favorite', {
action: 'added',
resource_type: resourceType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view sub pane', {
pane: 'input',
newState: wasOpen ? 'hidden' : 'visible',
isSubNode: isSubNodeSelected.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view sub pane', {
pane: 'output',
newState: wasOpen ? 'hidden' : 'visible',
isSubNode: isSubNodeSelected.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init(flags);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual(flags[TEST]);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.capture('Test event', { test: 'value' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.capture('Test event', {
test: 'value',
$groups: {
organization: 'n8n',
},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init(flags);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual('override');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.hasPendingFeatureFlags()).toBe(true);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const waitForFlags = posthog.waitForFeatureFlags().then(() => {
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.hasPendingFeatureFlags()).toBe(false);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual('variant');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
name,
variant,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked to open community node update modal', {
source,
package_name: packageName,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled sidebar', {
expanded: !sidebarMenuCollapsed.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track("User clicked on what's new notification", {
article_id: articleId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created AI templates starter collection', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed AI templates starter collection callout');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened AI template workflow', {
template,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed AI template', {
template,
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection page viewed');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection search performed', {
search_term: searchTerm,
result_count: resultCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection completed', {
connected_count: connectedCount.value,
connected_apps: connectedApps,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted empty state builder prompt', {
prompt_length: prompt.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User imported workflow from empty state', {
node_count: workflowData.nodes?.length ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User was recommended personalized templates', {
templateIds,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on personalized template callout', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed personalized template callout', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on personalization card');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed personalization modal');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed personalization tooltip');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed personalization tooltip');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template from modal', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on templates repo from modal');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
name: PERSONALIZED_TEMPLATES_V3.name,
variant,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created ready to run workflows', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed ready to run workflows callout');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened ready to run workflow', {
template,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run workflow', {
template,
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User visited resource center');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on resource center tile', { section, type, id });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding entry point viewed',
getTelemetryPayload({
surface,
entry_point: entryPoint,
mcp_access_enabled: mcpAccessEnabled,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding opportunity viewed',
getTelemetryPayload({
surface,
entry_point: entryPoint,
eligible: true,
surface_available: surfaceAvailable,
suppressed_by: suppressedBy,
mcp_access_enabled: mcpAccessEnabled,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding opened',
getTelemetryPayload({
surface,
...(payload.entryPoint ? { entry_point: payload.entryPoint } : {}),
...(payload.mcpAccessEnabled !== undefined
? { mcp_access_enabled: payload.mcpAccessEnabled }
: {}),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding dismissed',
getTelemetryPayload({
surface,
...(payload.activeClient ? { active_client: payload.activeClient } : {}),
...(payload.enabledDuringThisOpen !== undefined
? { enabled_during_this_open: payload.enabledDuringThisOpen }
: {}),
...(payload.mcpAccessEnabled !== undefined
? { mcp_access_enabled: payload.mcpAccessEnabled }
: {}),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding enable clicked', getTelemetryPayload({ surface }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding enabled', getTelemetryPayload({ surface }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding enable failed',
getTelemetryPayload({ surface, error_type: errorType }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding client selected', getTelemetryPayload({ surface, client }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding setup shown',
getTelemetryPayload({ surface, client, setup_type: setupType }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding copied parameter',
getTelemetryPayload({ surface, client, parameter }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on node minicard', {
tool,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User visited template recommendation modal tab', {
tool,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation tile', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation video', {
name,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation see more', {
type,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
usePostHog().getVariant(EXTRA_TEMPLATE_LINKS_EXPERIMENT.name) ===
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
useTelemetry().track('User clicked on templates', {
role: useCloudPlanStore().currentUserCloudInfo?.role,
active_workflow_count: useWorkflowsListStore().activeWorkflows.length,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created agent', {
agent_id: agent.id,
source: options.telemetrySource,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, props);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User started adding agent tool',
withAgent({ tool_type: toolType, source: 'manual' }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User added agent tool',
withAgent({
tool_type: ref.type,
has_approval: ref.requireApproval ?? false,
...identityProps(ref),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User added agent tool',
withAgent({
tool_type: 'mcpServer',
has_approval: false,
server_name: server.name,
authentication: server.authentication,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User edited agent tool',
withAgent({ tool_type: ref.type, ...identityProps(ref) }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User removed agent tool',
withAgent({ tool_type: ref.type, ...identityProps(ref) }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Assistant session started', {
chat_session_id: currentSessionId.value,
task: chatSessionTask.value,
node_type: chatSessionError.value?.node.type,
credential_type: chatSessionCredType.value?.name,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node after assistant suggestion', {
task: chatSessionTask.value,
chat_session_id: currentSessionId.value,
success: false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node after assistant suggestion', {
task: chatSessionTask.value,
chat_session_id: currentSessionId.value,
success: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent message in Assistant', {
message,
is_quick_reply: isQuickReply,
chat_session_id: currentSessionId.value,
message_number: usersMessages.value.length,
task: chatSessionTask.value,
allow_sending_parameter_values: allowSendingParameterValues.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened assistant', {
source,
task,
has_existing_session,
instance_id: rootStore.instanceId,
workflow_id: workflowId,
canvas_status: canvasStatus,
node_type: chatSessionError.value?.node?.type,
error: chatSessionError.value?.error,
chat_session_id: currentSessionId.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('End of response from builder', {
user_message_id: userMessageId,
workflow_id: routeWorkflowId.value,
session_id: trackingSessionId.value,
tab_visible: document.visibilityState === 'visible',
code_builder: isCodeBuilder.value,
mode: builderMode.value,
...(planApproved ? { plan_approved: true } : {}),
...getWorkflowModifications(currentStreamingMessage.value),
...payload,
...getTodosToTrack(),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted builder message', trackingPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.chatSent', {
focused_count: focusedCount,
has_deictic_ref: hasDeicticRef,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Workflow builder journey', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.added', {
source,
node_count: nodeTypes.length,
node_types: nodeTypes,
...(source === 'mention' && options?.mentionQueryLength !== undefined
? { mention_query_length: options.mentionQueryLength }
: {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method,
removed_count: 1,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'clear_all',
removed_count: previousCount,
remaining_count: 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'clear_all',
removed_count: previousCount,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'workflow_changed',
removed_count: previousCount,
remaining_count: 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'node_deleted',
removed_count: deletedConfirmedCount,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User edited chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
chat_message_id: editId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User regenerated chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
chat_message_id: retryId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created agent', { ...flattenModel(payload) });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened floating chat panel', { source: 'canvas' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User popped out floating chat panel', { source: 'canvas' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User ran evaluation', {
workflow_id: workflowId,
run_id: dispatched?.testRunId ?? null,
metric_count: wizardStore.selectedMetricKeys.length,
custom_check_count: wizardStore.customChecks.length,
slice_mode: wizardStore.isSliceMode,
trigger,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: workflowId,
execution_id: executionId ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: null,
execution_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: null,
execution_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed new builder workflow', {
thread_id: threadId,
instance_id: rootStore.instanceId,
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder generation stalled', { thread_id: threadId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User finished providing input', {
thread_id: threadId,
input_thread_id: conf.inputThreadId ?? '',
instance_id: rootStore.instanceId,
type: 'approval',
provided_inputs: [
{
label: conf.message,
options: ['approve', 'deny', 'approve_always'],
option_chosen: 'approve_auto',
},
],
skipped_inputs: [],
auto_resolved: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent builder message', {
thread_id: threadId,
instance_id: rootStore.instanceId,
is_first_message: isFirstMessage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Connect Browser Use modal opened');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Install Chrome Browser Extension button clicked');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Open Browser Use Extension button clicked');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI mcp modal opened');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI mcp settings opened', { server_slug: serverSlug });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestions shown', createBasePayload(context));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI quick examples opened', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
position: context.position,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestions cycled', {
...context.telemetryPayload,
suggestion_catalog_version: resolveSuggestionCatalogVersion(context),
visible_suggestion_ids: context.visibleSuggestionIds,
cycle_count: context.cycleCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestion selected', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
suggestion_kind: context.suggestionKind,
position: context.position,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestion submitted', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
suggestion_kind: context.suggestionKind,
position: context.position,
prompt_modified: context.promptModified,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User rated workflow generation', {
thread_id: threadId,
response_id: responseId,
helpful: payload.rating === 'up',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted workflow generation feedback', {
thread_id: threadId,
response_id: responseId,
feedback: payload.feedback,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI workflow setup step shown', getStepTelemetryPayload(step));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'Instance AI workflow setup step handled',
getStepTelemetryPayload(step, outcome),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User finished providing input', {
...getSetupTelemetryContext(),
provided_inputs: provided,
skipped_inputs: skipped,
explicitly_skipped_inputs: explicitlySkipped,
num_tasks: deps.sections.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User gave MCP access to workflow', { workflow_id: workflowId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled MCP access', { state: enabled });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted data table column', {
column_id: columnId,
column_type: columnToDelete.cellDataType,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User renamed data table column', {
column_id: columnId,
column_type: columnToRename.cellDataType,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User added data table column', {
column_id: newColumn.id,
column_type: newColumn.type,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User added row to data table', {
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User edited data table content', {
data_table_id: dataTableId,
column_id: colDef.colId,
column_type: colDef.cellDataType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted rows in data table', {
data_table_id: dataTableId,
deleted_row_count: idsToDelete.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created credentials', {
credential_type: credential.type,
credential_id: credential.id,
workflow_id: workflowsStore.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved credentials', trackProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked quick connect button', {
source,
credential_type: credentialTypeName,
node_type: nodeType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked debug execution button', {
instance_id: useRootStore().instanceId,
exec_status: isFullExecutionResponse(execution) ? execution.status : '',
override_pinned_data: pinnableNodes.length === pinnings,
all_exec_data_imported: missingNodeNames.length === 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
metadata.parentExecution
? 'User clicked parent execution button'
: 'User clicked inspect sub-workflow',
{
view,
},
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened read-only execution', {
workflow_id: data.workflowData.id,
execution_mode: data.mode,
execution_finished: data.finished,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked reveal data', {
workflow_id: workflowDocumentStore.value.workflowId,
execution_id: workflowExecutionStateStore.value.activeExecution?.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', { new_state: 'attached' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', {
new_state: wasOpen ? 'collapsed' : 'attached',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', { new_state: 'floating' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User selected node in log view', {
node_type: value.node.type,
node_id: value.node.id,
execution_id: execution.value?.id,
workflow_id: execution.value?.workflowData.id,
subworkflow_depth: getDepth(value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User selected canvas group in log view', {
group_id: value.group.id,
node_count: value.group.nodeIds.length,
execution_id: execution.value?.id,
workflow_id: execution.value?.workflowData.id,
subworkflow_depth: getDepth(value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked review variables');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked review credentials');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node with schema preview', {
node_id: id,
node_type: type,
node_version: typeVersion,
node_resource: resource,
node_operation: operation,
schema_preview: JSON.stringify(result.result),
output_schema: JSON.stringify(generateJsonSchema(pushEvent.data.data?.main?.[0]?.[0]?.json)),
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User duplicated role', {
role_id: item.slug,
role_name: item.displayName,
permissions: item.scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('user started cnr package install', {
input_string: props.packageName,
has_quick_connect: props.telemetry.hasQuickConnect,
source: props.telemetry.source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User updated provisioning settings', {
instance_id: useRootStore().instanceId,
authentication_method: protocol,
assignment_method: getTelemetryAssignmentMethod(roleAssignment.value),
role_mapping_method: getTelemetryRoleMappingMethod(mappingMethod.value),
instance_rule_count: ruleSaveResult?.instanceRuleCount ?? 0,
project_rule_count: ruleSaveResult?.projectRuleCount ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed command bar command', {
command_id: item.id,
command_section: item.section,
view,
parent_command_id: parentItem?.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked retry execution button', {
workflow_id: workflowId.value,
execution_id: activeExecution.value.id,
retry_type: loadWorkflow ? 'current' : 'original',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User exported workflow', { workflow_id: workflowData.id });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, {
...properties,
nodes_panel_session_id: nodePanelSessionId.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User grouped nodes', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User ungrouped nodes', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User collapsed group', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User expanded group', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run AI workflow', {
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run AI workflow successfully');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User claimed OpenAI credits');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened ready to run AI workflow', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed template detail', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed template cell', {
tileNumber,
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User closed cred setup', {
completed: false,
creds_filled: 0,
creds_needed: credentialUsages.value.length,
workflow_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User closed cred setup', {
completed: true,
creds_filled: numFilledCredentials.value,
creds_needed: credentialUsages.value.length,
workflow_id: createdWorkflow.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow template', {
source: 'workflow',
template_id: tryToParseNumber(templateId.value),
wf_template_repo_session_id: templatesStore.currentSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved new workflow from template', {
template_id: tryToParseNumber(templateId.value),
workflow_id: createdWorkflow.id,
wf_template_repo_session_id: templatesStore.currentSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened cred setup', { source });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 2392 low-confidence finding(s)
await fetch(`${TELEMETRY_HOST}/v1/track`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
},
body: payload,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
writeFileSync(join(repoDir, 'shared.ts'), 'shared\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(repoDir, 'pr-only.ts'), 'pr\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(repoDir, 'shared.ts'), 'shared\ndrift-from-master\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(repoDir, 'shared.ts'), 'shared\npr-edit\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalStep = process.env.CI_FILTER_DEEPEN_STEP;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI_FILTER_DEEPEN_STEP = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.CI_FILTER_DEEPEN_STEP = originalStep;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalStep = process.env.CI_FILTER_DEEPEN_STEP;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalMax = process.env.CI_FILTER_MAX_DEEPEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI_FILTER_DEEPEN_STEP = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI_FILTER_MAX_DEEPEN = '2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.CI_FILTER_DEEPEN_STEP = originalStep;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalMax === undefined) delete process.env.CI_FILTER_MAX_DEEPEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.CI_FILTER_MAX_DEEPEN = originalMax;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(repoDir, 'main.ts'), 'main\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(repoDir, 'feature.ts'), 'feature\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.INPUT_JOB_RESULTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.INPUT_JOB_RESULTS = JSON.stringify(jobResults);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.INPUT_JOB_RESULTS = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let step = Number(process.env.CI_FILTER_DEEPEN_STEP) || 200;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const maxDeepen = Number(process.env.CI_FILTER_MAX_DEEPEN) || 20_000;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(shallowPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputFile = process.env.GITHUB_OUTPUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
maxCount = Number(process.env.CI_FILTER_MAX_CHANGED_FILES) || 1000,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const filtersInput = process.env.INPUT_FILTERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseRef = process.env.INPUT_BASE_REF;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.INPUT_JOB_RESULTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mode = process.env.INPUT_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const releaseType = /** @type { import('semver').ReleaseType | "experimental" } */ (
process.env.RELEASE_TYPE
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rootPkgJson = JSON.parse(await readFile(resolve(rootDir, 'package.json'), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await readFile(resolve(rootDir, 'pnpm-workspace.yaml'), 'utf-8').catch(() => ''),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const prNumber = process.env.PR_NUMBER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const headSha = process.env.HEAD_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseSha = process.env.BASE_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isMergeGroup = process.env.IS_MERGE_GROUP === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = `${process.env.CLA_API}?checkContributor=${encodeURIComponent(login)}`;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const issue_number = Number(process.env.PR_NUMBER);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const allSigned = process.env.ALL_SIGNED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const allSigned = process.env.ALL_SIGNED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const unlinked = JSON.parse(process.env.UNLINKED || '[]');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const prNumber = process.env.PR_NUMBER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.CLA_SIGN_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: /** @type {string} */ (process.env.HEAD_SHA),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
context: /** @type {string} */ (process.env.STATUS_CONTEXT),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const issue_number = Number(process.env.PR_NUMBER);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const allSigned = process.env.ALL_SIGNED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const unlinked = JSON.parse(process.env.UNLINKED || '[]');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const MARKER = /** @type {string} */ (process.env.COMMENT_MARKER);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Like many open source projects, we ask that you sign our [Contributor License Agreement](${process.env.CLA_SIGN_URL}) before we can accept your contribution.`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const task = process.env.INPUT_TASK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const useRaw = process.env.USE_RAW_PROMPT === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envFile = process.env.GITHUB_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const resumeUrl = process.env.RESUME_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const executionFile = process.env.EXECUTION_FILE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const claudeOutcome = process.env.CLAUDE_OUTCOME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sessionId = process.env.CLAUDE_SESSION_ID ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const branchName = process.env.BRANCH_NAME ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const execution = JSON.parse(readFileSync(executionFile, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ORG = process.env.GHCR_ORG || 'n8n-io';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const REPO = process.env.GHCR_REPO || 'n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawEventData = await fs.readFile(eventPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pullRequestEnv = process.env.PULL_REQUEST_ID;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_EVENT_PATH = './fixtures/mock-github-event.json';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PULL_REQUEST_ID = '123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PULL_REQUEST_ID = '#123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PULL_REQUEST_ID = '123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PULL_REQUEST_ID = 'abc-123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ADDITIONAL_TAGS = process.env.ADDITIONAL_TAGS ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const force = process.env.FORCE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(readFileSync('./package.json', 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.githubOutput = process.env.GITHUB_OUTPUT || null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
event: getArg('event') || process.env.GITHUB_EVENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pr: getArg('pr') || process.env.GITHUB_PR_NUMBER,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
branch: getArg('branch') || process.env.GITHUB_REF_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.githubOwner = process.env.GITHUB_REPOSITORY_OWNER || 'n8n-io';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.dockerUsername = process.env.DOCKER_USERNAME || 'n8nio';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.githubOutput = process.env.GITHUB_OUTPUT || null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const githubOutput = process.env.GITHUB_OUTPUT || null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nTag = process.env.N8N_TAG || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runnersTag = process.env.RUNNERS_TAG || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const distrolessTag = process.env.DISTROLESS_TAG || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile, readFile, copyFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...JSON.parse(await readFile(packageFile, 'utf-8')),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(fs.readFileSync(eventPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const v = process.env[variableName];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const path = process.env.GITHUB_OUTPUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_TOKEN = 'token';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REPOSITORY = 'n8n-io/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(path, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const stable = process.env['STABLE_VERSION'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const beta = process.env['BETA_VERSION'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const v1 = process.env['V1_VERSION'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUrl = process.env.QA_METRICS_COMMENT_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const repo = process.env.GITHUB_REPOSITORY ?? 'n8n-io/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sha = process.env.GITHUB_SHA?.slice(0, 8) ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const user = process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pass = process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = process.env.GITHUB_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const match = (process.env.GITHUB_REF ?? '').match(/refs\/pull\/(\d+)/);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dryRun = process.env.DRY_RUN === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summary = JSON.parse(readFileSync(join(runsDir, files.at(-1)), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? JSON.parse(readFileSync(buildManifestPath, 'utf-8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? JSON.parse(readFileSync(dockerManifestPath, 'utf-8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.GITHUB_REF || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runId = process.env.GITHUB_RUN_ID || null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: process.env.GITHUB_SHA?.slice(0, 8) || null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
branch: process.env.GITHUB_HEAD_REF || process.env.GITHUB_REF_NAME || null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId && process.env.GITHUB_REPOSITORY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
job: process.env.GITHUB_JOB || null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workflow: process.env.GITHUB_WORKFLOW || null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
attempt: process.env.GITHUB_RUN_ATTEMPT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
provider: !process.env.CI
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.RUNNER_ENVIRONMENT === 'github-hosted'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = process.env.NPM_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = JSON.parse(readFileSync(results, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify(report));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const res = await fetch('https://slack.com/api/chat.postMessage', {
method: 'POST',
headers: {
'Content-Type': 'application/json; charset=utf-8',
Authorization: `Bearer ${token}`,
},
body: JSON.stringify(payload),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const token = process.env.SLACK_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GH_TOKEN) return process.env.GH_TOKEN.trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GITHUB_TOKEN) return process.env.GITHUB_TOKEN.trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GITHUB_REPOSITORY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DRY_RUN === 'false' || process.env.DRY_RUN === '0') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DRY_RUN === 'true' || process.env.DRY_RUN === '1') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = [...(values.exclude ?? []), process.env.EXCLUDE_BRANCHES ?? ''];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const res = await fetch(`${API}/graphql`, {
method: 'POST',
headers: { ...ctx.headers, 'Content-Type': 'application/json' },
body: JSON.stringify({ query, variables }),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const staleDays = Number(values.days ?? process.env.STALE_DAYS ?? 100);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
throw new Error(`Invalid --days value: ${values.days ?? process.env.STALE_DAYS}`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const repo = process.env.GITHUB_REPOSITORY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { writeFileSync } = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(filePath, JSON.stringify(packageJson, null, 2) + '\n', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream, createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.OPENAI_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(OUT_PATH, JSON.stringify(fixture));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Boolean(process.env[envVar]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isReplayMode = Boolean(process.env.CI);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const IS_RECORD_MODE = process.env.VCR_MODE === 'record';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const IS_REPLAY_MODE = Boolean(process.env.CI);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.resolve(__dirname, '../fixtures/bulk-vector-fixture.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/index.ts', 'console.log("hello")');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/README.md', '# Project');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/data.json', '{"key": "value", "count": 42}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/source.txt', 'alpha');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/remove-me/old.txt', 'remove this');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile(
'/project/config.ts',
[
'export const region = "OLD_REGION";',
'export const owner = "OLD_OWNER";',
'export const status = "OLD_STATUS";',
].join('\n'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGCHAIN_TRACING_V2).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile('/test');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile('/test')).rejects.toThrow();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(filesystem.readFile('/workspace/file.txt')).resolves.toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile('/workspace/nested/file.txt', 'hello', { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile('/workspace/file.txt', { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await this.readFile(src);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await this.writeFile(dest, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/log.txt', 'line1\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await memFs.readFile('/log.txt', { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/original.txt', 'original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await memFs.readFile('/copy.txt', { encoding: 'utf-8' })).toBe('original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await memFs.readFile('/moved.txt', { encoding: 'utf-8' })).toBe('original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/deep/nested/file.txt', 'data');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(memFs.readFile('/nonexistent')).rejects.toThrow('ENOENT');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 ??= 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://proxy:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://proxy:9090';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://https-proxy:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://http-proxy:9090';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(MODELS_DEV_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(skillDir, 'SKILL.md'),
`---
name: workflow-builder
description: Build workflows.
---
Use the workflow SDK.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(skillDir, 'references', 'guide.md'), 'Guide text');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(skillDir, 'examples', 'slack.workflow.ts'), 'export default {};');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(intentSkillDir, 'SKILL.md'),
`---
name: intent-recognition
description: Classify intent.
---
Classify automation intent.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(intentSkillDir, 'references', 'taxonomy.md'), 'Taxonomy text');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(workflowSkillDir, 'SKILL.md'),
`---
name: workflow-builder
description: Build workflows.
---
Use the workflow SDK.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, lstatSync, readdirSync, readFileSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content: readFileSync(join(skill.directory, normalizedPath), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(skillPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha256: createHash('sha256').update(readFileSync(abs)).digest('hex'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await client.readFile(sandboxId, path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await client.writeFile(sandboxId, path, content, options?.overwrite ?? true);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, editedContent, { overwrite: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, {
encoding: (input.encoding ?? 'utf-8') as BufferEncoding,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, editedContent, { overwrite: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, input.content, { recursive: input.recursive });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENAI_API_KEY = 'sk-proj-1234567890';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'sk-proj-1234567890';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://example.com');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_AI_TIMEOUT_MAX;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://http-proxy.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.http_proxy = 'http://http-proxy-lowercase.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'https://https-proxy.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = 'https://https-proxy-lowercase.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = httpProxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = httpsProxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '*.internal.company.com,localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = 'localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_TIMEOUT_MAX = '300000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://api.openai.com/v1');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('http://api.example.com/data');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pdfBuffer = readFileSync(
join(__dirname, '../../../../../nodes-base/nodes/ReadPdf/test/sample.pdf'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(variant) => `// ── mode: ${variant.mode} ──\n${readFileSync(variant.filePath, 'utf-8')}`,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(pathResult.filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEFAULT_TIMEOUT = parseInt(process.env.N8N_AI_TIMEOUT_MAX ?? '3600000', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VECTOR_STORE_MAX_MEMORY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed = parseInt(process.env.N8N_VECTOR_STORE_MAX_MEMORY, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VECTOR_STORE_TTL_HOURS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed = parseInt(process.env.N8N_VECTOR_STORE_TTL_HOURS, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_DATASET_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(csvPath, content, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(promptPath, 'utf-8')).toBe('Create a test workflow');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflow = jsonParse<ParsedWorkflow>(fs.readFileSync(workflowPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(errorPath, 'utf-8')).toBe('Generation failed: timeout');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.LANGSMITH_DATASET_NAME ?? 'workflow-builder-canvas-prompts';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.GITHUB_ACTIONS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
trigger: process.env.GITHUB_EVENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rows = parseCsv(readFileSync(resolvedPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, '', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, lines.join('\n') + '\n', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'prompt.txt'), result.prompt, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(exampleDir, 'workflow.json'),
JSON.stringify(workflowForExport, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'code.ts'), result.generatedCode, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'response.txt'), result.agentTextResponse, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(exampleDir, 'feedback.json'),
JSON.stringify(feedbackOutput, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'error.txt'), result.error, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(outputDir, 'summary.json'),
JSON.stringify(summaryOutput, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envValue = process.env.LANGSMITH_MINIMAL_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(summaryPath, summaryContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(generatedPath, JSON.stringify(generatedWorkflow)),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(groundTruthPath, JSON.stringify(groundTruthWorkflow)),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envConcurrency = process.env.EVALUATION_CONCURRENCY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.GENERATE_TEST_CASES === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envCount = process.env.GENERATE_TEST_CASES_COUNT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const disabledNodesEnv = process.env.N8N_EVALS_DISABLED_NODES ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const nodesData = readFileSync(nodesPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(join(entryPath, nodeFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsedConcurrency = parseInt(process.env.CONCURRENCY ?? '', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(summaryPath, summaryLines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputFile, markdownContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envConfig = { apiKey: process.env.N8N_AI_ANTHROPIC_KEY ?? '' };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envMinLength = parseInt(process.env.N8N_PASSWORD_MIN_LENGTH ?? '', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_COLOR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_COLOR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
private readonly noColor = process.env.NO_COLOR !== undefined && process.env.NO_COLOR !== '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_COLOR !== 'false' && process.env.NO_COLOR !== '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'insights,invalidModule';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,invalidModule';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dir = process.env.NODE_ENV === 'test' && srcDirExists ? 'src' : 'dist';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.HTTP_PROXY) process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.HTTPS_PROXY) process.env.HTTPS_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.ALL_PROXY === true) process.env.ALL_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.ALL_PROXY && env.ALL_PROXY !== true) process.env.ALL_PROXY = env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.NO_PROXY) process.env.NO_PROXY = env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(validateUrl).toHaveBeenCalledWith(new URL(`${baseUrl}/ok`));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL('https://api.example.com/data');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
savedEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://127.0.0.1:1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://127.0.0.1:1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1,localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = savedEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (isProxyVar(key)) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HTTP_PROXY: process.env.HTTP_PROXY ?? process.env.http_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HTTPS_PROXY: process.env.HTTPS_PROXY ?? process.env.https_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NO_PROXY: process.env.NO_PROXY ?? process.env.no_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ALL_PROXY: process.env.ALL_PROXY ?? process.env.all_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNoProxy = process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNoProxyLower = process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[name] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com,internal.net';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com,internal.net');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com,internal.net');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1, localhost, example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('localhost,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = 'internal.lan';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('127.0.0.1,localhost,internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'first.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('first.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'second.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,second.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('second.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'api.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ALL_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'api.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value: process.env[name],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[name] = captured.value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const lower = process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const upper = process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = merged;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = merged;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.http_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ALL_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.all_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const templateDb = dbType === 'postgresdb' ? process.env.N8N_TEST_TEMPLATE_DB : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nTag = argv.n8nDockerTag || process.env.N8N_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const benchmarkTag = argv.benchmarkDockerTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const k6ApiToken = argv.k6ApiToken || process.env.K6_API_TOKEN || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
argv.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
argv.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseRunDir = argv.runDir || process.env.RUN_DIR || '/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseCert = argv.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseActivationKey = process.env.N8N_LICENSE_ACTIVATION_KEY || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseTenantId = argv.n8nLicenseTenantId || process.env.N8N_LICENSE_TENANT_ID || '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nTag = args.n8nTag || process.env.N8N_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const benchmarkTag = args.benchmarkTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const k6ApiToken = args.k6ApiToken || process.env.K6_API_TOKEN || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseCert = args.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(credentialFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(workflowFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(dataTableFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(scenarioManifestPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testScript = fs.readFileSync(fullTestScriptPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryReport = fs.readFileSync(summaryReportPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_URL = 'https://env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_URL = 'https://env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(0, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(flags.file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = fs.readFileSync(flags.file);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(skillSource, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existing = fs.readFileSync(targetFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, stripped);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existing = fs.readFileSync(targetFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, stripped);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', {
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
url: flags.url ?? process.env.N8N_URL ?? config.url,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: flags.apiKey ?? process.env.N8N_API_KEY ?? config.apiKey,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_GATEWAY_ALLOWED_ORIGINS = 'https://from-env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[`${ENV_PREFIX}${name}`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const logLevel = envString('LOG_LEVEL') ?? process.env.LOG_LEVEL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(dir, 'settings.json'), JSON.stringify(initial), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, 'not-json', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, existing, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(initialSettings, null, 2), {
encoding: 'utf-8',
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(this.filePath, JSON.stringify(this.persistent, null, 2), {
encoding: 'utf-8',
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, existing, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(resolvedReadablePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(resolvedWritablePath, content.replace(oldString, newString), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(resolvedPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(baseDir, 'binary.dat'), Buffer.from([0xff, 0xfe, 0xfd, 0xfc]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(fullPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(resolvedPath, content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.WAYLAND_DISPLAY && !process.env.DISPLAY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalWaylandDisplay = process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDisplay = process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WAYLAND_DISPLAY = originalWaylandDisplay;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = originalDisplay;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WAYLAND_DISPLAY = 'wayland-0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = ':0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = ':0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.N8N_DB_PING_TIMEOUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (envName in process.env) return process.env[envName];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const filePath = process.env[`${envName}_FILE`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const value = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const original = readFileSync(indexPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(indexPath, lines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(targetFile, migrationTemplate(className));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const args = { command: null, dbType: null, docker: !!process.env.CI };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TYPE = 'sqlite';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_SQLITE_DATABASE = file;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TABLE_PREFIX = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TYPE = 'postgresdb';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_HOST = conn.host;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_PORT = String(conn.port);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_DATABASE = conn.database;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_USER = conn.username;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_PASSWORD = conn.password;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_SCHEMA = conn.schema;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TABLE_PREFIX = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const externalHost = process.env.DB_POSTGRESDB_HOST ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
port: Number(process.env.DB_POSTGRESDB_PORT ?? '5432'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
username: process.env.DB_POSTGRESDB_USER ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
password: process.env.DB_POSTGRESDB_PASSWORD ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
database: process.env.DB_POSTGRESDB_DATABASE ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_DB_PING_TIMEOUT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(this.privateKeyPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(this.publicKeyPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(this.privateKeyPath, privateKey, { encoding: 'utf8', mode: 0o600 }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(this.publicKeyPath, publicKey, { encoding: 'utf8', mode: 0o600 }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const surveyFile = readFileSync(filename, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'test') return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'test') return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const migrationsPruningEnabled = process.env.MIGRATIONS_PRUNING_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
'unused-imports/no-unused-imports': process.env.NODE_ENV === 'development' ? 'warn' : 'error',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
'n8n-local-rules/no-skipped-tests': process.env.NODE_ENV === 'development' ? 'warn' : 'error',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.CI === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(packageJsonPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceCode = readFileSync(credentialFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceCode = readFileSync(nodeFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await readFile(path.join(dir, BUNDLE_RELATIVE_PATH), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(resolve(rootDir, filepath), formattedSchema);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = jsonParse<unknown>(readFileSync(join(WORKFLOWS_DIR, file), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = originalEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_SHA = '357e949547671e2cd1c017eb4e7c809cd55bd121';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-branch';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF = 'should-not-be-used';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = 'master';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature//thing';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'should-not-be-used';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = originalEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_EVENT_NAME = 'pull_request_review';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_RUN_ID = '12345';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_REVISION_ID = '357e949547671e2cd1c017eb4e7c809cd55bd121';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF = 'refs/pull/30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify(makeSeed()));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify({ messages: [{ id: 'm1' }] }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify({ messages: [] }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, readFileSync, rmSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const logged = readFileSync(String(result.logFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed: unknown = JSON.parse(readFileSync(path, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, rmSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify(content));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, '{ this is not json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, JSON.stringify(entries), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const VERIFIER_DEBUG = process.env.N8N_EVAL_VERIFIER_DEBUG === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (validated.buildViaMcp && !process.env.LANGSMITH_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.manifestPath, JSON.stringify(manifest, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.statsPath, JSON.stringify(stats, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
console.log(readFileSync(args.manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.GITHUB_ACTIONS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
trigger: process.env.GITHUB_EVENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
commitSha: process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
prNumber: process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//)?.[1],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GITHUB_ACTIONS !== 'true') return undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sha = process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(summaryPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(resultsPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(args.out, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdirSync, unlinkSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasLangSmith = Boolean(process.env.LANGSMITH_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const commitSha = process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(jsonPath, JSON.stringify(report, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
prCommentPath,
formatComparisonMarkdown(evaluation, outcome, {
commitSha,
slugByTestCase,
rerun,
gate,
passMetrics: { passAtK: metrics.passAtK, passHatK: metrics.passHatK },
experimentUrl,
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(tmpPath, JSON.stringify({ mcpServers: { [serverName]: block } }), { mode: 0o600 });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(logFile, stdout || stderr || fallback);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(exampleIdsFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
baseUrl: get('--base-url') ?? process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(absolute, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(workflowPath, JSON.stringify(record.workflow, null, 2), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(jsonlPath, lines.join('\n') + '\n', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(csvPath, [csvHeader, ...csvRows].join('\n') + '\n', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(outputDir, 'summary.json'),
JSON.stringify(summary, null, 2),
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(reportFile, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(summaryPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(resultsPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(args.reportFile, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const loginEmail = email ?? process.env.N8N_EVAL_EMAIL ?? '[email protected]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const loginPassword = password ?? process.env.N8N_EVAL_PASSWORD ?? 'PlaywrightTest123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'README.md'), '# hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'docs', 'workflow.md'), '...');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'readme.txt'), '...');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(outside, 'secret.md'), 'should not be readable');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(parent, 'sibling.md'), '# sibling');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'leftover.md'), '# still here');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'project', 'briefing.md'), '# moved');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), '# Architecture\n\nThis describes the workflow.');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), 'random unrelated content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), '# Architecture only');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(join(dataDir, file), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(reportPath, JSON.stringify(report, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(htmlPath, renderHtml(report), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await readFile(absPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = jsonParse<RunReport>(readFileSync(inputPath, 'utf-8'), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, renderHtml(report), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(fixturePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envToken = template.envVar ? process.env[template.envVar] : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEFAULT_MODEL = process.env.N8N_INSTANCE_AI_EVAL_MODEL ?? 'anthropic/claude-sonnet-4-6';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.ANTHROPIC_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<T>(readFileSync(filePath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
model: (process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-5.5').split('/').at(-1) ?? 'gpt-5.5',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, JSON.stringify(requestBody, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = JSON.parse(readFileSync(filePath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_ENDPOINT ?? process.env.LANGCHAIN_ENDPOINT ?? US_DEFAULT_ENDPOINT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homeKey = process.env.LANGSMITH_API_KEY ?? process.env.LANGCHAIN_API_KEY ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const usHost = bareHost(process.env.LANGSMITH_ENDPOINT_US ?? US_DEFAULT_ENDPOINT);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const usKey = process.env.LANGSMITH_API_KEY_US ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = JSON.parse(readFileSync(path, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.N8N_EVAL_MAX_CONCURRENT_SCENARIOS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(
filePath,
JSON.stringify(
{
timestamp,
workflowId: input.workflowId,
testCaseName: input.testCaseName,
scenarioName: input.scenarioName,
passed: input.passed,
result: input.result ?? null,
verificationResults: input.verificationResults,
verifierAttempts: input.verifierAttempts,
buildTrace: input.buildTrace ?? null,
},
null,
2,
),
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(jsonPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(reportPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(reportDir, 'workflow-eval-llm-debug.html'), html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(reportPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(reportDir, 'workflow-eval-report.html'), html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
modelId: process.env.N8N_INSTANCE_AI_EVAL_MODEL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
baseUrl: process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(join(DATA_DIR, file), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_VERSION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.DAYTONA_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiUrl = process.env.DAYTONA_API_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseImage = process.env.SANDBOX_IMAGE || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdirSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(target, renderFile(agent, variant), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
entry.content ?? (await readFile(join(referenceSourceDir, entry.fileName), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const skill = readFileSync(
join(INSTANCE_AI_SKILLS_DIR, 'workflow-builder', 'SKILL.md'),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = enabledModules;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalE2ETests = process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = originalE2ETests;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(registry.byUrl.get(GOOGLE_OAUTH_URL)?.title).toBe('Google: OAuth2 single service');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
expect(registry.byUrl.get(FIGMA_CREDENTIALS_URL)?.title).toBe('Figma credentials');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.E2E_TESTS !== 'true' || allowList === undefined) return undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(
join(INSTANCE_AI_SKILLS_DIR, POST_BUILD_FLOW_SKILL_ID, 'SKILL.md'),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithTracing = process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithProject = process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainProject = process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalTraceInternal = process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = 'test-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = originalLangSmithTracing;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_PROJECT = originalLangSmithProject;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_PROJECT = originalLangChainProject;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = originalTraceInternal;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGSMITH_TRACING).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGCHAIN_TRACING_V2).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_PROJECT = 'instance-ai-evals';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_ENDPOINT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_ENDPOINT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithTracing = process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = 'test-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = originalLangSmithTracing;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.LANGSMITH_PROJECT ?? process.env.LANGCHAIN_PROJECT ?? DEFAULT_PROJECT_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (readBooleanEnvFlag(process.env.N8N_DIAGNOSTICS_ENABLED) === false) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 ?? process.env.LANGSMITH_TRACING,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_ENDPOINT ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_ENDPOINT ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL === 'true' ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INCLUDE_INTERNAL === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return extractPackageVersion(JSON.parse(await readFile(packageJsonPath, 'utf8')));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai,agents';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ' instance-ai, agents ';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY = 'generic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'provider-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENAI_API_KEY = 'openai-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(process.env.N8N_ENABLED_MODULES ?? '')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const providerKey = providerKeyEnv ? process.env[providerKeyEnv] : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(provider === 'anthropic' ? process.env.N8N_AI_ANTHROPIC_KEY : undefined) ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = process.env.N8N_INSTANCE_AI_MODEL_URL?.trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedArchive = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedEtag = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedSha = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"pre-existing"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"orphan"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(blockedArchivePath, 'block'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const etagOnDisk = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), corruptArchive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'deadbeef'.repeat(8));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), legacyArchive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"legacy-etag"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(legacyArchive));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const channelOnDisk = await fsp.readFile(path.join(cacheDir, 'channel.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"latest-etag"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(archive));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'latest');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '6';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = 'banana';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '-4';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_URL = 'https://example.com/v2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[LINK_WORKSPACE_SDK_ENV];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[LINK_WORKSPACE_SDK_ENV] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLinkSdk = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await workspace.filesystem?.writeFile('src/workflow.ts', 'code', { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workspace.filesystem?.readFile('/workspace/builders/agent-2/src/workflow.ts'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(readFile(join(stagingDir, 'skills/demo/SKILL.md'), 'utf-8')).resolves.toBe(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(readFile(join(first.stagingDir, 'package.json'), 'utf-8')).resolves.toBe(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(results[0].stagingDir, 'skills/post-build-flow/SKILL.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(results[0].stagingDir, 'knowledge-base/templates/example.ts'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/data-table-manager/SKILL.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(
join(stagingDir, 'skills/data-table-manager/references/data-table-playbook.md'),
'utf-8',
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/registry.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/.manifest.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/index.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/.manifest.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await fsp.readFile(archivePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fsp.readFile(path.join(this.cacheDir, ETAG_FILENAME), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fsp.readFile(path.join(this.cacheDir, SHA256_FILENAME), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = (await fsp.readFile(path.join(this.cacheDir, CHANNEL_FILENAME), 'utf-8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(tmp, contents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = process.env.N8N_INSTANCE_AI_TEMPLATES_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hoursRaw = process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const disabled = process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await (await this.getFilesystem()).readFile(path, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await (await this.getFilesystem()).writeFile(path, content, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const v = process.env[ENV_FLAG];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tarball = await readFile(tarballPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const linkFlag = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(path, content, { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await this.filesystem.readFile(resolvePath(this.root, path), options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await this.filesystem.writeFile(resolvePath(this.root, path), content, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(targetPath, content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return decodeWorkspaceFileContent(await filesystem.readFile(filePath, { encoding: 'utf-8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await workspace.filesystem.writeFile(filePath, content, { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
require('fs').writeFileSync('./dist/cjs/package.json', '{"type":"commonjs"}', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
require('fs').writeFileSync('./dist/esm/package.json', '{"type":"module"}', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
img.addRepresentation({ scaleFactor: 1.0, buffer: fs.readFileSync(path1x) });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
img.addRepresentation({ scaleFactor: 2.0, buffer: fs.readFileSync(path2x) });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const html = await readFile(join(getPackageRoot(), 'dist', 'apps', fileName), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) as PackageJson;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'edge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_TRANSPORT = 'stdio';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_PORT = '4000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'firefox';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_PORT = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(path).toString('base64');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const programFiles = process.env.ProgramFiles ?? 'C:\\Program Files';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const programFilesX86 = process.env['ProgramFiles(x86)'] ?? 'C:\\Program Files (x86)';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const localAppData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), 'AppData\\Local');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[`${ENV_PREFIX}${envKey}`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/icons/icon.png`, 'fake-png-content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/assets/logo.svg`, '<svg>fake-svg</svg>');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/__schema__/node.json`, '{"fake": "schema"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'regular-package',
version: '1.0.0',
// No n8n field - this makes it an invalid n8n package
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/nodes/icons/node1.png`, 'fake-node1-png');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/nodes/subdir/__schema__/schema.json`, '{"node": "schema"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/assets/images/logo.svg`, '<svg>logo</svg>');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/dist/old-file.js`, 'old content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(eslintConfigPath, newConfig, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const eslintConfig = await fs.readFile(eslintConfigPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs
.readFile('package.json', 'utf-8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'regular-package',
version: '1.0.0',
// No n8n field - this makes it an invalid n8n package
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const expectedConfig = await fs.readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const currentConfig = await fs.readFile(eslintConfigPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.RELEASE_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.RELEASE_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.RELEASE_MODE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GITHUB_ACTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(workflowPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(workflowPath, originalContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(workflowPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = Boolean(process.env.GITHUB_ACTIONS);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const templateContent = await fs.readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dest, rendered);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithOverrides);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithLifecycleScript);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithOverrides);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, newContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package.json`, JSON.stringify(packageConfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/eslint.config.mjs`, DEFAULT_ESLINT_CONFIG);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/eslint.config.mjs`, options.eslintConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, contents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'yarn/1.22.19 npm/? node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'npm/9.5.1 node/v18.16.0 darwin x64 workspaces/false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 yarn/1.22.19 npm/9.5.1 node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'yarn/1.22.19 npm/9.5.1 node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/yarn.lock`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/yarn.lock`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ua = process.env['npm_config_user_agent'] ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.COVERAGE_ENABLED === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI === 'true' ? ['cobertura'] : ['text-summary'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(tempDbPath, bufferString);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://my-mcp-endpoint.ai/sse');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL('https://my-mcp-endpoint.ai/sse');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await expect(customFetch!(new URL('https://allowed.example/sse'), {} as any)).rejects.toThrow(
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.ENABLE_OBSERVABILITY = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY === 'true' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
fullPath,
typeof contents === 'string' ? contents : JSON.stringify(contents, null, 2),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_RUNNERS_TASK_BROKER_URI = 'http://127.0.0.1:5679';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync('package.json', 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
scriptPath,
`const Module = require("module");
if (process.env.NODE_PATH) { Module._initPaths(); }
try {
require("${packageName}");
console.log(JSON.stringify({ success: true }));
} catch (e) {
console.log(JSON.stringify({ success: false, error: e.message }));
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
scriptNoInitPath,
`process.env.NODE_PATH = "${nodeModulesPath}";
try {
require("${packageName}");
console.log(JSON.stringify({ success: true }));
} catch (e) {
console.log(JSON.stringify({ success: false, error: e.message }));
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'test') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_PATH) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PGTZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export { ReadStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(path, data, (err) => {
if (err) fail(err);
ok();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(potentialPackageJson, 'utf8', (err, data) => {
if (err != null) accept(null);
else {
try {
accept(JSON.parse(data));
} catch (err) {
accept(null);
}
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.COVERAGE_ENABLED === 'true' && vitestConfig.test?.coverage) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI === 'true' && coverage.provider === 'v8') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI !== 'true') return {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.COVERAGE_ENABLED === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI === 'true' ? 'lcov' : 'text-summary',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, entry.getData());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, JSON.stringify(workflow, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
code = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, JSON.stringify(json, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, code);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(jsonPath, 'utf8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(nodesJsonPath, JSON.stringify(nodes));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hashBefore = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(nodesJsonPath, JSON.stringify([modifiedNode]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hashAfter = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tsContent = await fs.promises.readFile(path.join(nodeDir, 'v1.ts'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(fs.readFileSync(sdkPackageJsonPath, 'utf-8')) as { version: string };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.promises.readFile(nodesJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existingHash = await fs.promises.readFile(hashFilePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(hashFilePath, inputHash);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<{ name: string }>(fs.readFileSync(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(indexFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const schemaContent = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const schemaContent = fs.readFileSync(schemaPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.promises.readFile(jsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await Promise.all(batch.map((f) => fs.promises.writeFile(f.path, f.content)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(outputDir, 'index.ts'), indexContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(DEV_OUTPUT_PATH, 'index.ts'), placeholderContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(generatedPath, code, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const WORKER_ID = process.env.VITEST_POOL_ID ?? '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(generatorPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const storedHash = fs.readFileSync(STAMP_FILE, 'utf-8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(STAMP_FILE, hash);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_CONFIG_DIR = process.env.NODE_CONFIG_DIR || path.join(__dirname, 'config');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODEJS_PREFER_IPV4 === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readFile, readdir, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(join(dir, file), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(outputPath, `${JSON.stringify(records, null, 2)}\n`, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, existsSync, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const publicApiEnabled = process.env.N8N_PUBLIC_API_DISABLED !== 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.resolve(ROOT_DIR, 'dist/timezones.json'), JSON.stringify({ data }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(OUTPUT_FILE, bundle, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { mkdtempSync, writeFileSync } = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
p,
'module.exports = { workflow: { create: [(...args) => globalThis.__extHookFn(...args)] } };',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNodePath = process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = originalNodePath;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = existingPath;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).toContain(existingPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH?.endsWith(existingPath)).toBe(true);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).toBe(modulePaths.join(delimiter));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).not.toContain('undefined');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_OBSERVABILITY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('false');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('false');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_OBSERVABILITY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'custom-value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('custom-value');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
key: await readFile(this.sslKey, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cert: await readFile(this.sslCert, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalPreviewMode = process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = originalPreviewMode;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalPreviewMode = process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = originalPreviewMode;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, buffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, oversizedBuffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const onDisk = await fs.readFile(join(storagePath, 'a/b/c/blob.json'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempPath, body);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(readPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.EXECUTIONS_PROCESS === 'own') process.exit(-1);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(flags.ids, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(flags.skipList, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, this.formatJsonOutput(results));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const output = process.env.GITHUB_OUTPUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(fileName, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fileName, serializedData);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filename, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filename, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jsonParse<Partial<CredentialsEntity>>(fs.readFileSync(file, { encoding: 'utf8' })),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(inputPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(path, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflow = jsonParse<IWorkflowToImport>(fs.readFileSync(file, { encoding: 'utf8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream, createWriteStream, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
environment: process.env.ENVIRONMENT || 'development',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
serverName: process.env.DEPLOYMENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEvalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEvalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEvalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EXTERNAL_FRONTEND_HOOKS_URLS = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PERSONALIZATION_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SKIP_STATISTICS_EVENTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = readFileSync(fileName, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(aiAssistantPackageJsonPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(workflowSdkPackageJsonPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[WORKFLOW_REVIEWS_ENV_FEATURE_FLAG] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { mkdtempSync, writeFileSync } = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(p, JSON.stringify({ translation: 'string' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(licenseFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { access } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, utimes, open, rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runOnSqlite = (process.env.DB_TYPE ?? 'sqlite') === 'sqlite';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envValue = process.env[d.envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env[ENV_VAR] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env[ENV_VAR] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = '3';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) return 'env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.join(__dirname, './mock-data/workflow.under-test.json'), { encoding: 'utf-8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '5';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, lines.join('\n') + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { appendFileSync, existsSync, rmSync, renameSync, openSync, closeSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream, existsSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(stalePath, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const onDisk = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(bundlePath, 'invalid json{{{', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(badPath, 'invalid json{{{', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempPath, serialized, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(bundlePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fsPromises from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [module.paths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CUSTOM_EXTENSION_ENV] !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync('/proc/self/smaps_rollup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync('/proc/self/smaps_rollup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(textFilePath, 'hello world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(pdfFilePath, '%PDF-1.4');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(firstPath, 'hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(secondPath, 'world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filePath, 'hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, 'x');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, 'hello world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
for (const key of ENV_KEYS) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const key = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, 'fixtures/slack/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, 'fixtures/telegram/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtemp, rm, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fetch('https://api.telegram.org/bot123456:secret/sendMessage', {
method: 'POST',
headers: requestHeaders,
body: '{}',
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await writeFile(filePath, 'x', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/linear/recorded-session.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/slack/recorded-session.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/telegram/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(
join(__dirname, '../../../__tests__/fixtures/telegram/recorded-session.json'),
'utf8',
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readFile, readdir, rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.N8N_AGENT_INTEGRATION_RECORDING_REF ?? 'local';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.enabled ?? process.env.N8N_AGENT_INTEGRATION_RECORDING_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_SESSION_ID ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(join(this.recordingDir, file), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.libraryBundle = readFileSync(LIBRARY_BUNDLE_PATH, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DOTENV_CONFIG_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalValue = process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = originalValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.QUEUE_WORKER_MAX_STALLED_COUNT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.QUEUE_WORKER_MAX_STALLED_COUNT = '10';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnvValue = process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = originalEnvValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODES_EXCLUDE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.QUEUE_WORKER_MAX_STALLED_COUNT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_RUNNERS_TASK_TIMEOUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_RUNNERS_TASK_TIMEOUT = '300';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_UNVERIFIED_PACKAGES_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES === undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES === undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS !== 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_RUNNERS_TASK_TIMEOUT !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED === undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile, unlink } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = file.buffer ?? (await readFile(file.path));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_SKIP_CHAT_WORKFLOW_CLEANUP !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'community-packages';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,community-packages,mcp';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,mcp';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMMUNITY_PACKAGES_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const environment = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const environment = process.env.ENVIRONMENT === 'staging' ? 'staging' : 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJsonContent = await readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existingContent = await readFile(this.packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, writeFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(tempDir, filename), content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsPromises from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readdir, stat, unlink } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const original = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (original === undefined) delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = original;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
savedApiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CONTEXT7_API_KEY = savedApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CONTEXT7_API_KEY = 'test-api-key-123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const original = process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (original === undefined) delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_INSTANCE_AI_EVAL_TIMING = original;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_TIMING = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readonly enabled = process.env.N8N_INSTANCE_AI_EVAL_TIMING === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(join(entryPath, nodeFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasHttpProxy = Boolean(process.env.HTTPS_PROXY || process.env.HTTP_PROXY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const promise = readFile(filePath, 'utf-8').then((json) =>
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!tracing && process.env.E2E_TESTS === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
${readFileSync(variant.filePath, 'utf-8')}`,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDevUrl = process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = originalDevUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'dev';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'dev';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
switch (process.env.ENVIRONMENT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_MCP_SERVERS_DEV_URL || MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVER_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = '500';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const requiresHttps = process.env.NODE_ENV !== 'development' && !isLocalhost(hostname);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`workflows/wf-${idx}/workflow.json`, JSON.stringify(wf));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: '99',
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'bad-manifest',
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: '99',
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'integration-test-source',
workflows: [{ id: 'wf-x', name: 'X', target: 'workflows/wf-x' }],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'workflows/wf-x/workflow.json',
JSON.stringify(serializedWorkflow({ id: 'wf-x', name: 'X' })),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: FORMAT_VERSION,
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'integration-test-source',
workflows: [{ id: 'wf-missing', name: 'Missing', target: 'workflows/nowhere-to-be-found' }],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await reader.readFile(path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
request.writer.writeFile(
`${target}/credential.json`,
JSON.stringify(this.credentialSerializer.serialize(credential), null, '\t'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`${target}/folder.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`${target}/project.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
request.writer.writeFile(`${target}/workflow.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/my-workflow-abc/workflow.json', workflowJson);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(reader.readFile('workflows/my-workflow-abc/workflow.json')).resolves.toEqual(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/a/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/b/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{not-json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('oversized.bin', 'x'.repeat(500));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('oversized.bin', 'x'.repeat(500));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`workflows/wf-${i}/workflow.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/wf-abc/workflow.json', '{"id":"abc"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/x/workflow.json', '{"id":"x"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('./workflows/wf/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_OAUTH2_JWE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT = '100';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT = '200';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '300';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT = '400';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT = '500';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resource: new URL('https://n8n.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resource: new URL('https://attacker.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resource: new URL('https://n8n.example.com/mcp-server/http/'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://n8n.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://attacker.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://n8n.example.com/mcp-server/http/'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
secure: process.env.NODE_ENV === 'production',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (key.startsWith('N8N_OTEL_')) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.join(BASE_DIR, 'nodes-base/dist/known/nodes.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
saved[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[OTEL_ENV_VARS[key]] !== undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = config;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.all_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'github.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { accessSync, constants as fsConstants } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile, writeFile, access, mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath2, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(knownHostsPath, 'github.com ssh-rsa AAAA...\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(fileName, JSON.stringify(sanitizedWorkflow, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(fileName, JSON.stringify(sanitizedVariables, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(filePath, JSON.stringify(exportableDataTable, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(
fileName,
JSON.stringify(
{
folders: newFolders,
},
null,
2,
),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(fileName, JSON.stringify({ tags: [], mappings: [] }, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(
fileName,
JSON.stringify(
{
// overwrite all tags
tags: tags.map((tag) => ({ id: tag.id, name: tag.name })),
mappings: mappingsToKeep.concat(mappingsOfAllowedWorkflows),
},
null,
2,
),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(filePath, JSON.stringify(stub, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(fileName, JSON.stringify(sanitizedProject, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { accessSync, constants as fsConstants, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<ExportedFolders>(await fsReadFile(file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<ExportableDataTable[]>(await fsReadFile(file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(variablesFile[0], { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
}>(await fsReadFile(foldersFile[0], { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(tagsFile[0], { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
}>(await fsReadFile(candidate.file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm as fsRm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, normalizedKey, { mode: 0o600 });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await readFile(this.sshKeyName + '.pub', { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(this.gitFolder, '/README.md'), SOURCE_CONTROL_README);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mockAuthUrl = new URL('https://provider.com/auth?client_id=123');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const mockAuthUrl = new URL(
'https://provider.com/auth?client_id=123&redirect_uri=http://localhost:5678/callback',
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const discoveryUrl = new URL('https://example.com/.well-known/openid-configuration');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://issuer.example.com/.well-known/openid-configuration'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
discoveryEndpoint: new URL('http://n8n.io/not-set'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const originalEnv = process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_TOKEN_EXCHANGE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { Dirent } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const translation = await readFile(translationPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'TRUE';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const value = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const spec = await fs.readFile(openApiSpecPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const swaggerThemeCss = await fs.readFile(swaggerThemePath, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
operationHandlers: process.env.VITEST
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const doc = columnNameYmlSchema.parse(parse(fs.readFileSync(ymlPath, 'utf8')));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { access as fsAccess } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (inDevelopment && process.env.N8N_DEV_RELOAD === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'package.json'),
JSON.stringify({
name: 'n8n-nodes-base',
version: '1.0.0',
n8n: { nodes: [], credentials: [] },
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'dist', 'known', 'nodes.json'),
JSON.stringify({
httpRequest: {
className: 'HttpRequest',
sourcePath: 'dist/nodes/HttpRequest/HttpRequest.node.js',
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(packageDir, 'dist', 'known', 'credentials.json'), JSON.stringify({}));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'dist', 'types', 'nodes.json'),
JSON.stringify([nodeTypeDescription]),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(packageDir, 'dist', 'types', 'credentials.json'), JSON.stringify([]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '7';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = '"https://example.com/"';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://old.example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://old.example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const keyFileContent = await readFile(keyFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nodeEnv: process.env.NODE_ENV,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
builtIn: process.env.NODE_FUNCTION_ALLOW_BUILTIN?.split(',') ?? undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
external: process.env.NODE_FUNCTION_ALLOW_EXTERNAL?.split(',') ?? undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
!!this.globalConfig.aiAssistant.baseUrl || !!process.env.N8N_AI_ANTHROPIC_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const keyFileContent = await readFile(keyFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await readFile(migrationsFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const migrationsFileContent = await readFile(migrationsFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.globalConfig.webhookUrl || this.trimQuotes(process.env.WEBHOOK_URL) || this.baseUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'custom value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'custom value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HOME: process.env.HOME ?? process.env.USERPROFILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_PATH: process.env.NODE_PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GENERIC_TIMEZONE: process.env.GENERIC_TIMEZONE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_FUNCTION_ALLOW_BUILTIN: process.env.NODE_FUNCTION_ALLOW_BUILTIN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_FUNCTION_ALLOW_EXTERNAL: process.env.NODE_FUNCTION_ALLOW_EXTERNAL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_SENTRY_DSN: process.env.N8N_SENTRY_DSN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_VERSION: process.env.N8N_VERSION,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ENVIRONMENT: process.env.ENVIRONMENT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEPLOYMENT_NAME: process.env.DEPLOYMENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_INSECURE_MODE: process.env.N8N_RUNNERS_INSECURE_MODE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT: process.env.N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN: process.env.N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HOME: process.env.HOME ?? process.env.USERPROFILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_STDLIB_ALLOW: process.env.N8N_RUNNERS_STDLIB_ALLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_EXTERNAL_ALLOW: process.env.N8N_RUNNERS_EXTERNAL_ALLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS: process.env.N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_BUILTINS_DENY: process.env.N8N_RUNNERS_BUILTINS_DENY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_BLOCK_RUNNER_ENV_ACCESS: process.env.N8N_BLOCK_RUNNER_ENV_ACCESS,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const includedContent = await readFile(pathJoin(templatesDir, match[1]), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawMarkup = await readFile(pathJoin(templatesDir, `${templateName}.mjml`), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const markup = await readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.ENABLE_OBSERVABILITY === undefined || process.env.ENABLE_OBSERVABILITY === '') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === undefined ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const AI_REQUEST_TIMEOUT_MS = resolveTimeoutMs(process.env.N8N_AI_TIMEOUT_MAX);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { FileHandle } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { open, readFile, readdir, mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(fullPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isHealthEndpointCustomized = process.env.N8N_ENDPOINT_HEALTH !== undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalOffloadManualExecutionsToWorkers = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = originalOffloadManualExecutionsToWorkers;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filePath, payload, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const {
existsSync,
promises: { writeFile },
} = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
} = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(filePath, 'utf-8')) as IWorkflowBase &
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'filesystem';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/custom/storage/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/path/one';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/path/two';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/same/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/same/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'invalid-mode';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/custom/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DEFAULT_BINARY_DATA_MODE = 's3';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/storage/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'super-secret';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DEFAULT_BINARY_DATA_MODE = 'invalid-mode';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '1024';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = 'not-a-number';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '2048';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_BINARY_DATA_SIGNING_SECRET;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'env-pinned-secret';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceFile = await fs.readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BINARY_DATA_SIGNING_SECRET) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binaryData.data = await readFile(filePath, { encoding: BINARY_ENCODING });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, bufferOrStream);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await jsonParse(await fs.readFile(filePath, { encoding: 'utf-8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(metadata), { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceFile = await fs.readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = '5';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CODE_ENABLE_STDOUT === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CODE_ENABLE_STDOUT === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(
`${temporaryDir}/${setBinaryDataBufferResponse.id?.replace('filesystem-v2:', '')}`,
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[CONFIG_FILES] = '/path/to/config1,/path/to/config2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[CUSTOM_EXTENSION_ENV] = '/path/to/extensions1;/path/to/extensions2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BINARY_DATA_STORAGE_PATH] = '/path/to/binary/storage';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[UM_EMAIL_TEMPLATES_INVITE] = '/path/to/invite/templates';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[UM_EMAIL_TEMPLATES_PWRESET] = '/path/to/pwreset/templates';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fileHandle.writeFile(content, { encoding: 'binary' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CONFIG_FILES]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(...process.env[CONFIG_FILES].split(','));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CUSTOM_EXTENSION_ENV]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[BINARY_DATA_STORAGE_PATH]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[BINARY_DATA_STORAGE_PATH]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[UM_EMAIL_TEMPLATES_INVITE]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_INVITE]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[UM_EMAIL_TEMPLATES_PWRESET]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_PWRESET]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_ID = 'env-pinned-id';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_HMAC_SIGNATURE_SECRET = 'env-pinned-hmac';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_HMAC_SIGNATURE_SECRET,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cgroupV1 = readFileSync('/proc/self/cgroup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cgroupV2 = readFileSync('/proc/self/mountinfo', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(this.settingsFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hmacSignatureSecretFromEnv = process.env.N8N_HMAC_SIGNATURE_SECRET;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.settingsFile, JSON.stringify(this.settings, null, '\t'), {
mode: this.enforceSettingsFilePermissions.enforce ? 0o600 : undefined,
encoding: 'utf-8',
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isEnvVarSet = !!process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(file, nodeSource(version));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version: '1.0.0' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileString = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileString = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const storagePath = process.env.N8N_STORAGE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const binaryDataStoragePath = process.env.N8N_BINARY_DATA_STORAGE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_STORAGE_PATH) return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BINARY_DATA_STORAGE_PATH) return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const shouldMigrate = process.env.N8N_MIGRATE_FS_STORAGE_PATH === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(jsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_POPULARITY_ENDPOINT ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const FAIL_ON_ERROR = process.env.N8N_FAIL_ON_POPULARITY_FETCH_ERROR === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(OUTPUT_FILE, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(OUTPUT_FILE, JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
server.urlPrefix = process.env.API_URL || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
server.post('/rest/:any', async () => ({}));
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await post(N8N_API_BASE_URL, CONTACT_EMAIL_SUBMISSION_ENDPOINT, {
instance_id: instanceId,
user_id: `${instanceId}#${currentUser.id}`,
email,
agree,
agree_updates: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(BASE_FORUM_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const source = readFileSync(
'src/features/ai/instanceAi/components/InstanceAiPreviewTabBar.vue',
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { access } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { copyFile, mkdir, readFile, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tsConfigString = await readFile(tsconfigPath, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path, JSON.stringify(tsConfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { copyFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const getEnv = (key: string): string | undefined => process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const envGetter = (key: string): string | undefined => process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tokenResponse = await fetch(`${baseUrl}/api/token`, {
method: 'PUT',
headers: {
'X-aws-ec2-metadata-token-ttl-seconds': '21600',
'User-Agent': 'n8n-aws-credential',
},
signal: AbortSignal.timeout(2000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const roleResponse = await fetch(`${baseUrl}/meta-data/iam/security-credentials/`, {
method: 'GET',
headers,
signal: AbortSignal.timeout(2000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
authToken = (await readFile(authTokenFile, 'utf-8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = (await readFile(webIdentityTokenFile, 'utf8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_AWS_LEGACY_SIGNER === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VERSION) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_VERSION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const BASE_URL = process.env.AIRTOP_BASE_URL ?? 'https://api.airtop.ai/api/v1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const BASE_URL_V2 = process.env.AIRTOP_BASE_URL_V2 ?? 'https://api.airtop.ai/api/v2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.AIRTOP_HOOKS_BASE_URL ?? 'https://api.airtop.ai/api/hooks';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile as fsWriteFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(path, binaryDataBuffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile as fsReadFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile as fsReadFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflowJson = await fsReadFile(resolvedPath, { encoding: 'utf8' }).catch(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const alasqlSource = await readFile(alasqlBundlePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workbook = xlsxReadFile(binaryPath, xlsxOptions);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(binaryFile.path, uploadData);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(nodeFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
changedFiles: parseChangedFiles(process.env.CODE_HEALTH_CHANGED_FILES),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
addedFiles: parseChangedFiles(process.env.CODE_HEALTH_ADDED_FILES),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, 'export {};\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(abs, source, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pkg = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as OnDiskPackageJson;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_LICENSE_TENANT_ID) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extraEnvs.push({ name: 'N8N_LICENSE_TENANT_ID', value: process.env.N8N_LICENSE_TENANT_ID });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_LICENSE_ACTIVATION_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value: process.env.N8N_LICENSE_ACTIVATION_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_LICENSE_CERT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extraEnvs.push({ name: 'N8N_LICENSE_CERT', value: process.env.N8N_LICENSE_CERT });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(kubeConfigPath, namedKubeconfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(defaultKubeconfig, merged);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(values['url-file'], stack.baseUrl);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(values['kubeconfig-file'], stack.kubeConfigPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.CI || os.platform() !== 'linux') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (failures.length > 0 && process.env.STRICT_IMAGE_PULL === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(devEnvFilePath(), lines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_ENCRYPTION_KEY: process.env.N8N_ENCRYPTION_KEY ?? 'test-encryption-key',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_TENANT_ID: process.env.N8N_LICENSE_TENANT_ID ?? '1001',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_ACTIVATION_KEY: process.env.N8N_LICENSE_ACTIVATION_KEY ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_CERT: process.env.N8N_LICENSE_CERT ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.N8N_LICENSE_ACTIVATION_KEY && !process.env.N8N_LICENSE_CERT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const authToken = process.env.NGROK_AUTHTOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(processedExpectation, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.GITHUB_REF ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: process.env.GITHUB_SHA?.slice(0, 8) ?? 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
branch: process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME ?? 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
job: process.env.GITHUB_JOB,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workflow: process.env.GITHUB_WORKFLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
attempt: process.env.GITHUB_RUN_ATTEMPT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.CI) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.RUNNER_ENVIRONMENT === 'github-hosted') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const repo = process.env.GITHUB_REPOSITORY ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let value = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = process.env.N8N_DOCKER_IMAGE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'janitor.config.js'),
`module.exports = {
rootDir: '${tempDir}',
patterns: {
pages: ['pages/**/*.ts'],
components: [],
flows: [],
tests: ['tests/**/*.spec.ts'],
services: [],
fixtures: [],
helpers: [],
factories: [],
testData: [],
},
excludeFromPages: [],
facade: { file: 'pages/AppPage.ts', className: 'AppPage', excludeTypes: [] },
fixtureObjectName: 'app',
apiFixtureName: 'api',
rawApiPatterns: [],
flowLayerName: 'Composable',
architectureLayers: [],
rules: {},
};`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'CleanPage.ts'), 'export class CleanPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'VerbosePage.ts'),
'export class VerbosePage {}',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'BaselinePage.ts'),
'export class BaselinePage {}',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const attempt = Number(process.env.GITHUB_RUN_ATTEMPT ?? '1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
firstNonEmpty(options.url, process.env.JANITOR_FILTER_SHARD_URL) ?? DEFAULT_FILTER_SHARD_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runId = process.env.GITHUB_RUN_ID;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const includeRaw = fs.readFileSync(options.includeSpecsFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(fs.readFileSync(metricsPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const env = process.env.CHANGED_FILES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const inputs = files.map((f) => ({ text: fs.readFileSync(f, 'utf8'), spec: f }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(options.outLcov, result.lcov);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(options.outMap, JSON.stringify(encodeImpactMap(result.impactMap)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'pnpm-workspace.yaml'),
`packages:\n${opts.patterns.map((p) => ` - '${p}'`).join('\n')}\n`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(root, 'package.json'), JSON.stringify({ name: 'monorepo-root' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(pkgDir, 'package.json'), JSON.stringify(pkg));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'turbo.json'),
JSON.stringify({
tasks: Object.fromEntries(opts.turboTasks.map((t) => [t.taskId, { inputs: t.inputs }])),
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(path, 'utf-8')) as T;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(parseYaml(readFileSync(wsFile, 'utf-8')) as { packages?: string[] } | null)?.packages ?? [];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const currentContent = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, '.janitor-baseline.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'simple-webhook.json'),
JSON.stringify({ name: 'Simple Webhook' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'complex-flow.json'),
JSON.stringify({ name: 'Complex Flow' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'test-workflow.json'),
JSON.stringify({ name: 'Test' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(testFilePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'tsconfig.json'), JSON.stringify(tsconfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(pagesDir, 'TestPage.ts'), 'export class TestPage { foo() {} }');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'TestClass.ts'),
`export class TestClass {
publicMethod() { return 1; }
private privateMethod() { return 2; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
doc = parse(readFileSync(lockPath, 'utf8')) as typeof doc;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return existsSync(abs) ? readFileSync(abs, 'utf8') : '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(pkgDir, 'package.json'), JSON.stringify({ name: 'some-pkg' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', '.gitkeep'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'tests', '.gitkeep'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
skipLibCheck: true,
noEmit: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'package.json'),
JSON.stringify({
name: 'tcr-test',
scripts: {
typecheck: 'tsc --noEmit',
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'NewPage.ts'), 'export class NewPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'TestPage.ts'), 'export class TestPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'TestPage.ts'),
'export class TestPage { modified() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(newDir, 'new-feature.spec.ts'),
'import { test } from "@playwright/test"; test("new feature", () => {});',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(newDir, 'staged-feature.spec.ts'),
'export const test = { name: "staged feature test" };\n',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'package.json'),
JSON.stringify({ name: 'tcr-test', scripts: { typecheck: 'node -e ""' } }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'ToDelete.ts'),
'export class ToDelete { method() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'OldName.ts'),
'export class OldName { method() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'MethodClass.ts'),
`export class MethodClass {
existing() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'MethodClass.ts'),
`export class MethodClass {
existing() {}
newMethod() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'RemoveClass.ts'),
`export class RemoveClass {
keepMe() {}
removeMe() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'RemoveClass.ts'),
`export class RemoveClass {
keepMe() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'ModifyClass.ts'),
`export class ModifyClass {
myMethod() { return 1; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'ModifyClass.ts'),
`export class ModifyClass {
myMethod() { return 2; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), 'export class LargePage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), largeContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'SmallPage.ts'), 'export class SmallPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'SmallPage.ts'),
'export class SmallPage { x = 1; }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'OtherPage.ts'), 'export class OtherPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'PageA.ts'),
`import { PageB } from './PageB';
export class PageA {}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'PageB.ts'), 'export class PageB {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'DryRunPage.ts'), 'export class DryRunPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'ResultPage.ts'), 'export class ResultPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tests', 'example.spec.ts'),
'import { test } from "@playwright/test"; test("example", () => {});',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'FailPage.ts'), 'export class FailPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(headFile, 'corrupted');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI === 'true' ? { pool: 'forks' as const, maxWorkers: '50%' } : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseline = JSON.parse(readFileSync(BASELINE_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const current = JSON.parse(readFileSync(CURRENT_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync, readdirSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const wf = JSON.parse(readFileSync(join(inputDir, file), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, JSON.stringify(fixture, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const results = JSON.parse(readFileSync(resultsPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(baselinePath, JSON.stringify(results, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
plugins: [process.env.CODSPEED ? codspeedPlugin() : null].filter(Boolean),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const COVERAGE_ENABLED = process.env.COVERAGE_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
recordKey: process.env.CURRENTS_RECORD_KEY ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
projectId: process.env.CURRENTS_PROJECT_ID ?? 'nHHLA5',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(specDir, `raw-${slugify(testInfo.testId)}.json`),
JSON.stringify({ result }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(specDir, '.spec'), spec);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.N8N_TEST_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_COVERAGE_DIR ? { coverageHostDir: process.env.N8N_COVERAGE_DIR } : {}),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_CONTAINERS_KEEPALIVE === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envBaseURL = process.env.N8N_BASE_URL ?? n8nContainer?.baseUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const client = process.env.LANGSMITH_API_KEY ? new Client() : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project_name: process.env.LANGSMITH_PROJECT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CONTAINER_TELEMETRY_VERBOSE === '1') return true;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const res = await fetch(QUARANTINE_WEBHOOK_URL, { signal: controller.signal });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.CURRENTS_RECORD_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CURRENTS_RECORD_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(specDir, '.spec'), spec);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const resetE2eDb = process.env.RESET_E2E_DB;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ALLOW_CONTAINER_ONLY = process.env.PLAYWRIGHT_ALLOW_CONTAINER_ONLY === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_MODEL: process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-4o-mini',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_AI_OPENAI_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_AI_OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LANGSMITH_API_KEY: process.env.LANGSMITH_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.ANTHROPIC_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.OPENROUTER_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OPENROUTER_API_KEY: process.env.OPENROUTER_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.CEREBRAS_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
CEREBRAS_API_KEY: process.env.CEREBRAS_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_SANDBOX_ENABLED: process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_SANDBOX_PROVIDER ?? 'daytona',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_SANDBOX_IMAGE: process.env.N8N_INSTANCE_AI_SANDBOX_IMAGE ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.DAYTONA_API_URL && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DAYTONA_API_URL: process.env.DAYTONA_API_URL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.DAYTONA_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DAYTONA_API_KEY: process.env.DAYTONA_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IS_CI = !!process.env.CI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IS_DEV = !!process.env.N8N_EDITOR_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testEnv = process.env.N8N_TEST_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SKIP_WEB_SERVER = process.env.PLAYWRIGHT_SKIP_WEBSERVER === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
headless: process.env.SHOW_BROWSER !== 'true',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
currentsFixturesEnabled: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
['junit', { outputFile: process.env.PLAYWRIGHT_JUNIT_OUTPUT_NAME ?? 'results.xml' }],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.CURRENTS_RECORD_KEY ? [currentsReporter(currentsConfig)] : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { appendFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryPath = process.env.GITHUB_STEP_SUMMARY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.LANGSMITH_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const project = process.env.LANGSMITH_PROJECT ?? 'unset';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookUrl = options.webhookUrl ?? process.env.QA_METRICS_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookUser = options.webhookUser ?? process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookPassword = options.webhookPassword ?? process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.GITHUB_REF ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runId = process.env.GITHUB_RUN_ID ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: (process.env.GITHUB_SHA ?? this.gitFallback('rev-parse HEAD'))?.slice(0, 8) ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId && process.env.GITHUB_REPOSITORY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workflow: process.env.GITHUB_WORKFLOW ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
job: process.env.GITHUB_JOB ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
attempt: process.env.GITHUB_RUN_ATTEMPT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
provider: !process.env.CI
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.RUNNER_ENVIRONMENT === 'github-hosted'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(dir, `${label}-${i}.lcov`), transform(readFileSync(file, 'utf8'))),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_ROOT_PREFIX = process.env.IMAGE_ROOT_PREFIX ?? '/usr/local/lib/node_modules/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const name = JSON.parse(readFileSync(pkgJson, 'utf8')).name as string;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
source = readFileSync(r.bytesFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const map = JSON.parse(readFileSync(`${r.bytesFile}.map`, 'utf8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, existsSync, mkdirSync, copyFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
dockerfilePath,
`FROM ${targetImage}
COPY e2e.controller.js /usr/local/lib/node_modules/n8n/dist/controllers/e2e.controller.js
`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(attachment.path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryPath = process.env.GITHUB_STEP_SUMMARY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const TOKEN = process.env.CODECOV_API_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(sibling, 'specA', '.spec'), 'tests/e2e/x.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(allowPath, [...union].join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dir = process.env.N8N_COVERAGE_DIR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
parsed = JSON.parse(readFileSync(file, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
JSON.parse(readFileSync(file, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
parsed = JSON.parse(readFileSync(join(dir, rf), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CURRENTS_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const map = buildMap(parseLcov(readFileSync(lcovPath, 'utf8')), specId);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const diff = parseDiff(readFileSync(diffPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(readFileSync(tracesFile, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
wrappedFile,
JSON.stringify({
data: traces,
total: traces.length,
limit: traces.length,
offset: 0,
errors: null,
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
body: readFileSync(metricsFile),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
body: readFileSync(logsFile),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const image = process.env.TEST_IMAGE_N8N ?? 'n8nio/n8n:local';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BASE_URL) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
backendUrl = process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
brokerPort = process.env.N8N_RUNNERS_BROKER_PORT ?? String(await getFreePort());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LOG_LEVEL: process.env.N8N_LOG_LEVEL ?? 'info',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const changedFiles = process.argv.slice(2).join(',') || process.env.CHANGED_FILES || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
allSpecs: process.env.ALL_SPECS_FILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base: process.env.BASE_REF,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(laneDir, 'test-results.json'),
JSON.stringify(testResultsWithReports(specs)),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const written = JSON.parse(readFileSync(join(laneDir, looseFiles[0]), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'test-results.json'),
JSON.stringify({ suites: [{ specs: [{ tests: [{ results: [{ attachments: [] }] }] }] }] }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(root, 'test-results.json'), '{ not valid json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args['hardware-runner'] ?? process.env.SIZING_MATRIX_RUNNER ?? DEFAULT_HARDWARE.runner;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.SIZING_MATRIX_VCPU
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? Number(process.env.SIZING_MATRIX_VCPU)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.SIZING_MATRIX_RAM_GB
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? Number(process.env.SIZING_MATRIX_RAM_GB)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(join(REPO_ROOT, 'packages/cli/package.json'), 'utf8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const head = readFileSync(join(REPO_ROOT, '.git/HEAD'), 'utf8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(join(REPO_ROOT, '.git', refPath), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const overrides = JSON.parse(readFileSync(path, 'utf8')) as SpecMapping;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CURRENTS_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outPath, buf);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
report = JSON.parse(readFileSync(file, 'utf8')) as JSONReport;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(laneDir, `${stem}.run-report.${index}.json`), body);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = JSON.parse(readFileSync(path, 'utf8')) as RunReport;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.out, JSON.stringify(matrix, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.markdownOut, renderMarkdown(matrix));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(workerCmd, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
unboundGrowthOutput = await readFile(or.analysisOutputFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shapeGrowthOutput = await readFile(sr.analysisOutputFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(reportPath, JSON.stringify(report, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(`${outputDir}/${label}-smaps-raw.txt`, data.raw);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(`${outputDir}/${label}-rss-breakdown.json`, JSON.stringify(summary, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_EDITOR_URL ?? process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, JSON.stringify(baseline, null, '\t') + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_a', '.spec'), 'tests/e2e/a.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_a', 'raw-1.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'no_marker', 'raw-1.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'no_raw', '.spec'), 'x');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_jsonl', '.spec'), 'tests/e2e/b.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_jsonl', 'raw-1.jsonl'), '{}\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const spec = readFileSync(specMarker, 'utf8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(outDir, `${slug}${suffix}.lcov`),
forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, '{not valid json,,,');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(interned));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed: unknown = JSON.parse(fs.readFileSync(mapFile, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseSpecList(fs.readFileSync(input.allSpecsFile, 'utf8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env: process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false' ? {} : process.env,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { PathLike } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_OPTIONS: process.env.NODE_OPTIONS
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? `${process.env.NODE_OPTIONS} ${NODE_OPTS}`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(summaryPath, JSON.stringify(summary, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(path.join(templateDir, template), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(target, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.CI === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI === 'true' && process.env.INCLUDE_TEST_CONTROLLER !== 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.FORCE_COLOR = isCI ? '0' : '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJsonContent = await fs.readFile(packageJsonPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(cliPackagePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(cliPackagePath, JSON.stringify(packageJson, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const generateLicenses = process.env.N8N_GENERATE_LICENSES === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_shamefully_hoist = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(file, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.FORCE_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DOCKER_PLATFORM) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.DOCKER_PLATFORM;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const override = process.env.CONTAINER_ENGINE?.toLowerCase();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const noCache = process.env.DOCKER_BUILD_NO_CACHE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const withBaseImage = process.env.DOCKER_BUILD_BASE_IMAGE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const nodeVersion = process.env.NODE_VERSION || '24.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
imageTag: process.env.IMAGE_TAG || 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
imageBaseName: process.env.RUNNERS_IMAGE_BASE_NAME || 'n8nio/runners',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawData = JSON.parse(readFileSync(compactDataPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fullData = JSON.parse(readFileSync(fullDataPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(OUTPUT_PATH, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const lucideJson = JSON.parse(readFileSync(LUCIDE_JSON_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cache = JSON.parse(readFileSync(CACHE_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(CACHE_PATH, JSON.stringify(cache, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(OUTPUT_PATH, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(resolve(pkgRootDir, 'package.json'), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const BASE = process.env.N8N_BASE_URL ?? 'http://localhost:5678';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const KEY = process.env.N8N_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const CLEAR = (process.env.CLEAR ?? 'false').toLowerCase() === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PERSONAL_WORKFLOWS = Number(process.env.WF_MULTIPLIER) || 50;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(SPDX_IDS_PATH, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(OVERRIDES_PATH, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(await readFile(path.join(dir, entry.name), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
licenseText = (await readFile(licenseFile, 'utf-8')).trim() || null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(outputPath, JSON.stringify(enriched, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(dir, rel), JSON.stringify(json));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sbom = JSON.parse(await readFile(enriched, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(readFileSync(path.join(HERE, 'spdx-license-ids.json'), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = await readFile(path.join(resolvedPkgDir, candidate), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(OVERRIDES_PATH, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(outputPath, markdown);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'LICENSE'), 'PKGA LICENSE TEXT');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'LICENSE.md'), 'SCOPED PKGB TEXT');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'README.md'), 'not a license');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'CHANGELOG'), 'not a license');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'package.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path.join(pkgDir, 'COPYING'), 'COPYING IS A LICENSE');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(file, JSON.stringify(coverageMap));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return parseLedgerBody(readFileSync(ledgerFile, 'utf8')).rows;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceFile = (process.env.SOURCE_FILE ?? '').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const requestedMode = (process.env.REQUESTED_MODE ?? 'both').trim() || 'both';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const topNRaw = (process.env.TOP_N ?? '6').trim() || '6';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ledgerFile = (process.env.LEDGER_FILE ?? '').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const signalsFile = (process.env.SIGNALS_FILE ?? '').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const coverageFile = (process.env.COVERAGE_FILE ?? '').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bootstrapRaw = (process.env.BOOTSTRAP_PACKAGES ?? '').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summary = JSON.parse(await readFile(summaryPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const signals = JSON.parse(await readFile(signalsPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(outPath, JSON.stringify({ ledger, events }, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(file, body(MULTI_PKG_FIXTURE));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(file, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(file, body(MULTI_PKG_FIXTURE));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const THRESHOLD = Number(process.env.STRYKER_THRESHOLD ?? 80);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(await readFile(rawJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(await readFile(resolved, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkgName = JSON.parse(await readFile(pkgJsonPath, 'utf8')).name;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI || process.env.DOCKER_BUILD) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.FORCE_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const nodeOptions = process.env.NODE_OPTIONS
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? `${process.env.NODE_OPTIONS} --max-old-space-size=${mem}`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.FORCE_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const resolved = path.resolve(process.env[envVar] || path.join(rootDir, defaultRelPath));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
imageTag: process.env.IMAGE_TAG || 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
trivyImage: process.env.TRIVY_IMAGE || 'aquasec/trivy:latest',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
severity: process.env.TRIVY_SEVERITY || 'CRITICAL,HIGH,MEDIUM,LOW',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
outputFormat: process.env.TRIVY_FORMAT || 'table',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
outputFile: process.env.TRIVY_OUTPUT || null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
scanTimeout: process.env.TRIVY_TIMEOUT || '10m',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ignoreUnfixed: process.env.TRIVY_IGNORE_UNFIXED === 'true',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
scanners: process.env.TRIVY_SCANNERS || 'vuln',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
quiet: process.env.TRIVY_QUIET === 'true',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.FORCE_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE = process.env.SMOKE_IMAGE || 'n8nio/n8n:local';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ref: process.env.CLOUD_CHART_REF || 'main',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
chartPath: process.env.CLOUD_CHART_PATH || 'packages/instance-controller/charts/n8napp/n8n',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CLOUD_CHART_VALUES ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cloud = process.env.SMOKE_SKIP_CLOUD === 'true' ? [] : await fetchCloudInvocations();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.SMOKE_SKIP_CLOUD !== 'true' && cloud.length === 0) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(join(asDir, 'package.json'), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(join(dir, 'package.json'), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? JSON.parse(readFileSync(resultsFile, 'utf8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(resultsFile, `${JSON.stringify(data, null, 2)}\n`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.map((f) => JSON.parse(readFileSync(join(RESULTS_DIR, f), 'utf8')))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(out, `${md.join('\n')}\n`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/frontend/editor-ui
npm first-party const response = await fetch(POPULARITY_ENDPOINT, {
signal: AbortSignal.timeout(5000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
telemetry.track('User autocompleted code', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on RAG callout', {
node_type: options.telemetry.nodeType ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted tutorial template', {
template: templateId,
source: options.telemetry.source,
node_type: options.telemetry.nodeType ?? null,
section: options.telemetry.section ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User tidied up canvas', {
source,
target,
nodes_count: result.nodes.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted workflow note', {
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted node', {
node_type: node.type,
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow note', {
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User pasted nodes', {
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User duplicated nodes', {
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User imported workflow', {
source,
workflow_id: workflowDocumentStore.value.workflowId,
node_graph_string: nodeGraph,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User copied nodes', {
node_types: workflowData.nodes.map((node) => node.type),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked chat open button', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow template', {
source: 'workflow',
template_id: tryToParseNumber(templateId),
wf_template_repo_session_id: templatesStore.previousSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User claimed OpenAI credits', { source });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked sidebar add variable button');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked sidebar add data table button');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(`User hit ${type}`, { commands_length: 1, commands: [command.name] });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(`User hit ${type}`, {
commands_length: command.commands.length,
commands: command.commands.map((c) => c.name),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry?.track('User hit undo in NDV', { node_type: activeNode.type });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked execute node button', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User set node enabled status', {
node_type: node.type,
is_enabled: node.disabled,
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked upgrade CTA', {
source,
isTrial: userIsTrialing,
deploymentType,
trialDaysLeft,
executionsLeft,
workflowsLeft,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Ndv data pinning success', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Ndv data pinning failure', {
pinning_source: source,
node_type: targetNode?.type,
push_ref: rootStore.pushRef,
data_size: stringSizeInBytes(data.value),
view: displayMode,
run_index: runIndex,
error_type: errorType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User unpinned ndv data', {
node_type: targetNode?.type,
push_ref: rootStore.pushRef,
run_index: runIndex,
source,
data_size: stringSizeInBytes(data.value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened read-only execution', {
workflow_id: data.workflowData.id,
execution_mode: data.mode,
execution_finished: data.finished,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed test AI workflow', {
status: data.status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed tutorial template', {
template: templateId,
status: data.status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted paired item error', eventData);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Manual exec errored', {
error_title: pushData.data.error.message,
node_type: node?.type,
node_type_version: node?.typeVersion,
node_id: node?.id,
node_graph_string: JSON.stringify(
TelemetryHelpers.generateNodesGraph(
workflowDocumentStore.serialize(),
workflowHelpers.getNodeTypes(),
{
isCloudDeployment: settingsStore.isCloudDeployment,
},
).nodeGraph,
),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked execute workflow button', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted error', {
error_title: params.title,
error_message: messageForTelemetry,
caused_by_credential: causedByCredential(messageForTelemetry),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance FE emitted error', {
error_title: title,
error_description: message,
error_message: error.message,
caused_by_credential: causedByCredential(error.message),
workflow_id: workflowDocumentStore.value.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User set workflow active status', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User started nodes to sub-workflow extraction', {
node_count: nodeCount,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User extracted nodes to sub-workflow', {
node_count: nodeCount,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
`User opened workflow from onboarding template with ID ${workflowData.meta.onboardingId}`,
{ workflow_id: id },
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User attempted to save locked workflow', {
workflowId: currentWorkflow,
sharing_role: getWorkflowProjectRole(currentWorkflow),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved new workflow from template', {
template_id: tryToParseNumber(String(templateId)),
workflow_id: workflowData.id,
wf_template_repo_session_id: templatesStore.previousSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type * as Sentry from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import * as Sentry from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Session started', { session_id: rootStore.pushRef });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.rudderStack.track(event, updatedProperties, {
context: {
// provide a fake IP address to instruct RudderStack to not use the user's IP address
ip: '0.0.0.0',
},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
usePostHog().capture(event, updatedProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Ai code generation finished', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Ai Transform code generation finished', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('User toggled n8n reference option', {
node: nodeType,
toValue: change.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled favorite', {
action: 'removed',
resource_type: resourceType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled favorite', {
action: 'added',
resource_type: resourceType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view sub pane', {
pane: 'input',
newState: wasOpen ? 'hidden' : 'visible',
isSubNode: isSubNodeSelected.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view sub pane', {
pane: 'output',
newState: wasOpen ? 'hidden' : 'visible',
isSubNode: isSubNodeSelected.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init(flags);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual(flags[TEST]);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.capture('Test event', { test: 'value' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.capture('Test event', {
test: 'value',
$groups: {
organization: 'n8n',
},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init(flags);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual('override');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthog.init();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.hasPendingFeatureFlags()).toBe(true);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const waitForFlags = posthog.waitForFeatureFlags().then(() => {
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.hasPendingFeatureFlags()).toBe(false);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(posthog.getVariant('test')).toEqual('variant');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
name,
variant,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked to open community node update modal', {
source,
package_name: packageName,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled sidebar', {
expanded: !sidebarMenuCollapsed.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track("User clicked on what's new notification", {
article_id: articleId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created AI templates starter collection', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed AI templates starter collection callout');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened AI template workflow', {
template,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed AI template', {
template,
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection page viewed');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection search performed', {
search_term: searchTerm,
result_count: resultCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('App selection completed', {
connected_count: connectedCount.value,
connected_apps: connectedApps,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted empty state builder prompt', {
prompt_length: prompt.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User imported workflow from empty state', {
node_count: workflowData.nodes?.length ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User was recommended personalized templates', {
templateIds,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on personalized template callout', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed personalized template callout', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on personalization card');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed personalization modal');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed personalization tooltip');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed personalization tooltip');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template from modal', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on templates repo from modal');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
name: PERSONALIZED_TEMPLATES_V3.name,
variant,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created ready to run workflows', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User dismissed ready to run workflows callout');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened ready to run workflow', {
template,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run workflow', {
template,
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User visited resource center');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on resource center tile', { section, type, id });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding entry point viewed',
getTelemetryPayload({
surface,
entry_point: entryPoint,
mcp_access_enabled: mcpAccessEnabled,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding opportunity viewed',
getTelemetryPayload({
surface,
entry_point: entryPoint,
eligible: true,
surface_available: surfaceAvailable,
suppressed_by: suppressedBy,
mcp_access_enabled: mcpAccessEnabled,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding opened',
getTelemetryPayload({
surface,
...(payload.entryPoint ? { entry_point: payload.entryPoint } : {}),
...(payload.mcpAccessEnabled !== undefined
? { mcp_access_enabled: payload.mcpAccessEnabled }
: {}),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding dismissed',
getTelemetryPayload({
surface,
...(payload.activeClient ? { active_client: payload.activeClient } : {}),
...(payload.enabledDuringThisOpen !== undefined
? { enabled_during_this_open: payload.enabledDuringThisOpen }
: {}),
...(payload.mcpAccessEnabled !== undefined
? { mcp_access_enabled: payload.mcpAccessEnabled }
: {}),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding enable clicked', getTelemetryPayload({ surface }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding enabled', getTelemetryPayload({ surface }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding enable failed',
getTelemetryPayload({ surface, error_type: errorType }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('MCP onboarding client selected', getTelemetryPayload({ surface, client }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding setup shown',
getTelemetryPayload({ surface, client, setup_type: setupType }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'MCP onboarding copied parameter',
getTelemetryPayload({ surface, client, parameter }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on node minicard', {
tool,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User visited template recommendation modal tab', {
tool,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation tile', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation video', {
name,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked on template recommendation see more', {
type,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
usePostHog().getVariant(EXTRA_TEMPLATE_LINKS_EXPERIMENT.name) ===
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
useTelemetry().track('User clicked on templates', {
role: useCloudPlanStore().currentUserCloudInfo?.role,
active_workflow_count: useWorkflowsListStore().activeWorkflows.length,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created agent', {
agent_id: agent.id,
source: options.telemetrySource,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, props);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User started adding agent tool',
withAgent({ tool_type: toolType, source: 'manual' }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User added agent tool',
withAgent({
tool_type: ref.type,
has_approval: ref.requireApproval ?? false,
...identityProps(ref),
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User added agent tool',
withAgent({
tool_type: 'mcpServer',
has_approval: false,
server_name: server.name,
authentication: server.authentication,
}),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User edited agent tool',
withAgent({ tool_type: ref.type, ...identityProps(ref) }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'User removed agent tool',
withAgent({ tool_type: ref.type, ...identityProps(ref) }),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Assistant session started', {
chat_session_id: currentSessionId.value,
task: chatSessionTask.value,
node_type: chatSessionError.value?.node.type,
credential_type: chatSessionCredType.value?.name,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node after assistant suggestion', {
task: chatSessionTask.value,
chat_session_id: currentSessionId.value,
success: false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node after assistant suggestion', {
task: chatSessionTask.value,
chat_session_id: currentSessionId.value,
success: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent message in Assistant', {
message,
is_quick_reply: isQuickReply,
chat_session_id: currentSessionId.value,
message_number: usersMessages.value.length,
task: chatSessionTask.value,
allow_sending_parameter_values: allowSendingParameterValues.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened assistant', {
source,
task,
has_existing_session,
instance_id: rootStore.instanceId,
workflow_id: workflowId,
canvas_status: canvasStatus,
node_type: chatSessionError.value?.node?.type,
error: chatSessionError.value?.error,
chat_session_id: currentSessionId.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('End of response from builder', {
user_message_id: userMessageId,
workflow_id: routeWorkflowId.value,
session_id: trackingSessionId.value,
tab_visible: document.visibilityState === 'visible',
code_builder: isCodeBuilder.value,
mode: builderMode.value,
...(planApproved ? { plan_approved: true } : {}),
...getWorkflowModifications(currentStreamingMessage.value),
...payload,
...getTodosToTrack(),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted builder message', trackingPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.chatSent', {
focused_count: focusedCount,
has_deictic_ref: hasDeicticRef,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Workflow builder journey', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.added', {
source,
node_count: nodeTypes.length,
node_types: nodeTypes,
...(source === 'mention' && options?.mentionQueryLength !== undefined
? { mention_query_length: options.mentionQueryLength }
: {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method,
removed_count: 1,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'clear_all',
removed_count: previousCount,
remaining_count: 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'clear_all',
removed_count: previousCount,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'workflow_changed',
removed_count: previousCount,
remaining_count: 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('ai.focusedNodes.removed', {
method: 'node_deleted',
removed_count: deletedConfirmedCount,
remaining_count: confirmedNodes.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User edited chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
chat_message_id: editId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User regenerated chat hub message', {
...flattenModel(agent.model),
is_custom: agent.model.provider === 'custom-agent',
chat_session_id: sessionId,
chat_message_id: retryId,
mode,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created agent', { ...flattenModel(payload) });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened floating chat panel', { source: 'canvas' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User popped out floating chat panel', { source: 'canvas' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User ran evaluation', {
workflow_id: workflowId,
run_id: dispatched?.testRunId ?? null,
metric_count: wizardStore.selectedMetricKeys.length,
custom_check_count: wizardStore.customChecks.length,
slice_mode: wizardStore.isSliceMode,
trigger,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHog = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: workflowId,
execution_id: executionId ?? null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: null,
execution_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI opened from editor', {
source,
workflow_id: null,
execution_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed new builder workflow', {
thread_id: threadId,
instance_id: rootStore.instanceId,
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder generation stalled', { thread_id: threadId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User finished providing input', {
thread_id: threadId,
input_thread_id: conf.inputThreadId ?? '',
instance_id: rootStore.instanceId,
type: 'approval',
provided_inputs: [
{
label: conf.message,
options: ['approve', 'deny', 'approve_always'],
option_chosen: 'approve_auto',
},
],
skipped_inputs: [],
auto_resolved: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User sent builder message', {
thread_id: threadId,
instance_id: rootStore.instanceId,
is_first_message: isFirstMessage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Connect Browser Use modal opened');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Install Chrome Browser Extension button clicked');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI Open Browser Use Extension button clicked');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI mcp modal opened');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI mcp settings opened', { server_slug: serverSlug });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestions shown', createBasePayload(context));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI quick examples opened', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
position: context.position,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestions cycled', {
...context.telemetryPayload,
suggestion_catalog_version: resolveSuggestionCatalogVersion(context),
visible_suggestion_ids: context.visibleSuggestionIds,
cycle_count: context.cycleCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestion selected', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
suggestion_kind: context.suggestionKind,
position: context.position,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI prompt suggestion submitted', {
...createBasePayload(context),
suggestion_id: context.suggestionId,
suggestion_kind: context.suggestionKind,
position: context.position,
prompt_modified: context.promptModified,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User rated workflow generation', {
thread_id: threadId,
response_id: responseId,
helpful: payload.rating === 'up',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User submitted workflow generation feedback', {
thread_id: threadId,
response_id: responseId,
feedback: payload.feedback,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Instance AI workflow setup step shown', getStepTelemetryPayload(step));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
'Instance AI workflow setup step handled',
getStepTelemetryPayload(step, outcome),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User finished providing input', {
...getSetupTelemetryContext(),
provided_inputs: provided,
skipped_inputs: skipped,
explicitly_skipped_inputs: explicitlySkipped,
num_tasks: deps.sections.value.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User gave MCP access to workflow', { workflow_id: workflowId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled MCP access', { state: enabled });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted data table column', {
column_id: columnId,
column_type: columnToDelete.cellDataType,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User renamed data table column', {
column_id: columnId,
column_type: columnToRename.cellDataType,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User added data table column', {
column_id: newColumn.id,
column_type: newColumn.type,
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User added row to data table', {
data_table_id: dataTableId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User edited data table content', {
data_table_id: dataTableId,
column_id: colDef.colId,
column_type: colDef.cellDataType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User deleted rows in data table', {
data_table_id: dataTableId,
deleted_row_count: idsToDelete.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User created credentials', {
credential_type: credential.type,
credential_id: credential.id,
workflow_id: workflowsStore.workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved credentials', trackProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked quick connect button', {
source,
credential_type: credentialTypeName,
node_type: nodeType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked debug execution button', {
instance_id: useRootStore().instanceId,
exec_status: isFullExecutionResponse(execution) ? execution.status : '',
override_pinned_data: pinnableNodes.length === pinnings,
all_exec_data_imported: missingNodeNames.length === 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
metadata.parentExecution
? 'User clicked parent execution button'
: 'User clicked inspect sub-workflow',
{
view,
},
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened read-only execution', {
workflow_id: data.workflowData.id,
execution_mode: data.mode,
execution_finished: data.finished,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked reveal data', {
workflow_id: workflowDocumentStore.value.workflowId,
execution_id: workflowExecutionStateStore.value.activeExecution?.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', { new_state: 'attached' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', {
new_state: wasOpen ? 'collapsed' : 'attached',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User toggled log view', { new_state: 'floating' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User selected node in log view', {
node_type: value.node.type,
node_id: value.node.id,
execution_id: execution.value?.id,
workflow_id: execution.value?.workflowData.id,
subworkflow_depth: getDepth(value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User selected canvas group in log view', {
group_id: value.group.id,
node_count: value.group.nodeIds.length,
execution_id: execution.value?.id,
workflow_id: execution.value?.workflowData.id,
subworkflow_depth: getDepth(value),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked review variables');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked review credentials');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed node with schema preview', {
node_id: id,
node_type: type,
node_version: typeVersion,
node_resource: resource,
node_operation: operation,
schema_preview: JSON.stringify(result.result),
output_schema: JSON.stringify(generateJsonSchema(pushEvent.data.data?.main?.[0]?.[0]?.json)),
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User duplicated role', {
role_id: item.slug,
role_name: item.displayName,
permissions: item.scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('user started cnr package install', {
input_string: props.packageName,
has_quick_connect: props.telemetry.hasQuickConnect,
source: props.telemetry.source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User updated provisioning settings', {
instance_id: useRootStore().instanceId,
authentication_method: protocol,
assignment_method: getTelemetryAssignmentMethod(roleAssignment.value),
role_mapping_method: getTelemetryRoleMappingMethod(mappingMethod.value),
instance_rule_count: ruleSaveResult?.instanceRuleCount ?? 0,
project_rule_count: ruleSaveResult?.projectRuleCount ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed command bar command', {
command_id: item.id,
command_section: item.section,
view,
parent_command_id: parentItem?.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User clicked retry execution button', {
workflow_id: workflowId.value,
execution_id: activeExecution.value.id,
retry_type: loadWorkflow ? 'current' : 'original',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User exported workflow', { workflow_id: workflowData.id });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { captureException } from '@sentry/vue';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, {
...properties,
nodes_panel_session_id: nodePanelSessionId.value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User grouped nodes', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User ungrouped nodes', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User collapsed group', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User expanded group', buildProperties(group, source));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const postHogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run AI workflow', {
status,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User executed ready to run AI workflow successfully');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User claimed OpenAI credits');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened ready to run AI workflow', {
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
const posthogStore = usePostHog();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed template detail', {
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User viewed template cell', {
tileNumber,
templateId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User closed cred setup', {
completed: false,
creds_filled: 0,
creds_needed: credentialUsages.value.length,
workflow_id: null,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User closed cred setup', {
completed: true,
creds_filled: numFilledCredentials.value,
creds_needed: credentialUsages.value.length,
workflow_id: createdWorkflow.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User inserted workflow template', {
source: 'workflow',
template_id: tryToParseNumber(templateId.value),
wf_template_repo_session_id: templatesStore.currentSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User saved new workflow from template', {
template_id: tryToParseNumber(templateId.value),
workflow_id: createdWorkflow.id,
wf_template_repo_session_id: templatesStore.currentSessionId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('User opened cred setup', { source });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 11 low-confidence finding(s)
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_POPULARITY_ENDPOINT ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const FAIL_ON_ERROR = process.env.N8N_FAIL_ON_POPULARITY_FETCH_ERROR === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(OUTPUT_FILE, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(OUTPUT_FILE, JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
server.urlPrefix = process.env.API_URL || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
server.post('/rest/:any', async () => ({}));
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await post(N8N_API_BASE_URL, CONTACT_EMAIL_SUBMISSION_ENDPOINT, {
instance_id: instanceId,
user_id: `${instanceId}#${currentUser.id}`,
email,
agree,
agree_updates: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(BASE_FORUM_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const source = readFileSync(
'src/features/ai/instanceAi/components/InstanceAiPreviewTabBar.vue',
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/cli
npm first-party await this.http.request({
url: 'https://enterprise.n8n.io/enterprise-trial',
method: 'POST',
body: {
licenseType: 'enterprise',
firstName: user.firstName,
lastName: user.lastName,
email: user.email,
instanceUrl: this.urlService.getWebhookBaseUrl(),
},
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const sent = await thread.post(await this.toPostable(params.descriptor, input.message, params));
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.http.request({
url: '/api/v4/secrets',
method: 'GET',
qs: {
projectId: this.settings.projectId,
environment: this.settings.environment,
secretPath: this.settings.secretPath,
},
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const requestResponse = await this.outboundHttp
.requests({ ssrf: 'disabled' }) // The destination URL is admin-configured, so SSRF protection is disabled.
.request(request);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const registerResult = await this.http.request({
url: registration_endpoint,
method: 'POST',
body: registerPayload,
json: true,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
this.telemetry.track('User hit concurrency limit', {
threshold: CLOUD_TEMP_PRODUCTION_LIMIT - capacity,
concurrencyQueue: type,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expect(maskIp(input)).toBe(expected);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'GET' }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ method: 'GET' }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'POST', rawBody }));
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
await controller.track(req, res, next);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection created', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collection.id,
evaluation_config_id: input.evaluationConfigId,
version_count: input.versions.length,
existing_run_count: existingRunIds.length,
new_run_count: runsStartedIds.length,
dataset_id: this.extractDatasetId(config),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection deleted', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collectionId,
runs_unlinked: runsUnlinked,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Eval collection insights generated', {
user_id: user.id,
workflow_id: workflowId,
collection_id: collectionId,
model_used: response.modelUsed,
duration_ms: Date.now() - startMs,
status: response.status,
regressions_found: response.insights.regressions.length,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User ran test', {
user_id: user.id,
run_id: testRun.id,
workflow_id: workflowId,
run_type: runType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Test run finished', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted a run', { run_id: testRunId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User cancelled a test case', {
run_id: req.params.id,
case_id: caseId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp connected', {
user_id: userId,
server_slug: serverSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp disconnected', {
user_id: userId,
server_slug: serverSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Project settings updated', {
user_id: userId,
role,
project_id: projectId,
members: members?.map(({ userId: user_id, role }) => ({ user_id, role })),
otel_project_custom_tags_count: otelProjectCustomTagsCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted project', {
user_id: userId,
role,
project_id: projectId,
removal_type: removalType,
target_project_id: targetProjectId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created project', {
user_id: userId,
role,
uiContext,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated source control settings', {
branch_name: branchName,
read_only_instance: readOnlyInstance,
repo_type: repoType,
connected,
connection_type: connectionType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User started pull via UI', {
user_id: userId,
workflow_updates: workflowUpdates,
workflow_conflicts: workflowConflicts,
cred_conflicts: credConflicts,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User finished pull via UI', {
user_id: userId,
workflow_updates: workflowUpdates,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User pulled via API', {
workflow_updates: workflowUpdates,
forced,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User started push via UI', {
user_id: userId,
workflows_eligible: workflowsEligible,
workflows_eligible_with_conflicts: workflowsEligibleWithConflicts,
creds_eligible: credsEligible,
creds_eligible_with_conflicts: credsEligibleWithConflicts,
variables_eligible: variablesEligible,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User finished push via UI', {
user_id: userId,
workflows_eligible: workflowsEligible,
workflows_pushed: workflowsPushed,
creds_pushed: credsPushed,
variables_pushed: variablesPushed,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance attempted to refresh license', {
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User registered for license community plus', {
user_id: userId,
email,
licenseKey,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted variable', {
user_id: user.id,
...(projectId && { project_id: projectId }),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated external secrets settings', {
user_id: userId,
vault_type: vaultType,
is_valid: isValid,
is_new: isNew,
error_message: errorMessage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User reloaded external secrets', {
vault_type: vaultType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted external secrets connection', {
user_id: userId,
user_role: userRole,
vault_type: vaultType,
scope: projects.length === 0 ? 'global' : 'project',
project_ids: projects.map((project) => project.id),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User toggled external secrets system roles', {
user_id: userId,
enabled,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key created', {
user_id: user.id,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key deleted', {
user_id: user.id,
public_api: publicApi,
is_own: isOwn,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('API key rotated', {
user_id: user.id,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package install finished', {
user_id: user.id,
input_string: inputString,
package_name: packageName,
success,
package_version: packageVersion,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
failure_reason: failureReason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package updated', {
user_id: user.id,
package_name: packageName,
package_version_current: packageVersionCurrent,
package_version_new: packageVersionNew,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('cnr package deleted', {
user_id: user.id,
package_name: packageName,
package_version: packageVersion,
package_node_names: packageNodeNames,
package_author: packageAuthor,
package_author_email: packageAuthorEmail,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
project_id: projectId,
project_type: projectType,
uiContext,
is_private: isDynamic ?? false,
uses_external_secrets: usesExternalSecrets ?? false,
jwe_enabled: jweEnabled ?? false,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated cred sharing', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
user_id_sharer: userIdSharer,
user_ids_sharees_added: userIdsShareesAdded,
sharees_removed: shareesRemoved,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
is_private: isDynamic ?? false,
uses_external_secrets: usesExternalSecrets ?? false,
jwe_enabled: jweEnabled ?? false,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted credentials', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User disconnected own credential connection', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
project_id: projectId,
project_type: projectType,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User made credential end-user', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User made credential fixed', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User cleared end-user credential connections', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User connected to end-user credential', {
user_id: user.id,
user_role: user.role?.slug,
credential_type: credentialType,
credential_id: credentialId,
credential_supports_managed_auth: supportsManagedAuth ?? false,
credential_uses_managed_auth: usesManagedAuth ?? false,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Ldap general sync finished', {
type,
succeeded,
users_synced: usersSynced,
error,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated Ldap settings', {
user_id: userId,
loginIdAttribute,
firstNameAttribute,
lastNameAttribute,
emailAttribute,
ldapIdAttribute,
searchPageSize,
searchTimeout,
synchronizationEnabled,
synchronizationInterval,
loginLabel,
loginEnabled,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Ldap login sync failed', { error });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User login failed since ldap disabled', { user_ud: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Sso user project access update', {
user_id: userId,
projects_removed: projectsRemoved,
projects_added: projectsAdded,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Sso user instance role update', { user_id: userId, role });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created workflow', {
user_id: user.id,
workflow_id: workflow.id,
node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
public_api: publicApi,
project_id: projectId,
project_type: projectType,
meta: JSON.stringify(workflow.meta),
otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
uiContext,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User archived workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User unarchived workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User activated workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
source,
private_credentials_count: privateCredentialsCount,
private_credential_types: privateCredentialTypes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deactivated workflow', {
user_id: user.id,
workflow_id: workflowId,
public_api: publicApi,
deactivated_version_id: deactivatedVersionId,
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated workflow sharing', {
workflow_id: workflowId,
user_id_sharer: userIdSharer,
user_id_list: userIdList,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User imported n8n package', {
user_id: user.id,
workflow_conflict_policy: options.workflowConflictPolicy,
workflow_id_policy: options.workflowIdPolicy,
credential_matching_mode: options.credentialMatchingMode,
credential_missing_mode: options.credentialMissingMode,
workflow_publishing_policy: options.workflowPublishingPolicy,
workflows_created: counts.workflows.created,
workflows_updated: counts.workflows.updated,
workflows_skipped: counts.workflows.skipped,
credentials_matched: counts.credentials.matched,
credentials_created: counts.credentials.created,
credentials_required: counts.credentials.requirements,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exported n8n package', {
user_id: user.id,
workflow_count: counts.workflows,
folder_count: counts.folders,
credential_count: counts.credentials,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User package export failed', {
user_id: user.id,
reason,
workflow_count: workflowIds?.length ?? 0,
folder_count: folderIds?.length ?? 0,
project_count: projectIds?.length ?? 0,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User package import failed', {
user_id: user.id,
reason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User saved workflow', {
user_id: user.id,
workflow_id: workflow.id,
node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
notes_count_overlapping: overlappingCount,
notes_count_non_overlapping: notesCount - overlappingCount,
version_cli: N8N_VERSION,
num_tags: workflow.tags?.length ?? 0,
public_api: publicApi,
sharing_role: userRole,
meta: JSON.stringify(workflow.meta),
workflow_edited_no_pos: workflowEditedNoPos,
credential_edited: credentialEdited,
ai_builder_assisted: aiBuilderAssisted ?? false,
credential_resolver_id: credentialResolverId,
identity_extractor_changed: identityExtractorChanged,
redaction_policy: redactionPolicy,
private_credentials_count: privateCredentialsCount,
private_credential_types: privateCredentialTypes,
otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User ran out of free AI credits');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Manual node exec finished', telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Manual workflow exec finished', manualExecEventProperties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance started', {
...info,
earliest_workflow_created: firstWorkflow?.createdAt,
otel,
settings_managed_by_env_vars: settingsManagedByEnvVars,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Session started', { session_id: pushRef });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User instance stopped');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Owner finished instance setup', { user_id: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Workflow first prod success', {
project_id: projectId,
workflow_id: workflowId,
user_id: userId ?? undefined,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance first prod failure', {
project_id: projectId,
workflow_id: workflowId,
user_id: userId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Workflow first data fetched', {
user_id: userId,
workflow_id: workflowId,
node_type: nodeType,
node_id: nodeId,
credential_type: credentialType,
credential_id: credentialId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User changed role', {
user_id: userId,
target_user_id: targetUserId,
target_user_new_role: targetUserNewRole,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved user', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all users', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved execution', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all executions', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved workflow', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved workflow version', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User retrieved all workflows', {
user_id: userId,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User changed personal settings', {
user_id: user.id,
fields_changed: fieldsChanged,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted user', {
user_id: user.id,
public_api: publicApi,
target_user_old_status: targetUserOldStatus,
migration_strategy: migrationStrategy,
target_user_id: targetUserId,
migration_user_id: migrationUserId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User invited new user', {
user_id: user.id,
target_user_id: targetUserId,
public_api: publicApi,
email_sent: emailSent,
invitee_role: inviteeRole,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User signed up', payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User responded to personalization questions', personalizationSurveyData);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance failed to send transactional email to user', {
user_id: user.id,
message_type: messageType,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User sent transactional email', {
user_id: userId,
message_type: messageType,
public_api: publicApi,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User clicked invite link from email', {
user_id: invitee.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User clicked password reset link from email', {
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User requested password reset while logged out', {
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance compacted workflow history', {
workflows_processed: workflowsProcessed,
total_versions_seen: totalVersionsSeen,
total_versions_deleted: totalVersionsDeleted,
window_start_iso: new Date(windowStartIso),
window_end_iso: new Date(windowEndIso),
error_count: errorCount,
compaction_start_time_iso: compactionStartTime,
compaction_duration_ms: durationMs,
compaction_batch_delay_ms: this.globalConfig.workflowHistoryCompaction.batchDelayMs,
compaction_batch_size: this.globalConfig.workflowHistoryCompaction.batchSize,
compaction_trimming_optimizing_time_window_hours:
this.globalConfig.workflowHistoryCompaction.optimizingTimeWindowHours,
compaction_trimming_time_window_days:
this.globalConfig.workflowHistoryCompaction.trimmingTimeWindowDays,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated instance policies', {
user_id: user.id,
[settingName]: value,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User confirmed reveal data', {
user_id: user.id,
execution_id: executionId,
workflow_id: workflowId,
redaction_policy: redactionPolicy,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User created custom role', {
user_id: userId,
role_slug: roleSlug,
scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User updated custom role', {
user_id: userId,
role_slug: roleSlug,
scopes,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User deleted custom role', {
user_id: userId,
role_slug: roleSlug,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User imported workflows via server cli', {
active_state: activeState,
workflow_count: workflowCount,
separate,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exported workflows via server cli', {
selector,
published,
separate,
backup,
workflow_count: workflowCount,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User hit data table storage limit', {
total_bytes: size.totalBytes,
max_bytes: this.globalConfig.dataTable.maxSize,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI Browser connected', { user_id: userId });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder credits claimed', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
thread_id: threadId,
agent_run_id: dedupeId,
status,
success: false,
error_message: getErrorMessage(error),
attempted_usage: usage,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder credits claimed', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
thread_id: threadId,
agent_run_id: dedupeId,
status,
success: true,
credits_used: delta,
credits_claimed_total: creditsClaimed,
credits_quota: creditsQuota,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User exhausted assistant quota', {
instance_id: this.instanceSettings.instanceId,
user_id: user.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('User connected to Computer Use', {
user_id: userId,
tool_groups: data.toolCategories.filter((c) => c.enabled).map((c) => c.name),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: runId,
message_group_id: messageGroupId,
source: 'terminal_guard',
status: decision.status,
action: decision.action,
reason: decision.reason,
visibility_source: decision.visibilitySource,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: outcome.runId,
message_group_id: outcome.messageGroupId,
task_id: outcome.taskId,
source: 'terminal_outcome_replay',
status: outcome.status,
action: published ? 'replay_event' : 'already-emitted',
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: threadId,
run_id: outcome.runId,
message_group_id: outcome.messageGroupId,
task_id: outcome.taskId,
source: 'terminal_outcome_replay',
status: outcome.status,
action,
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
thread_id: task.threadId,
run_id: task.runId,
task_id: task.taskId,
status: outcome.status,
phase: 'metadata',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_response_decision', {
thread_id: task.threadId,
run_id: task.runId,
message_group_id: task.messageGroupId,
task_id: task.taskId,
source: 'background_outcome',
status: outcome.status,
action: published ? 'emit' : 'already-emitted',
visibility_source: 'background-outcome',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
thread_id: task.threadId,
run_id: task.runId,
task_id: task.taskId,
status: outcome.status,
phase: 'snapshot',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder published workflow', {
thread_id: threadId,
workflow_id: workflowId,
executed_by: 'ai',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder created workflow', {
thread_id: threadId,
workflow_id: updated.id,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder modified workflow', {
thread_id: threadId,
workflow_id: workflowId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Builder executed workflow', {
thread_id: threadId,
workflow_id: workflowId,
executed_by: 'ai',
pinned_node_count: Object.keys(runData.pinData ?? {}).length,
exec_type: runData.executionMode,
status,
...(error ? { error } : {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry?.track('instance_ai_workflow_verification_obligation', {
event,
thread_id: obligation.threadId,
run_id: obligation.runId,
task_id: obligation.taskId,
planned_task_id: obligation.plannedTaskId,
work_item_id: obligation.workItemId,
workflow_id: obligation.workflowId,
source: obligation.source,
policy: obligation.policy,
status: obligation.status,
readiness_status: obligation.readiness?.status,
setup_status: obligation.setupRequirement?.status,
has_evidence: obligation.evidence?.attempted === true,
evidence_success: obligation.evidence?.success,
blocking_reason: obligation.blockingReason,
...extra,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: threadId,
message: intermediateText,
is_intermediate: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: threadId,
message: outputText,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder satisfied user intent', {
thread_id: threadId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: opts.threadId,
message: intermediateText,
is_intermediate: true,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder sent message', {
thread_id: opts.threadId,
message: outputText,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder satisfied user intent', {
thread_id: opts.threadId,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Builder asked for input', {
thread_id: threadId,
input_thread_id: inputThreadId,
type,
num_steps: numSteps,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('instance_ai_run_finished', {
thread_id: threadId,
run_id: runId,
status: effectiveStatus,
...(userId ? { user_id: userId } : {}),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track('Instance AI mcp tool called', {
user_id: userId,
server_slug: serverSlug,
tool_name: toolName,
success,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import * as Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(MCP_PREVIEW_RENDER_REQUESTED_EVENT, {
user_id: user.id,
client_name: clientInfo?.name,
client_version: clientInfo?.version,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import { PostHog } from 'posthog-node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: 'test',
event: 'test',
properties: {},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId,
event,
properties,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: instanceId,
event: 'Instance started',
properties: { instance_id: instanceId },
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
ph.track({
userId: '',
event: 'Some event',
properties: {},
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { PostHog, FeatureFlagEvaluations } from 'posthog-node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.telemetry.track(event, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
publicUser.featureFlags = await posthog.getFeatureFlags(publicUser);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, {});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(eventName, {});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Public API usage', {
user_id: userId,
total_calls: entry.total_calls,
first: entry.first,
endpoints: JSON.stringify(entry.endpoints),
user_agents: JSON.stringify(entry.user_agents),
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('pulse', pulsePacket);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution count', {
event_version: '2',
workflow_id: workflowId,
...this.executionCountsBuffer[workflowId],
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Agent execution count', {
event_version: '1',
agent_id,
...(user_id ? { user_id } : {}),
...counts,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Agent session metrics', {
event_version: '1',
agent_id: bucket.agent_id,
...bucket.configuration,
run_type: bucket.run_type,
turn_status: bucket.turn_status,
session_count: sessions.length,
turn_count: turnCount,
latency_ms_sum: latencyMsSum,
cost_sum: costSum,
tool_call_count_sum: toolCallCountSum,
num_skills_sum: numSkillsSum,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution with end-user credentials', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.track('Workflow execution errored', properties);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.postHog?.track(payload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
return this.rudderStack.track(rudderStackPayload);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 668 low-confidence finding(s)
process.env.NODE_CONFIG_DIR = process.env.NODE_CONFIG_DIR || path.join(__dirname, 'config');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODEJS_PREFER_IPV4 === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readFile, readdir, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(join(dir, file), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(outputPath, `${JSON.stringify(records, null, 2)}\n`, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, existsSync, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const publicApiEnabled = process.env.N8N_PUBLIC_API_DISABLED !== 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.resolve(ROOT_DIR, 'dist/timezones.json'), JSON.stringify({ data }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(OUTPUT_FILE, bundle, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { mkdtempSync, writeFileSync } = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
p,
'module.exports = { workflow: { create: [(...args) => globalThis.__extHookFn(...args)] } };',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNodePath = process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = originalNodePath;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = existingPath;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).toContain(existingPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH?.endsWith(existingPath)).toBe(true);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).toBe(modulePaths.join(delimiter));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_PATH).not.toContain('undefined');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_OBSERVABILITY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('false');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('false');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_OBSERVABILITY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'custom-value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_OBSERVABILITY).toBe('custom-value');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
key: await readFile(this.sslKey, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cert: await readFile(this.sslCert, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalPreviewMode = process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = originalPreviewMode;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalPreviewMode = process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_PREVIEW_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = originalPreviewMode;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, buffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, oversizedBuffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const onDisk = await fs.readFile(join(storagePath, 'a/b/c/blob.json'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempPath, body);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(readPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.EXECUTIONS_PROCESS === 'own') process.exit(-1);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(flags.ids, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(flags.skipList, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, this.formatJsonOutput(results));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const output = process.env.GITHUB_OUTPUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fs.readFileSync(fileName, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fileName, serializedData);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filename, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filename, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, fileContents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jsonParse<Partial<CredentialsEntity>>(fs.readFileSync(file, { encoding: 'utf8' })),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(inputPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(path, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflow = jsonParse<IWorkflowToImport>(fs.readFileSync(file, { encoding: 'utf8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream, createWriteStream, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
environment: process.env.ENVIRONMENT || 'development',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
serverName: process.env.DEPLOYMENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEvalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEvalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEvalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EXTERNAL_FRONTEND_HOOKS_URLS = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PERSONALIZATION_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SKIP_STATISTICS_EVENTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = readFileSync(fileName, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(aiAssistantPackageJsonPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(workflowSdkPackageJsonPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[WORKFLOW_REVIEWS_ENV_FEATURE_FLAG] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { mkdtempSync, writeFileSync } = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(p, JSON.stringify({ translation: 'string' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(licenseFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { access } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, utimes, open, rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runOnSqlite = (process.env.DB_TYPE ?? 'sqlite') === 'sqlite';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envValue = process.env[d.envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env[ENV_VAR] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = envValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env[ENV_VAR] = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[ENV_VAR] = '3';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[ENV_VAR];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) return 'env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.join(__dirname, './mock-data/workflow.under-test.json'), { encoding: 'utf-8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '5';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, lines.join('\n') + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { appendFileSync, existsSync, rmSync, renameSync, openSync, closeSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream, existsSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(stalePath, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const onDisk = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(bundlePath, 'invalid json{{{', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(badPath, 'invalid json{{{', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempPath, serialized, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(bundlePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fsPromises from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_PATH = [module.paths.join(delimiter), process.env.NODE_PATH]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CUSTOM_EXTENSION_ENV] !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync('/proc/self/smaps_rollup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync('/proc/self/smaps_rollup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(textFilePath, 'hello world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(pdfFilePath, '%PDF-1.4');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(firstPath, 'hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(secondPath, 'world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filePath, 'hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, 'x');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, 'hello world');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
for (const key of ENV_KEYS) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'sk-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const key = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, 'fixtures/slack/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, 'fixtures/telegram/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtemp, rm, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fetch('https://api.telegram.org/bot123456:secret/sendMessage', {
method: 'POST',
headers: requestHeaders,
body: '{}',
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await writeFile(filePath, 'x', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/linear/recorded-session.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/slack/recorded-session.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(join(__dirname, '../../../__tests__/fixtures/telegram/basic.json'), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(
join(__dirname, '../../../__tests__/fixtures/telegram/recorded-session.json'),
'utf8',
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readFile, readdir, rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.N8N_AGENT_INTEGRATION_RECORDING_REF ?? 'local';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.enabled ?? process.env.N8N_AGENT_INTEGRATION_RECORDING_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_SESSION_ID ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(join(this.recordingDir, file), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.libraryBundle = readFileSync(LIBRARY_BUNDLE_PATH, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DOTENV_CONFIG_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalValue = process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = originalValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.QUEUE_WORKER_MAX_STALLED_COUNT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.QUEUE_WORKER_MAX_STALLED_COUNT = '10';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnvValue = process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = originalEnvValue;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODES_EXCLUDE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.QUEUE_WORKER_MAX_STALLED_COUNT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_RUNNERS_TASK_TIMEOUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_RUNNERS_TASK_TIMEOUT = '300';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_UNVERIFIED_PACKAGES_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES === undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES === undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS !== 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_RUNNERS_TASK_TIMEOUT !== undefined) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_UNVERIFIED_PACKAGES_ENABLED === undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile, unlink } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = file.buffer ?? (await readFile(file.path));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_SKIP_CHAT_WORKFLOW_CLEANUP !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'community-packages';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,community-packages,mcp';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,mcp';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_COMMUNITY_PACKAGES_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const environment = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const environment = process.env.ENVIRONMENT === 'staging' ? 'staging' : 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJsonContent = await readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existingContent = await readFile(this.packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, writeFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(tempDir, filename), content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsPromises from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, readdir, stat, unlink } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const original = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (original === undefined) delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = original;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
savedApiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CONTEXT7_API_KEY = savedApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CONTEXT7_API_KEY = 'test-api-key-123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const original = process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (original === undefined) delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
else process.env.N8N_INSTANCE_AI_EVAL_TIMING = original;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_TIMING = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CONTEXT7_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readonly enabled = process.env.N8N_INSTANCE_AI_EVAL_TIMING === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(join(entryPath, nodeFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasHttpProxy = Boolean(process.env.HTTPS_PROXY || process.env.HTTP_PROXY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const promise = readFile(filePath, 'utf-8').then((json) =>
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!tracing && process.env.E2E_TESTS === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
${readFileSync(variant.filePath, 'utf-8')}`,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDevUrl = process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ENVIRONMENT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = originalDevUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'staging';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'dev';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENVIRONMENT = 'dev';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
switch (process.env.ENVIRONMENT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_MCP_SERVERS_DEV_URL || MCP_SERVERS_DEV_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_MCP_SERVER_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = '500';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_SERVER_RATE_LIMIT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalEnv = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'production';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const requiresHttps = process.env.NODE_ENV !== 'development' && !isLocalhost(hostname);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`workflows/wf-${idx}/workflow.json`, JSON.stringify(wf));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: '99',
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'bad-manifest',
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: '99',
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'integration-test-source',
workflows: [{ id: 'wf-x', name: 'X', target: 'workflows/wf-x' }],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'workflows/wf-x/workflow.json',
JSON.stringify(serializedWorkflow({ id: 'wf-x', name: 'X' })),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(
'manifest.json',
JSON.stringify({
packageFormatVersion: FORMAT_VERSION,
exportedAt: new Date().toISOString(),
sourceN8nVersion: '1.0.0',
sourceId: 'integration-test-source',
workflows: [{ id: 'wf-missing', name: 'Missing', target: 'workflows/nowhere-to-be-found' }],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await reader.readFile(path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
request.writer.writeFile(
`${target}/credential.json`,
JSON.stringify(this.credentialSerializer.serialize(credential), null, '\t'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`${target}/folder.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`${target}/project.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
request.writer.writeFile(`${target}/workflow.json`, JSON.stringify(serialized, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/my-workflow-abc/workflow.json', workflowJson);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(reader.readFile('workflows/my-workflow-abc/workflow.json')).resolves.toEqual(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/a/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/b/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{not-json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('oversized.bin', 'x'.repeat(500));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('oversized.bin', 'x'.repeat(500));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile(`workflows/wf-${i}/workflow.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/wf-abc/workflow.json', '{"id":"abc"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('workflows/x/workflow.json', '{"id":"x"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('./workflows/wf/workflow.json', '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writer.writeFile('manifest.json', JSON.stringify(manifest, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_OAUTH2_JWE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT = '100';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT = '200';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '300';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT = '400';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT = '500';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
resource: new URL('https://n8n.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resource: new URL('https://attacker.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resource: new URL('https://n8n.example.com/mcp-server/http/'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://n8n.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://attacker.example.com/mcp-server/http'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://n8n.example.com/mcp-server/http/'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
secure: process.env.NODE_ENV === 'production',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (key.startsWith('N8N_OTEL_')) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_ENABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.join(BASE_DIR, 'nodes-base/dist/known/nodes.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
saved[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[OTEL_ENV_VARS[key]] !== undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = config;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_QUICK_CONNECT_OPTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.all_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'github.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { accessSync, constants as fsConstants } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile, writeFile, access, mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(tempFilePath2, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(knownHostsPath, 'github.com ssh-rsa AAAA...\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(fileName, JSON.stringify(sanitizedWorkflow, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(fileName, JSON.stringify(sanitizedVariables, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(filePath, JSON.stringify(exportableDataTable, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(
fileName,
JSON.stringify(
{
folders: newFolders,
},
null,
2,
),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(fileName, JSON.stringify({ tags: [], mappings: [] }, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(
fileName,
JSON.stringify(
{
// overwrite all tags
tags: tags.map((tag) => ({ id: tag.id, name: tag.name })),
mappings: mappingsToKeep.concat(mappingsOfAllowedWorkflows),
},
null,
2,
),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(filePath, JSON.stringify(stub, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fsWriteFile(fileName, JSON.stringify(sanitizedProject, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { accessSync, constants as fsConstants, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<ExportedFolders>(await fsReadFile(file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<ExportableDataTable[]>(await fsReadFile(file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(variablesFile[0], { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
}>(await fsReadFile(foldersFile[0], { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(tagsFile[0], { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fsReadFile(file, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
}>(await fsReadFile(candidate.file, { encoding: 'utf8' }), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsReadFile(candidate.file, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm as fsRm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(tempFilePath, normalizedKey, { mode: 0o600 });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await readFile(this.sshKeyName + '.pub', { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(this.gitFolder, '/README.md'), SOURCE_CONTROL_README);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mockAuthUrl = new URL('https://provider.com/auth?client_id=123');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const mockAuthUrl = new URL(
'https://provider.com/auth?client_id=123&redirect_uri=http://localhost:5678/callback',
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callbackUrl = new URL('https://example.com/callback');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const discoveryUrl = new URL('https://example.com/.well-known/openid-configuration');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
new URL('https://issuer.example.com/.well-known/openid-configuration'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
discoveryEndpoint: new URL('http://n8n.io/not-set'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const originalEnv = process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = originalEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_ENV_FEAT_TOKEN_EXCHANGE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { Dirent } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const translation = await readFile(translationPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'TRUE';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const value = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const spec = await fs.readFile(openApiSpecPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const swaggerThemeCss = await fs.readFile(swaggerThemePath, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
operationHandlers: process.env.VITEST
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const doc = columnNameYmlSchema.parse(parse(fs.readFileSync(ymlPath, 'utf8')));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { access as fsAccess } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (inDevelopment && process.env.N8N_DEV_RELOAD === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'package.json'),
JSON.stringify({
name: 'n8n-nodes-base',
version: '1.0.0',
n8n: { nodes: [], credentials: [] },
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'dist', 'known', 'nodes.json'),
JSON.stringify({
httpRequest: {
className: 'HttpRequest',
sourcePath: 'dist/nodes/HttpRequest/HttpRequest.node.js',
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(packageDir, 'dist', 'known', 'credentials.json'), JSON.stringify({}));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(packageDir, 'dist', 'types', 'nodes.json'),
JSON.stringify([nodeTypeDescription]),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(packageDir, 'dist', 'types', 'credentials.json'), JSON.stringify([]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '7';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_PREVIEW_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = '"https://example.com/"';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://old.example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = 'https://old.example.com/';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WEBHOOK_URL = undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const keyFileContent = await readFile(keyFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previewMode = process.env.N8N_PREVIEW_MODE === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nodeEnv: process.env.NODE_ENV,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
builtIn: process.env.NODE_FUNCTION_ALLOW_BUILTIN?.split(',') ?? undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
external: process.env.NODE_FUNCTION_ALLOW_EXTERNAL?.split(',') ?? undefined,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
!!this.globalConfig.aiAssistant.baseUrl || !!process.env.N8N_AI_ANTHROPIC_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdir, readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const keyFileContent = await readFile(keyFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await readFile(migrationsFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const migrationsFileContent = await readFile(migrationsFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.globalConfig.webhookUrl || this.trimQuotes(process.env.WEBHOOK_URL) || this.baseUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'custom value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[envVar] = 'custom value';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HOME: process.env.HOME ?? process.env.USERPROFILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_PATH: process.env.NODE_PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
GENERIC_TIMEZONE: process.env.GENERIC_TIMEZONE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_FUNCTION_ALLOW_BUILTIN: process.env.NODE_FUNCTION_ALLOW_BUILTIN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NODE_FUNCTION_ALLOW_EXTERNAL: process.env.NODE_FUNCTION_ALLOW_EXTERNAL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_SENTRY_DSN: process.env.N8N_SENTRY_DSN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_VERSION: process.env.N8N_VERSION,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ENVIRONMENT: process.env.ENVIRONMENT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DEPLOYMENT_NAME: process.env.DEPLOYMENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_INSECURE_MODE: process.env.N8N_RUNNERS_INSECURE_MODE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT: process.env.N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN: process.env.N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HOME: process.env.HOME ?? process.env.USERPROFILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_STDLIB_ALLOW: process.env.N8N_RUNNERS_STDLIB_ALLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_EXTERNAL_ALLOW: process.env.N8N_RUNNERS_EXTERNAL_ALLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS: process.env.N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_RUNNERS_BUILTINS_DENY: process.env.N8N_RUNNERS_BUILTINS_DENY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_BLOCK_RUNNER_ENV_ACCESS: process.env.N8N_BLOCK_RUNNER_ENV_ACCESS,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const includedContent = await readFile(pathJoin(templatesDir, match[1]), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawMarkup = await readFile(pathJoin(templatesDir, `${templateName}.mjml`), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const markup = await readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.ENABLE_OBSERVABILITY === undefined || process.env.ENABLE_OBSERVABILITY === '') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === undefined ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const AI_REQUEST_TIMEOUT_MS = resolveTimeoutMs(process.env.N8N_AI_TIMEOUT_MAX);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream, mkdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { FileHandle } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { open, readFile, readdir, mkdir } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await readFile(fullPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isHealthEndpointCustomized = process.env.N8N_ENDPOINT_HEALTH !== undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalOffloadManualExecutionsToWorkers = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = originalOffloadManualExecutionsToWorkers;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/nodes-base
npm first-party const secureXToken = (await http.request({
url: `https://visibility.${region}.cisco.com/iroh/oauth2/token`,
method: 'POST',
auth: {
username: clientId,
password: clientSecret,
},
body: new URLSearchParams({
grant_type: 'client_credentials',
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Accept: 'application/json',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const secureEndpointToken = (await http.request({
url: `https://api.${region}.cisco.com/v3/access_tokens`,
method: 'POST',
body: new URLSearchParams({
grant_type: 'client_credentials',
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
Accept: 'application/json',
Authorization: `Bearer ${secureXToken.access_token}`,
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const { access_token } = (await http.request({
url: 'https://oauth2.googleapis.com/token',
method: 'POST',
body: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: signature,
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await http.request({
url: tokenUrl,
method: 'POST',
body: body.toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = (await http.request({
url: `${authUrl}/services/oauth2/token`,
method: 'POST',
body: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: signature,
}).toString(),
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
json: true,
timeout: TOKEN_REQUEST_TIMEOUT,
})) as { access_token?: string; instance_url?: string };
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(fullUri, {
method: 'GET',
headers,
signal: AbortSignal.timeout(2000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const credentialsResponse = await fetch(`https://sts.${region}.${getAwsDomain(region)}`, {
method: 'POST',
headers,
body: body.toString(),
signal: AbortSignal.timeout(2000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
lastSuccesfulUpdateReturn = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
responseData = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
response = await this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const request = this.helpers.request(requestOptions);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const result = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers?.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
ctx.base = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await (this.helpers.request(options) as Promise<{ jwt: string }>);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const responseData = await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.helpers.request(options);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 33 low-confidence finding(s)
const getEnv = (key: string): string | undefined => process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const envGetter = (key: string): string | undefined => process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tokenResponse = await fetch(`${baseUrl}/api/token`, {
method: 'PUT',
headers: {
'X-aws-ec2-metadata-token-ttl-seconds': '21600',
'User-Agent': 'n8n-aws-credential',
},
signal: AbortSignal.timeout(2000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const roleResponse = await fetch(`${baseUrl}/meta-data/iam/security-credentials/`, {
method: 'GET',
headers,
signal: AbortSignal.timeout(2000),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
authToken = (await readFile(authTokenFile, 'utf-8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const token = (await readFile(webIdentityTokenFile, 'utf8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_AWS_LEGACY_SIGNER === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VERSION) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_VERSION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const BASE_URL = process.env.AIRTOP_BASE_URL ?? 'https://api.airtop.ai/api/v1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const BASE_URL_V2 = process.env.AIRTOP_BASE_URL_V2 ?? 'https://api.airtop.ai/api/v2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.AIRTOP_HOOKS_BASE_URL ?? 'https://api.airtop.ai/api/hooks';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile as fsWriteFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsWriteFile(path, binaryDataBuffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile as fsReadFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile as fsReadFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflowJson = await fsReadFile(resolvedPath, { encoding: 'utf8' }).catch(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const alasqlSource = await readFile(alasqlBundlePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workbook = xlsxReadFile(binaryPath, xlsxOptions);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(binaryFile.path, uploadData);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { rm } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(nodeFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/core
npm first-party await this.azureBlobService.put(targetFileId, sourceFile, metadata);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
await this.objectStoreService.put(targetFileId, sourceFile, metadata);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
import type { ErrorEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent, EventHint } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { NodeOptions } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { StartSpanOptions } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { StartSpanOptions } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type {
StartSpanOptions as SentryStartSpanOptions,
SpanContextData as SentrySpanContextData,
SpanAttributes as SentrySpanAttributes,
} from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type Sentry from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 108 low-confidence finding(s)
await writeFile(filePath, payload, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const {
existsSync,
promises: { writeFile },
} = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
} = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(filePath, 'utf-8')) as IWorkflowBase &
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'filesystem';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/custom/storage/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/path/one';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/path/two';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/same/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/same/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'invalid-mode';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_STORAGE_PATH = '/custom/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DEFAULT_BINARY_DATA_MODE = 's3';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/storage/path';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'super-secret';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DEFAULT_BINARY_DATA_MODE = 'invalid-mode';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '1024';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = 'not-a-number';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '2048';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_BINARY_DATA_SIGNING_SECRET;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'env-pinned-secret';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceFile = await fs.readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BINARY_DATA_SIGNING_SECRET) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binaryData.data = await readFile(filePath, { encoding: BINARY_ENCODING });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, bufferOrStream);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await jsonParse(await fs.readFile(filePath, { encoding: 'utf-8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(metadata), { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceFile = await fs.readFile(sourcePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = '5';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CODE_ENABLE_STDOUT === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CODE_ENABLE_STDOUT === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(
`${temporaryDir}/${setBinaryDataBufferResponse.id?.replace('filesystem-v2:', '')}`,
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[CONFIG_FILES] = '/path/to/config1,/path/to/config2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[CUSTOM_EXTENSION_ENV] = '/path/to/extensions1;/path/to/extensions2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BINARY_DATA_STORAGE_PATH] = '/path/to/binary/storage';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[UM_EMAIL_TEMPLATES_INVITE] = '/path/to/invite/templates';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[UM_EMAIL_TEMPLATES_PWRESET] = '/path/to/pwreset/templates';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fileHandle.writeFile(content, { encoding: 'binary' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CONFIG_FILES]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(...process.env[CONFIG_FILES].split(','));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[CUSTOM_EXTENSION_ENV]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[BINARY_DATA_STORAGE_PATH]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[BINARY_DATA_STORAGE_PATH]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[UM_EMAIL_TEMPLATES_INVITE]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_INVITE]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env[UM_EMAIL_TEMPLATES_PWRESET]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_PWRESET]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_ID = 'env-pinned-id';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_HMAC_SIGNATURE_SECRET = 'env-pinned-hmac';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_HMAC_SIGNATURE_SECRET,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cgroupV1 = readFileSync('/proc/self/cgroup', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cgroupV2 = readFileSync('/proc/self/mountinfo', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(this.settingsFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hmacSignatureSecretFromEnv = process.env.N8N_HMAC_SIGNATURE_SECRET;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.settingsFile, JSON.stringify(this.settings, null, '\t'), {
mode: this.enforceSettingsFilePermissions.enforce ? 0o600 : undefined,
encoding: 'utf-8',
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isEnvVarSet = !!process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(file, nodeSource(version));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(nodeFile, nodeSource(2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version: '1.0.0' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileString = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileString = await readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const storagePath = process.env.N8N_STORAGE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const binaryDataStoragePath = process.env.N8N_BINARY_DATA_STORAGE_PATH;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_STORAGE_PATH) return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BINARY_DATA_STORAGE_PATH) return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const shouldMigrate = process.env.N8N_MIGRATE_FS_STORAGE_PATH === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/playwright
npm first-party const response = await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
Authorization: `Basic ${auth}`,
},
body: JSON.stringify(payload),
signal: AbortSignal.timeout(30000),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
res = await fetch(url, { headers });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(`http://localhost:${VM_PORT}/api/v1/import`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: readFileSync(metricsFile),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const res = await fetch(`http://localhost:${VL_PORT}/insert/jsonline`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: readFileSync(logsFile),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await this.request.post('/rest/login', {
data: {
emailOrLdapLoginId: credentials.email,
password: credentials.password,
},
maxRetries: 3,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
return await this.api.request.post(`${params.basePath ?? DEFAULT_ENDPOINT_BASE_PATH}/revoke`, {
form: {
token: params.token,
client_id: params.clientId,
...(params.tokenTypeHint && { token_type_hint: params.tokenTypeHint }),
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const acceptResponse = await isolatedContext.post('/rest/invitations/accept', {
data: { token, firstName, lastName, password },
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const inviteResponse = await this.api.request.post('/rest/invitations', {
data: [{ email: user.email, role: user.role }],
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const acceptResponse = await this.api.request.post('/rest/invitations/accept', {
data: {
token,
firstName: user.firstName,
lastName: user.lastName,
password: user.password,
},
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 142 low-confidence finding(s)
export const COVERAGE_ENABLED = process.env.COVERAGE_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
recordKey: process.env.CURRENTS_RECORD_KEY ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
projectId: process.env.CURRENTS_PROJECT_ID ?? 'nHHLA5',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(specDir, `raw-${slugify(testInfo.testId)}.json`),
JSON.stringify({ result }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(specDir, '.spec'), spec);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.N8N_TEST_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_COVERAGE_DIR ? { coverageHostDir: process.env.N8N_COVERAGE_DIR } : {}),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_CONTAINERS_KEEPALIVE === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envBaseURL = process.env.N8N_BASE_URL ?? n8nContainer?.baseUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const client = process.env.LANGSMITH_API_KEY ? new Client() : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
project_name: process.env.LANGSMITH_PROJECT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CONTAINER_TELEMETRY_VERBOSE === '1') return true;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const res = await fetch(QUARANTINE_WEBHOOK_URL, { signal: controller.signal });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.CURRENTS_RECORD_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CURRENTS_RECORD_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(specDir, '.spec'), spec);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const resetE2eDb = process.env.RESET_E2E_DB;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ALLOW_CONTAINER_ONLY = process.env.PLAYWRIGHT_ALLOW_CONTAINER_ONLY === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_MODEL: process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-4o-mini',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_AI_OPENAI_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_AI_OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LANGSMITH_API_KEY: process.env.LANGSMITH_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.ANTHROPIC_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.OPENROUTER_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
OPENROUTER_API_KEY: process.env.OPENROUTER_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.CEREBRAS_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
CEREBRAS_API_KEY: process.env.CEREBRAS_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_SANDBOX_ENABLED: process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_SANDBOX_PROVIDER ?? 'daytona',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_INSTANCE_AI_SANDBOX_IMAGE: process.env.N8N_INSTANCE_AI_SANDBOX_IMAGE ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.DAYTONA_API_URL && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DAYTONA_API_URL: process.env.DAYTONA_API_URL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.DAYTONA_API_KEY && {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
DAYTONA_API_KEY: process.env.DAYTONA_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IS_CI = !!process.env.CI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IS_DEV = !!process.env.N8N_EDITOR_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testEnv = process.env.N8N_TEST_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SKIP_WEB_SERVER = process.env.PLAYWRIGHT_SKIP_WEBSERVER === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
headless: process.env.SHOW_BROWSER !== 'true',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
currentsFixturesEnabled: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
['junit', { outputFile: process.env.PLAYWRIGHT_JUNIT_OUTPUT_NAME ?? 'results.xml' }],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.CURRENTS_RECORD_KEY ? [currentsReporter(currentsConfig)] : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { appendFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryPath = process.env.GITHUB_STEP_SUMMARY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.LANGSMITH_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const project = process.env.LANGSMITH_PROJECT ?? 'unset';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookUrl = options.webhookUrl ?? process.env.QA_METRICS_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookUser = options.webhookUser ?? process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.webhookPassword = options.webhookPassword ?? process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.GITHUB_REF ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runId = process.env.GITHUB_RUN_ID ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: (process.env.GITHUB_SHA ?? this.gitFallback('rev-parse HEAD'))?.slice(0, 8) ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId && process.env.GITHUB_REPOSITORY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workflow: process.env.GITHUB_WORKFLOW ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
job: process.env.GITHUB_JOB ?? null,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
attempt: process.env.GITHUB_RUN_ATTEMPT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
provider: !process.env.CI
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.RUNNER_ENVIRONMENT === 'github-hosted'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path.join(dir, `${label}-${i}.lcov`), transform(readFileSync(file, 'utf8'))),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_ROOT_PREFIX = process.env.IMAGE_ROOT_PREFIX ?? '/usr/local/lib/node_modules/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const name = JSON.parse(readFileSync(pkgJson, 'utf8')).name as string;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
source = readFileSync(r.bytesFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const map = JSON.parse(readFileSync(`${r.bytesFile}.map`, 'utf8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, existsSync, mkdirSync, copyFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
dockerfilePath,
`FROM ${targetImage}
COPY e2e.controller.js /usr/local/lib/node_modules/n8n/dist/controllers/e2e.controller.js
`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(attachment.path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryPath = process.env.GITHUB_STEP_SUMMARY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const TOKEN = process.env.CODECOV_API_TOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(sibling, 'specA', '.spec'), 'tests/e2e/x.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(allowPath, [...union].join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dir = process.env.N8N_COVERAGE_DIR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
parsed = JSON.parse(readFileSync(file, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
JSON.parse(readFileSync(file, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
parsed = JSON.parse(readFileSync(join(dir, rf), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CURRENTS_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const map = buildMap(parseLcov(readFileSync(lcovPath, 'utf8')), specId);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const diff = parseDiff(readFileSync(diffPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(readFileSync(tracesFile, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
wrappedFile,
JSON.stringify({
data: traces,
total: traces.length,
limit: traces.length,
offset: 0,
errors: null,
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
body: readFileSync(metricsFile),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
body: readFileSync(logsFile),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const image = process.env.TEST_IMAGE_N8N ?? 'n8nio/n8n:local';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_BASE_URL) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
backendUrl = process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
brokerPort = process.env.N8N_RUNNERS_BROKER_PORT ?? String(await getFreePort());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LOG_LEVEL: process.env.N8N_LOG_LEVEL ?? 'info',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const changedFiles = process.argv.slice(2).join(',') || process.env.CHANGED_FILES || '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
allSpecs: process.env.ALL_SPECS_FILE,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
base: process.env.BASE_REF,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(laneDir, 'test-results.json'),
JSON.stringify(testResultsWithReports(specs)),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const written = JSON.parse(readFileSync(join(laneDir, looseFiles[0]), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'test-results.json'),
JSON.stringify({ suites: [{ specs: [{ tests: [{ results: [{ attachments: [] }] }] }] }] }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(root, 'test-results.json'), '{ not valid json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args['hardware-runner'] ?? process.env.SIZING_MATRIX_RUNNER ?? DEFAULT_HARDWARE.runner;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.SIZING_MATRIX_VCPU
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? Number(process.env.SIZING_MATRIX_VCPU)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: process.env.SIZING_MATRIX_RAM_GB
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? Number(process.env.SIZING_MATRIX_RAM_GB)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(join(REPO_ROOT, 'packages/cli/package.json'), 'utf8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const head = readFileSync(join(REPO_ROOT, '.git/HEAD'), 'utf8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(join(REPO_ROOT, '.git', refPath), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const overrides = JSON.parse(readFileSync(path, 'utf8')) as SpecMapping;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.CURRENTS_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outPath, buf);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
report = JSON.parse(readFileSync(file, 'utf8')) as JSONReport;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(laneDir, `${stem}.run-report.${index}.json`), body);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = JSON.parse(readFileSync(path, 'utf8')) as RunReport;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.out, JSON.stringify(matrix, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.markdownOut, renderMarkdown(matrix));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(workerCmd, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
unboundGrowthOutput = await readFile(or.analysisOutputFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shapeGrowthOutput = await readFile(sr.analysisOutputFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(reportPath, JSON.stringify(report, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(`${outputDir}/${label}-smaps-raw.txt`, data.raw);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(`${outputDir}/${label}-rss-breakdown.json`, JSON.stringify(summary, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_EDITOR_URL ?? process.env.N8N_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/instance-ai
npm first-party const response = await fetch(getOpenAiResponsesUrl(model.url), {
method: 'POST',
headers: {
Authorization: `Bearer ${model.apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(requestBody),
signal: abortSignal,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(new URL(path, this.config.baseUrl), {
headers: { Authorization: `Bearer ${this.config.apiKey}` },
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(new URL(path, this.config.baseUrl), {
method,
headers: {
Authorization: `Bearer ${this.config.apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 319 low-confidence finding(s)
const raw = jsonParse<unknown>(readFileSync(join(WORKFLOWS_DIR, file), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = originalEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_SHA = '357e949547671e2cd1c017eb4e7c809cd55bd121';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-branch';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF = 'should-not-be-used';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_HEAD_REF = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF_NAME = 'master';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = '30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature//thing';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'should-not-be-used';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = originalEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_EVENT_NAME = 'pull_request_review';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_RUN_ID = '12345';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH = 'feature-x';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_REVISION_ID = '357e949547671e2cd1c017eb4e7c809cd55bd121';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_REF = 'refs/pull/30711/merge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify(makeSeed()));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify({ messages: [{ id: 'm1' }] }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify({ messages: [] }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync, readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, readFileSync, rmSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const logged = readFileSync(String(result.logFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed: unknown = JSON.parse(readFileSync(path, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdtempSync, rmSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, JSON.stringify(content));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(path, '{ this is not json');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, JSON.stringify(entries), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const VERIFIER_DEBUG = process.env.N8N_EVAL_VERIFIER_DEBUG === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (validated.buildViaMcp && !process.env.LANGSMITH_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.manifestPath, JSON.stringify(manifest, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(args.statsPath, JSON.stringify(stats, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
console.log(readFileSync(args.manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.GITHUB_ACTIONS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
trigger: process.env.GITHUB_EVENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
commitSha: process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
prNumber: process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//)?.[1],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GITHUB_ACTIONS !== 'true') return undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sha = process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(summaryPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(resultsPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(args.out, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdirSync, unlinkSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasLangSmith = Boolean(process.env.LANGSMITH_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const commitSha = process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(jsonPath, JSON.stringify(report, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
prCommentPath,
formatComparisonMarkdown(evaluation, outcome, {
commitSha,
slugByTestCase,
rerun,
gate,
passMetrics: { passAtK: metrics.passAtK, passHatK: metrics.passHatK },
experimentUrl,
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(tmpPath, JSON.stringify({ mcpServers: { [serverName]: block } }), { mode: 0o600 });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(logFile, stdout || stderr || fallback);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(exampleIdsFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
baseUrl: get('--base-url') ?? process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(absolute, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(workflowPath, JSON.stringify(record.workflow, null, 2), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(jsonlPath, lines.join('\n') + '\n', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(csvPath, [csvHeader, ...csvRows].join('\n') + '\n', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(outputDir, 'summary.json'),
JSON.stringify(summary, null, 2),
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(reportFile, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(summaryPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(resultsPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(args.reportFile, html, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const loginEmail = email ?? process.env.N8N_EVAL_EMAIL ?? '[email protected]';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const loginPassword = password ?? process.env.N8N_EVAL_PASSWORD ?? 'PlaywrightTest123';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'README.md'), '# hello');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'docs', 'workflow.md'), '...');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'readme.txt'), '...');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(outside, 'secret.md'), 'should not be readable');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(parent, 'sibling.md'), '# sibling');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'leftover.md'), '# still here');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'project', 'briefing.md'), '# moved');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), '# Architecture\n\nThis describes the workflow.');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), 'random unrelated content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(join(dir, 'doc.md'), '# Architecture only');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(join(dataDir, file), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(reportPath, JSON.stringify(report, null, 2), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(htmlPath, renderHtml(report), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await readFile(absPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = jsonParse<RunReport>(readFileSync(inputPath, 'utf-8'), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, renderHtml(report), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await readFile(fixturePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envToken = template.envVar ? process.env[template.envVar] : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEFAULT_MODEL = process.env.N8N_INSTANCE_AI_EVAL_MODEL ?? 'anthropic/claude-sonnet-4-6';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.ANTHROPIC_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return jsonParse<T>(readFileSync(filePath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
model: (process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-5.5').split('/').at(-1) ?? 'gpt-5.5',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, JSON.stringify(requestBody, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = JSON.parse(readFileSync(filePath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_ENDPOINT ?? process.env.LANGCHAIN_ENDPOINT ?? US_DEFAULT_ENDPOINT,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homeKey = process.env.LANGSMITH_API_KEY ?? process.env.LANGCHAIN_API_KEY ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const usHost = bareHost(process.env.LANGSMITH_ENDPOINT_US ?? US_DEFAULT_ENDPOINT);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const usKey = process.env.LANGSMITH_API_KEY_US ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = JSON.parse(readFileSync(path, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = process.env.N8N_EVAL_MAX_CONCURRENT_SCENARIOS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(
filePath,
JSON.stringify(
{
timestamp,
workflowId: input.workflowId,
testCaseName: input.testCaseName,
scenarioName: input.scenarioName,
passed: input.passed,
result: input.result ?? null,
verificationResults: input.verificationResults,
verifierAttempts: input.verifierAttempts,
buildTrace: input.buildTrace ?? null,
},
null,
2,
),
'utf8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(jsonPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(reportPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(reportDir, 'workflow-eval-llm-debug.html'), html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(reportPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(reportDir, 'workflow-eval-report.html'), html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
modelId: process.env.N8N_INSTANCE_AI_EVAL_MODEL,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
baseUrl: process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(join(DATA_DIR, file), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.N8N_VERSION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.DAYTONA_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiUrl = process.env.DAYTONA_API_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseImage = process.env.SANDBOX_IMAGE || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { mkdirSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(target, renderFile(agent, variant), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
entry.content ?? (await readFile(join(referenceSourceDir, entry.fileName), 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const skill = readFileSync(
join(INSTANCE_AI_SKILLS_DIR, 'workflow-builder', 'SKILL.md'),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = enabledModules;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalE2ETests = process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.E2E_TESTS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.E2E_TESTS = originalE2ETests;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(registry.byUrl.get(GOOGLE_OAUTH_URL)?.title).toBe('Google: OAuth2 single service');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
expect(registry.byUrl.get(FIGMA_CREDENTIALS_URL)?.title).toBe('Figma credentials');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.E2E_TESTS !== 'true' || allowList === undefined) return undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = readFileSync(
join(INSTANCE_AI_SKILLS_DIR, POST_BUILD_FLOW_SKILL_ID, 'SKILL.md'),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithTracing = process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithProject = process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainProject = process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalTraceInternal = process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = 'test-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = originalLangSmithTracing;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_PROJECT = originalLangSmithProject;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_PROJECT = originalLangChainProject;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = originalTraceInternal;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGSMITH_TRACING).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGCHAIN_TRACING_V2).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_PROJECT = 'instance-ai-evals';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_ENDPOINT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_ENDPOINT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangSmithTracing = process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = 'test-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = originalLangSmithTracing;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_DIAGNOSTICS_ENABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.LANGSMITH_PROJECT ?? process.env.LANGCHAIN_PROJECT ?? DEFAULT_PROJECT_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (readBooleanEnvFlag(process.env.N8N_DIAGNOSTICS_ENABLED) === false) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 ?? process.env.LANGSMITH_TRACING,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_ENDPOINT ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_ENDPOINT ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INTERNAL === 'true' ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TRACE_INCLUDE_INTERNAL === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return extractPackageVersion(JSON.parse(await readFile(packageJsonPath, 'utf8')));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_ENABLED_MODULES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai,agents';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = ' instance-ai, agents ';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY = 'generic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'provider-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENAI_API_KEY = 'openai-key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(process.env.N8N_ENABLED_MODULES ?? '')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_EVAL_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const providerKey = providerKeyEnv ? process.env[providerKeyEnv] : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(provider === 'anthropic' ? process.env.N8N_AI_ANTHROPIC_KEY : undefined) ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = process.env.N8N_INSTANCE_AI_MODEL_URL?.trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedArchive = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedEtag = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cachedSha = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"pre-existing"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"orphan"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(blockedArchivePath, 'block'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const etagOnDisk = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), corruptArchive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'deadbeef'.repeat(8));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), legacyArchive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"legacy-etag"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(legacyArchive));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const channelOnDisk = await fsp.readFile(path.join(cacheDir, 'channel.txt'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"latest-etag"');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(archive));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'latest');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '6';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = 'banana';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '-4';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_TEMPLATES_URL = 'https://example.com/v2';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await lazyWorkspace.filesystem?.readFile('/workspace/report.md');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[LINK_WORKSPACE_SDK_ENV];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[LINK_WORKSPACE_SDK_ENV] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalLinkSdk = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await workspace.filesystem?.writeFile('src/workflow.ts', 'code', { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workspace.filesystem?.readFile('/workspace/builders/agent-2/src/workflow.ts'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(readFile(join(stagingDir, 'skills/demo/SKILL.md'), 'utf-8')).resolves.toBe(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(readFile(join(first.stagingDir, 'package.json'), 'utf-8')).resolves.toBe(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(results[0].stagingDir, 'skills/post-build-flow/SKILL.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(results[0].stagingDir, 'knowledge-base/templates/example.ts'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/data-table-manager/SKILL.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(
join(stagingDir, 'skills/data-table-manager/references/data-table-playbook.md'),
'utf-8',
),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/registry.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'skills/.manifest.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/best-practices/index.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(join(stagingDir, 'knowledge-base/.manifest.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await fsp.readFile(archivePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fsp.readFile(path.join(this.cacheDir, ETAG_FILENAME), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fsp.readFile(path.join(this.cacheDir, SHA256_FILENAME), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = (await fsp.readFile(path.join(this.cacheDir, CHANNEL_FILENAME), 'utf-8')).trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsp.writeFile(tmp, contents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = process.env.N8N_INSTANCE_AI_TEMPLATES_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hoursRaw = process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const disabled = process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await (await this.getFilesystem()).readFile(path, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await (await this.getFilesystem()).writeFile(path, content, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const v = process.env[ENV_FLAG];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tarball = await readFile(tarballPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const linkFlag = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(path, content, { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await this.filesystem.readFile(resolvePath(this.root, path), options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await this.filesystem.writeFile(resolvePath(this.root, path), content, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(targetPath, content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return decodeWorkspaceFileContent(await filesystem.readFile(filePath, { encoding: 'utf-8' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await workspace.filesystem.writeFile(filePath, content, { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/containers
npm first-party const { headers, body } = await undiciRequest(formAction, {
method: 'POST',
headers: loginHeaders,
body: loginBody.toString(),
dispatcher: agent,
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
const response = await fetch(`http://${host}:${hostPort}/api/tunnels`);
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 40 low-confidence finding(s)
if (process.env.N8N_LICENSE_TENANT_ID) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extraEnvs.push({ name: 'N8N_LICENSE_TENANT_ID', value: process.env.N8N_LICENSE_TENANT_ID });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_LICENSE_ACTIVATION_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value: process.env.N8N_LICENSE_ACTIVATION_KEY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_LICENSE_CERT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extraEnvs.push({ name: 'N8N_LICENSE_CERT', value: process.env.N8N_LICENSE_CERT });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(kubeConfigPath, namedKubeconfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(defaultKubeconfig, merged);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(values['url-file'], stack.baseUrl);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(values['kubeconfig-file'], stack.kubeConfigPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.CI || os.platform() !== 'linux') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (failures.length > 0 && process.env.STRICT_IMAGE_PULL === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(devEnvFilePath(), lines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_ENCRYPTION_KEY: process.env.N8N_ENCRYPTION_KEY ?? 'test-encryption-key',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_TENANT_ID: process.env.N8N_LICENSE_TENANT_ID ?? '1001',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_ACTIVATION_KEY: process.env.N8N_LICENSE_ACTIVATION_KEY ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
N8N_LICENSE_CERT: process.env.N8N_LICENSE_CERT ?? '',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.N8N_LICENSE_ACTIVATION_KEY && !process.env.N8N_LICENSE_CERT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const authToken = process.env.NGROK_AUTHTOKEN;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(processedExpectation, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ref = process.env.GITHUB_REF ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: process.env.GITHUB_SHA?.slice(0, 8) ?? 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
branch: process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME ?? 'local',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
job: process.env.GITHUB_JOB,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
workflow: process.env.GITHUB_WORKFLOW,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
attempt: process.env.GITHUB_RUN_ATTEMPT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.CI) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.RUNNER_ENVIRONMENT === 'github-hosted') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const repo = process.env.GITHUB_REPOSITORY ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let value = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value = process.env.N8N_DOCKER_IMAGE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/cli
npm first-party response = await fetch(url.toString(), { method, headers, body });
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 23 low-confidence finding(s)
delete process.env.N8N_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_URL = 'https://env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_URL = 'https://env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_API_KEY = 'env_key';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(0, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(flags.file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(flags.output, archive);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = fs.readFileSync(flags.file);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(skillSource, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existing = fs.readFileSync(targetFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, stripped);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existing = fs.readFileSync(targetFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(targetFile, stripped);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', {
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
url: flags.url ?? process.env.N8N_URL ?? config.url,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: flags.apiKey ?? process.env.N8N_API_KEY ?? config.apiKey,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/computer-use
npm first-party const response = await fetch(url, {
method: 'POST',
headers,
body: JSON.stringify({
rootPath: this.dir,
tools,
hostIdentifier: `${os.userInfo().username}@${os.hostname()}`,
toolCategories: this.activeToolCategories,
}),
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 37 low-confidence finding(s)
process.env.N8N_GATEWAY_ALLOWED_ORIGINS = 'https://from-env.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[`${ENV_PREFIX}${name}`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const logLevel = envString('LOG_LEVEL') ?? process.env.LOG_LEVEL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(dir, 'settings.json'), JSON.stringify(initial), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, 'not-json', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, existing, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(initialSettings, null, 2), {
encoding: 'utf-8',
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(this.filePath, JSON.stringify(this.persistent, null, 2), {
encoding: 'utf-8',
mode: 0o600,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, existing, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(resolvedReadablePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(resolvedWritablePath, content.replace(oldString, newString), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(resolvedPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(baseDir, 'binary.dat'), Buffer.from([0xff, 0xfe, 0xfd, 0xfc]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(fullPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(resolvedPath, content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.WAYLAND_DISPLAY && !process.env.DISPLAY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalWaylandDisplay = process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalDisplay = process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WAYLAND_DISPLAY = originalWaylandDisplay;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = originalDisplay;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.WAYLAND_DISPLAY = 'wayland-0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = ':0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.WAYLAND_DISPLAY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DISPLAY = ':0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/mcp-apps
npm first-party telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDER_FAILED, {
...getPreviewTelemetryPayload(),
reason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDERED_SUCCESSFULLY,
getPreviewTelemetryPayload(),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.OPEN_IN_N8N_CLICKED, {
...getPreviewTelemetryPayload(),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_COMPLETED, {
...getPreviewToolCallTelemetryPayload(requestId),
duration_ms: Math.max(0, Math.round(performance.now() - startedAt)),
outcome,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_CRASHED, {
...getPreviewTelemetryPayload(),
...(message ? { error_message: sanitizeTelemetryErrorMessage(message) } : {}),
source: WORKFLOW_PREVIEW_CRASH_SOURCES.PREVIEW_IFRAME_ERROR,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(
WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_REQUESTED,
getPreviewToolCallTelemetryPayload(requestId),
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(event, {
app,
...getMcpClientTelemetryProperties(hostVersion.value),
error_message: sanitizeTelemetryErrorMessage(getErrorMessage(error)),
source,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track(events.renderFailed, {
app,
...getMcpClientTelemetryProperties(hostVersion.value),
error_message: getConnectionErrorReason(connectionError.value),
reason: renderFailedReason,
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', { boot_ms: 42 });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', {
apiKey: 'secret-api-key',
error_message: 'Authorization: Bearer abc.def-ghi_jkl/mno=',
});
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event');
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
telemetry.track('Test event', { reason: 'x' });
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.rudderStack?.track(
event,
{
...sanitizedProperties,
instance_id: this.config.instanceId,
version_cli: this.config.versionCli,
},
// Send a fake IP so RudderStack does not capture the user's real one.
{ context: { ip: '0.0.0.0' } },
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 2 low-confidence finding(s)
const html = await readFile(join(getPackageRoot(), 'dist', 'apps', fileName), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) as PackageJson;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/agents
npm first-party tracker.track(inner);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(a);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(b);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(rejected);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(inner);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracker.track(Promise.resolve());
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.backgroundTasks.track(titlePromise);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.backgroundTasks.track(queued);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
this.tracker.track(queued);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 92 low-confidence finding(s)
if (!process.env.OPENAI_API_KEY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(OUT_PATH, JSON.stringify(fixture));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return Boolean(process.env[envVar]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isReplayMode = Boolean(process.env.CI);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const IS_RECORD_MODE = process.env.VCR_MODE === 'record';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const IS_REPLAY_MODE = Boolean(process.env.CI);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const PG_URL = process.env.PG_VECTOR_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_URL = process.env.QDRANT_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(path.resolve(__dirname, '../fixtures/bulk-vector-fixture.json'), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/index.ts', 'console.log("hello")');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/README.md', '# Project');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/data.json', '{"key": "value", "count": 42}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/source.txt', 'alpha');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/project/remove-me/old.txt', 'remove this');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile(
'/project/config.ts',
[
'export const region = "OLD_REGION";',
'export const owner = "OLD_OWNER";',
'export const status = "OLD_STATUS";',
].join('\n'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.LANGCHAIN_TRACING_V2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.LANGCHAIN_TRACING_V2).toBe('true');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile('/test');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile('/test')).rejects.toThrow();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(filesystem.readFile('/workspace/file.txt')).resolves.toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile('/workspace/nested/file.txt', 'hello', { recursive: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile('/workspace/file.txt', { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await this.readFile(src);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await this.writeFile(dest, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/log.txt', 'line1\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await memFs.readFile('/log.txt', { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/original.txt', 'original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await memFs.readFile('/copy.txt', { encoding: 'utf-8' })).toBe('original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await memFs.readFile('/moved.txt', { encoding: 'utf-8' })).toBe('original');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await memFs.writeFile('/deep/nested/file.txt', 'data');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(memFs.readFile('/nonexistent')).rejects.toThrow('ENOENT');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGCHAIN_TRACING_V2 ??= 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://proxy:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://proxy:9090';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://https-proxy:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://http-proxy:9090';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(MODELS_DEV_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(skillDir, 'SKILL.md'),
`---
name: workflow-builder
description: Build workflows.
---
Use the workflow SDK.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(skillDir, 'references', 'guide.md'), 'Guide text');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(skillDir, 'examples', 'slack.workflow.ts'), 'export default {};');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(intentSkillDir, 'SKILL.md'),
`---
name: intent-recognition
description: Classify intent.
---
Classify automation intent.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(intentSkillDir, 'references', 'taxonomy.md'), 'Taxonomy text');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(workflowSkillDir, 'SKILL.md'),
`---
name: workflow-builder
description: Build workflows.
---
Use the workflow SDK.`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, lstatSync, readdirSync, readFileSync, statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content: readFileSync(join(skill.directory, normalizedPath), 'utf-8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(skillPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha256: createHash('sha256').update(readFileSync(abs)).digest('hex'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await client.readFile(sandboxId, path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await client.writeFile(sandboxId, path, content, options?.overwrite ?? true);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, editedContent, { overwrite: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, {
encoding: (input.encoding ?? 'utf-8') as BufferEncoding,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, editedContent, { overwrite: true });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await filesystem.writeFile(input.path, input.content, { recursive: input.recursive });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENAI_API_KEY = 'sk-proj-1234567890';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = 'sk-proj-1234567890';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/errors
npm first-partyimport type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (npm): packages/@n8n/task-runner
npm first-partyimport type { ErrorEvent } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
import type { ErrorEvent, Exception } from '@sentry/core';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 6 low-confidence finding(s)
process.env.N8N_RUNNERS_TASK_BROKER_URI = 'http://127.0.0.1:5679';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync('package.json', 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
scriptPath,
`const Module = require("module");
if (process.env.NODE_PATH) { Module._initPaths(); }
try {
require("${packageName}");
console.log(JSON.stringify({ success: true }));
} catch (e) {
console.log(JSON.stringify({ success: false, error: e.message }));
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
scriptNoInitPath,
`process.env.NODE_PATH = "${nodeModulesPath}";
try {
require("${packageName}");
console.log(JSON.stringify({ success: true }));
} catch (e) {
console.log(JSON.stringify({ success: false, error: e.message }));
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'test') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_PATH) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/nodes-langchain
npm first-party temp.track();
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 9 low-confidence finding(s)
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(tempDbPath, bufferString);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://my-mcp-endpoint.ai/sse');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL('https://my-mcp-endpoint.ai/sse');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await expect(customFetch!(new URL('https://allowed.example/sse'), {} as any)).rejects.toThrow(
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.ENABLE_OBSERVABILITY = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_OBSERVABILITY === 'true' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/workflow
npm first-partyimport type { Event } from '@sentry/node';
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
expand_more 4 low-confidence finding(s)
env: process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false' ? {} : process.env,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { PathLike } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/ai-utilities
npm first-partyexpand_more 61 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://example.com');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.N8N_AI_TIMEOUT_MAX;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://http-proxy.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.http_proxy = 'http://http-proxy-lowercase.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'https://https-proxy.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = 'https://https-proxy-lowercase.example.com:8080';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = httpProxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = httpsProxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '*.internal.company.com,localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = 'localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_AI_TIMEOUT_MAX = '300000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.http_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.https_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('https://api.openai.com/v1');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL('http://api.example.com/data');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'localhost,127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = proxyUrl;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pdfBuffer = readFileSync(
join(__dirname, '../../../../../nodes-base/nodes/ReadPdf/test/sample.pdf'),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(variant) => `// ── mode: ${variant.mode} ──\n${readFileSync(variant.filePath, 'utf-8')}`,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(pathResult.filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const DEFAULT_TIMEOUT = parseInt(process.env.N8N_AI_TIMEOUT_MAX ?? '3600000', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await readFile(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VECTOR_STORE_MAX_MEMORY) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed = parseInt(process.env.N8N_VECTOR_STORE_MAX_MEMORY, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_VECTOR_STORE_TTL_HOURS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed = parseInt(process.env.N8N_VECTOR_STORE_TTL_HOURS, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/ai-workflow-builder.ee
npm first-partyexpand_more 66 low-confidence finding(s)
delete process.env.LANGSMITH_DATASET_NAME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(csvPath, content, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(promptPath, 'utf-8')).toBe('Create a test workflow');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const workflow = jsonParse<ParsedWorkflow>(fs.readFileSync(workflowPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(errorPath, 'utf-8')).toBe('Generation failed: timeout');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.LANGSMITH_DATASET_NAME ?? 'workflow-builder-canvas-prompts';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.GITHUB_ACTIONS === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
trigger: process.env.GITHUB_EVENT_NAME,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
runId: process.env.GITHUB_RUN_ID,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rows = parseCsv(readFileSync(resolvedPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(outputPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, '', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, lines.join('\n') + '\n', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'prompt.txt'), result.prompt, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(exampleDir, 'workflow.json'),
JSON.stringify(workflowForExport, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'code.ts'), result.generatedCode, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'response.txt'), result.agentTextResponse, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(exampleDir, 'feedback.json'),
JSON.stringify(feedbackOutput, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(exampleDir, 'error.txt'), result.error, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(outputDir, 'summary.json'),
JSON.stringify(summaryOutput, null, 2),
'utf-8',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANGSMITH_TRACING = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envValue = process.env.LANGSMITH_MINIMAL_TRACING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(summaryPath, summaryContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(generatedPath, JSON.stringify(generatedWorkflow)),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(groundTruthPath, JSON.stringify(groundTruthWorkflow)),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env[envVar];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.LANGSMITH_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envConcurrency = process.env.EVALUATION_CONCURRENCY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.GENERATE_TEST_CASES === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envCount = process.env.GENERATE_TEST_CASES_COUNT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const disabledNodesEnv = process.env.N8N_EVALS_DISABLED_NODES ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const nodesData = readFileSync(nodesPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync, readFileSync, readdirSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(join(entryPath, nodeFile), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsedConcurrency = parseInt(process.env.CONCURRENCY ?? '', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(summaryPath, summaryLines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputFile, markdownContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envConfig = { apiKey: process.env.N8N_AI_ANTHROPIC_KEY ?? '' };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.E2E_TESTS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/api-types
npm first-partyexpand_more 1 low-confidence finding(s)
const envMinLength = parseInt(process.env.N8N_PASSWORD_MIN_LENGTH ?? '', 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/backend-common
npm first-partyexpand_more 13 low-confidence finding(s)
delete process.env.NO_COLOR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_COLOR = '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_COLOR;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
private readonly noColor = process.env.NO_COLOR !== undefined && process.env.NO_COLOR !== '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_COLOR !== 'false' && process.env.NO_COLOR !== '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'instance-ai';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_ENABLED_MODULES = 'insights,invalidModule';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_DISABLED_MODULES = 'insights,invalidModule';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dir = process.env.NODE_ENV === 'test' && srcDirExists ? 'src' : 'dist';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/backend-network
npm first-partyexpand_more 116 low-confidence finding(s)
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.HTTP_PROXY) process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.HTTPS_PROXY) process.env.HTTPS_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.ALL_PROXY === true) process.env.ALL_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.ALL_PROXY && env.ALL_PROXY !== true) process.env.ALL_PROXY = env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (env.NO_PROXY) process.env.NO_PROXY = env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxyServer.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(validateUrl).toHaveBeenCalledWith(new URL(`${baseUrl}/ok`));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL('https://api.example.com/data');
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = proxy.url;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
savedEnv[key] = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://127.0.0.1:1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://127.0.0.1:1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1,localhost';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] = savedEnv[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (isProxyVar(key)) delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = 'http://env-proxy:3128';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HTTP_PROXY: process.env.HTTP_PROXY ?? process.env.http_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
HTTPS_PROXY: process.env.HTTPS_PROXY ?? process.env.https_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
NO_PROXY: process.env.NO_PROXY ?? process.env.no_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ALL_PROXY: process.env.ALL_PROXY ?? process.env.all_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNoProxy = process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNoProxyLower = process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[name] = value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com,internal.net';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com,internal.net');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com,internal.net');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1, localhost, example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = '127.0.0.1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('localhost,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = 'internal.lan';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('127.0.0.1,localhost,internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.no_proxy).toBe('internal.lan');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBeUndefined();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'first.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('first.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'second.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,second.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NO_PROXY).toBe('second.example.com');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HTTPS_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ALL_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'api.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ALL_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY = PROXY_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = 'api.example.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = readFileSync(file, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
value: process.env[name],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[name] = captured.value;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const lower = process.env.no_proxy;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const upper = process.env.NO_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NO_PROXY = merged;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.no_proxy = merged;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTP_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.http_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HTTPS_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.https_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ALL_PROXY,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.all_proxy,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/backend-test-utils
npm first-partyexpand_more 1 low-confidence finding(s)
const templateDb = dbType === 'postgresdb' ? process.env.N8N_TEST_TEMPLATE_DB : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/benchmark
npm first-partyexpand_more 24 low-confidence finding(s)
const n8nTag = argv.n8nDockerTag || process.env.N8N_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const benchmarkTag = argv.benchmarkDockerTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const k6ApiToken = argv.k6ApiToken || process.env.K6_API_TOKEN || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
argv.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
argv.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseRunDir = argv.runDir || process.env.RUN_DIR || '/n8n';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseCert = argv.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseActivationKey = process.env.N8N_LICENSE_ACTIVATION_KEY || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseTenantId = argv.n8nLicenseTenantId || process.env.N8N_LICENSE_TENANT_ID || '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PATH: process.env.PATH,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nTag = args.n8nTag || process.env.N8N_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const benchmarkTag = args.benchmarkTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const k6ApiToken = args.k6ApiToken || process.env.K6_API_TOKEN || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
args.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const n8nLicenseCert = args.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(credentialFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(workflowFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(dataTableFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(scenarioManifestPath, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testScript = fs.readFileSync(fullTestScriptPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const summaryReport = fs.readFileSync(summaryReportPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/config
npm first-partyexpand_more 6 low-confidence finding(s)
const raw = process.env.N8N_DB_PING_TIMEOUT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (envName in process.env) return process.env[envName];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const filePath = process.env[`${envName}_FILE`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const value = readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/db
npm first-partyexpand_more 33 low-confidence finding(s)
const original = readFileSync(indexPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(indexPath, lines.join('\n'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(targetFile, migrationTemplate(className));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const args = { command: null, dbType: null, docker: !!process.env.CI };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TYPE = 'sqlite';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_SQLITE_DATABASE = file;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TABLE_PREFIX = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TYPE = 'postgresdb';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_HOST = conn.host;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_PORT = String(conn.port);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_DATABASE = conn.database;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_USER = conn.username;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_PASSWORD = conn.password;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_POSTGRESDB_SCHEMA = conn.schema;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DB_TABLE_PREFIX = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const externalHost = process.env.DB_POSTGRESDB_HOST ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
port: Number(process.env.DB_POSTGRESDB_PORT ?? '5432'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
username: process.env.DB_POSTGRESDB_USER ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
password: process.env.DB_POSTGRESDB_PASSWORD ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
database: process.env.DB_POSTGRESDB_DATABASE ?? 'postgres',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.N8N_DB_PING_TIMEOUT) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(this.privateKeyPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFile(this.publicKeyPath, { encoding: 'utf8' }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(this.privateKeyPath, privateKey, { encoding: 'utf8', mode: 0o600 }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFile(this.publicKeyPath, publicKey, { encoding: 'utf8', mode: 0o600 }),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, rmSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const surveyFile = readFileSync(filename, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'test') return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === 'test') return;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { statSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const migrationsPruningEnabled = process.env.MIGRATIONS_PRUNING_ENABLED === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/eslint-config
npm first-partyexpand_more 3 low-confidence finding(s)
'unused-imports/no-unused-imports': process.env.NODE_ENV === 'development' ? 'warn' : 'error',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
'n8n-local-rules/no-skipped-tests': process.env.NODE_ENV === 'development' ? 'warn' : 'error',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.CI === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/eslint-plugin-community-nodes
npm first-partyexpand_more 3 low-confidence finding(s)
const content = readFileSync(packageJsonPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceCode = readFileSync(credentialFilePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const sourceCode = readFileSync(nodeFile, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/expression-runtime
npm first-partyexpand_more 1 low-confidence finding(s)
return await readFile(path.join(dir, BUNDLE_RELATIVE_PATH), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/extension-sdk
npm first-partyexpand_more 2 low-confidence finding(s)
import { writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(resolve(rootDir, filepath), formattedSchema);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/json-schema-to-zod
npm first-partyexpand_more 2 low-confidence finding(s)
require('fs').writeFileSync('./dist/cjs/package.json', '{"type":"commonjs"}', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
require('fs').writeFileSync('./dist/esm/package.json', '{"type":"module"}', 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/local-gateway
npm first-partyexpand_more 4 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
img.addRepresentation({ scaleFactor: 1.0, buffer: fs.readFileSync(path1x) });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
img.addRepresentation({ scaleFactor: 2.0, buffer: fs.readFileSync(path2x) });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/mcp-browser
npm first-partyexpand_more 17 low-confidence finding(s)
delete process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'edge';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_TRANSPORT = 'stdio';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_PORT = '4000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'firefox';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_PORT = '5000';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return readFileSync(path).toString('base64');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const programFiles = process.env.ProgramFiles ?? 'C:\\Program Files';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const programFilesX86 = process.env['ProgramFiles(x86)'] ?? 'C:\\Program Files (x86)';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const localAppData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), 'AppData\\Local');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[`${ENV_PREFIX}${envKey}`];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/node-cli
npm first-partyexpand_more 80 low-confidence finding(s)
await fs.writeFile(`${tmpdir}/src/icons/icon.png`, 'fake-png-content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/assets/logo.svg`, '<svg>fake-svg</svg>');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/__schema__/node.json`, '{"fake": "schema"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'regular-package',
version: '1.0.0',
// No n8n field - this makes it an invalid n8n package
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/nodes/icons/node1.png`, 'fake-node1-png');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/nodes/subdir/__schema__/schema.json`, '{"node": "schema"}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/src/assets/images/logo.svg`, '<svg>logo</svg>');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/dist/old-file.js`, 'old content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(eslintConfigPath, newConfig, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const eslintConfig = await fs.readFile(eslintConfigPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs
.readFile('package.json', 'utf-8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'regular-package',
version: '1.0.0',
// No n8n field - this makes it an invalid n8n package
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const expectedConfig = await fs.readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const currentConfig = await fs.readFile(eslintConfigPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.RELEASE_MODE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.RELEASE_MODE = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.RELEASE_MODE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GITHUB_ACTIONS;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(workflowPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(workflowPath, originalContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(workflowPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GITHUB_ACTIONS = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
`${tmpdir}/package.json`,
JSON.stringify({
name: 'test-node',
version: '1.0.0',
n8n: {
nodes: ['dist/nodes/TestNode.node.js'],
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = Boolean(process.env.GITHUB_ACTIONS);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const templateContent = await fs.readFile(templatePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dest, rendered);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithOverrides);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithLifecycleScript);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(pkgPath, packageJsonWithOverrides);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, newContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(fullPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package.json`, JSON.stringify(packageConfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/eslint.config.mjs`, DEFAULT_ESLINT_CONFIG);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/eslint.config.mjs`, options.eslintConfig);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, contents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'yarn/1.22.19 npm/? node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'npm/9.5.1 node/v18.16.0 darwin x64 workspaces/false';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 yarn/1.22.19 npm/9.5.1 node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'yarn/1.22.19 npm/9.5.1 node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'node/v18.16.0 darwin x64';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/yarn.lock`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/yarn.lock`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.npm_config_user_agent;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ua = process.env['npm_config_user_agent'] ?? '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(packageJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.COVERAGE_ENABLED === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI === 'true' ? ['cobertura'] : ['text-summary'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/scan-community-package
npm first-partyexpand_more 3 low-confidence finding(s)
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
fullPath,
typeof contents === 'string' ? contents : JSON.stringify(contents, null, 2),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/typeorm
npm first-partyexpand_more 8 low-confidence finding(s)
process.env.PGTZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export { ReadStream } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(path, data, (err) => {
if (err) fail(err);
ok();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(potentialPackageJson, 'utf8', (err, data) => {
if (err != null) accept(null);
else {
try {
accept(JSON.parse(data));
} catch (err) {
accept(null);
}
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/vitest-config
npm first-partyexpand_more 7 low-confidence finding(s)
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.COVERAGE_ENABLED === 'true' && vitestConfig.test?.coverage) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI === 'true' && coverage.provider === 'v8') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.CI !== 'true') return {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
...(process.env.COVERAGE_ENABLED === 'true'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI === 'true' ? 'lcov' : 'text-summary',
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/@n8n/workflow-sdk
npm first-partyexpand_more 54 low-confidence finding(s)
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, entry.getData());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, JSON.stringify(workflow, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
code = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, JSON.stringify(json, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputPath, code);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(jsonPath, 'utf8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(nodesJsonPath, JSON.stringify(nodes));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hashBefore = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(nodesJsonPath, JSON.stringify([modifiedNode]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const hashAfter = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tsContent = await fs.promises.readFile(path.join(nodeDir, 'v1.ts'), 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(fs.readFileSync(sdkPackageJsonPath, 'utf-8')) as { version: string };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.promises.readFile(nodesJsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const existingHash = await fs.promises.readFile(hashFilePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(hashFilePath, inputHash);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = jsonParse<{ name: string }>(fs.readFileSync(packageJsonPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(indexFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const schemaContent = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const schemaContent = fs.readFileSync(schemaPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.promises.readFile(jsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await Promise.all(batch.map((f) => fs.promises.writeFile(f.path, f.content)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(outputDir, 'index.ts'), indexContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(DEV_OUTPUT_PATH, 'index.ts'), placeholderContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(generatedPath, code, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const WORKER_ID = process.env.VITEST_POOL_ID ?? '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(generatorPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const storedHash = fs.readFileSync(STAMP_FILE, 'utf-8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(STAMP_FILE, hash);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/frontend/@n8n/design-system
npm first-partyexpand_more 1 low-confidence finding(s)
const raw = readFileSync(jsonPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/frontend/@n8n/i18n
npm first-partyexpand_more 1 low-confidence finding(s)
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/frontend/@n8n/stores
npm first-partyexpand_more 1 low-confidence finding(s)
process.env.TZ = 'UTC';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/node-dev
npm first-partyexpand_more 5 low-confidence finding(s)
import { access } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { copyFile, mkdir, readFile, writeFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tsConfigString = await readFile(tsconfigPath, { encoding: 'utf8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(path, JSON.stringify(tsConfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { copyFile } from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/code-health
npm first-partyexpand_more 13 low-confidence finding(s)
changedFiles: parseChangedFiles(process.env.CODE_HEALTH_CHANGED_FILES),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
addedFiles: parseChangedFiles(process.env.CODE_HEALTH_ADDED_FILES),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, 'export {};\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(abs, source, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pkg = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as OnDiskPackageJson;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/janitor
npm first-partyexpand_more 66 low-confidence finding(s)
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'janitor.config.js'),
`module.exports = {
rootDir: '${tempDir}',
patterns: {
pages: ['pages/**/*.ts'],
components: [],
flows: [],
tests: ['tests/**/*.spec.ts'],
services: [],
fixtures: [],
helpers: [],
factories: [],
testData: [],
},
excludeFromPages: [],
facade: { file: 'pages/AppPage.ts', className: 'AppPage', excludeTypes: [] },
fixtureObjectName: 'app',
apiFixtureName: 'api',
rawApiPatterns: [],
flowLayerName: 'Composable',
architectureLayers: [],
rules: {},
};`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'CleanPage.ts'), 'export class CleanPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'VerbosePage.ts'),
'export class VerbosePage {}',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'BaselinePage.ts'),
'export class BaselinePage {}',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const attempt = Number(process.env.GITHUB_RUN_ATTEMPT ?? '1');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
firstNonEmpty(options.url, process.env.JANITOR_FILTER_SHARD_URL) ?? DEFAULT_FILTER_SHARD_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const runId = process.env.GITHUB_RUN_ID;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const includeRaw = fs.readFileSync(options.includeSpecsFile, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = JSON.parse(fs.readFileSync(metricsPath, 'utf-8')) as {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const env = process.env.CHANGED_FILES;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const inputs = files.map((f) => ({ text: fs.readFileSync(f, 'utf8'), spec: f }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(options.outLcov, result.lcov);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(options.outMap, JSON.stringify(encodeImpactMap(result.impactMap)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'pnpm-workspace.yaml'),
`packages:\n${opts.patterns.map((p) => ` - '${p}'`).join('\n')}\n`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(root, 'package.json'), JSON.stringify({ name: 'monorepo-root' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(pkgDir, 'package.json'), JSON.stringify(pkg));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(root, 'turbo.json'),
JSON.stringify({
tasks: Object.fromEntries(opts.turboTasks.map((t) => [t.taskId, { inputs: t.inputs }])),
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(readFileSync(path, 'utf-8')) as T;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(parseYaml(readFileSync(wsFile, 'utf-8')) as { packages?: string[] } | null)?.packages ?? [];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const currentContent = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, '.janitor-baseline.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(file, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fullPath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'simple-webhook.json'),
JSON.stringify({ name: 'Simple Webhook' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'complex-flow.json'),
JSON.stringify({ name: 'Complex Flow' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'workflows', 'test-workflow.json'),
JSON.stringify({ name: 'Test' }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(testFilePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'tsconfig.json'), JSON.stringify(tsconfig, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(pagesDir, 'TestPage.ts'), 'export class TestPage { foo() {} }');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'TestClass.ts'),
`export class TestClass {
publicMethod() { return 1; }
private privateMethod() { return 2; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
doc = parse(readFileSync(lockPath, 'utf8')) as typeof doc;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return existsSync(abs) ? readFileSync(abs, 'utf8') : '';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(pkgDir, 'package.json'), JSON.stringify({ name: 'some-pkg' }));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', '.gitkeep'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'tests', '.gitkeep'), '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tsconfig.json'),
JSON.stringify({
compilerOptions: {
target: 'ES2020',
module: 'ESNext',
moduleResolution: 'node',
strict: true,
skipLibCheck: true,
noEmit: true,
},
include: ['**/*.ts'],
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'package.json'),
JSON.stringify({
name: 'tcr-test',
scripts: {
typecheck: 'tsc --noEmit',
},
}),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'NewPage.ts'), 'export class NewPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'TestPage.ts'), 'export class TestPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'TestPage.ts'),
'export class TestPage { modified() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(newDir, 'new-feature.spec.ts'),
'import { test } from "@playwright/test"; test("new feature", () => {});',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(newDir, 'staged-feature.spec.ts'),
'export const test = { name: "staged feature test" };\n',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'package.json'),
JSON.stringify({ name: 'tcr-test', scripts: { typecheck: 'node -e ""' } }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'ToDelete.ts'),
'export class ToDelete { method() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'OldName.ts'),
'export class OldName { method() {} }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'MethodClass.ts'),
`export class MethodClass {
existing() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'MethodClass.ts'),
`export class MethodClass {
existing() {}
newMethod() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'RemoveClass.ts'),
`export class RemoveClass {
keepMe() {}
removeMe() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'RemoveClass.ts'),
`export class RemoveClass {
keepMe() {}
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'ModifyClass.ts'),
`export class ModifyClass {
myMethod() { return 1; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'ModifyClass.ts'),
`export class ModifyClass {
myMethod() { return 2; }
}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), 'export class LargePage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), largeContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'SmallPage.ts'), 'export class SmallPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'SmallPage.ts'),
'export class SmallPage { x = 1; }',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'OtherPage.ts'), 'export class OtherPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'pages', 'PageA.ts'),
`import { PageB } from './PageB';
export class PageA {}`,
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'PageB.ts'), 'export class PageB {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'DryRunPage.ts'), 'export class DryRunPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'ResultPage.ts'), 'export class ResultPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(tempDir, 'tests', 'example.spec.ts'),
'import { test } from "@playwright/test"; test("example", () => {});',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(tempDir, 'pages', 'FailPage.ts'), 'export class FailPage {}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(headFile, 'corrupted');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CI === 'true' ? { pool: 'forks' as const, maxWorkers: '50%' } : {};
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/performance
npm first-partyexpand_more 10 low-confidence finding(s)
import { readFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseline = JSON.parse(readFileSync(BASELINE_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const current = JSON.parse(readFileSync(CURRENT_PATH, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync, readdirSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const wf = JSON.parse(readFileSync(join(inputDir, file), 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(outputPath, JSON.stringify(fixture, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync, existsSync } from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const results = JSON.parse(readFileSync(resultsPath, 'utf-8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(baselinePath, JSON.stringify(results, null, '\t'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
plugins: [process.env.CODSPEED ? codspeedPlugin() : null].filter(Boolean),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/rules-engine
npm first-partyexpand_more 2 low-confidence finding(s)
const content = fs.readFileSync(filePath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, JSON.stringify(baseline, null, '\t') + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/testing/test-impact
npm first-partyexpand_more 22 low-confidence finding(s)
writeFileSync(join(bs, 'spec_a', '.spec'), 'tests/e2e/a.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_a', 'raw-1.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'no_marker', 'raw-1.json'), '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'no_raw', '.spec'), 'x');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_jsonl', '.spec'), 'tests/e2e/b.spec.ts');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(join(bs, 'spec_jsonl', 'raw-1.jsonl'), '{}\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const spec = readFileSync(specMarker, 'utf8').trim();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
join(outDir, `${slug}${suffix}.lcov`),
forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(p, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, '{not valid json,,,');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, '{}');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(interned));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(map));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsed: unknown = JSON.parse(fs.readFileSync(mapFile, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? parseSpecList(fs.readFileSync(input.allSpecsFile, 'utf8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
@oclif/core
npm dependencyexpand_more 20 low-confidence finding(s)
keys.map((key) => delete process.env[key]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const base = process.env[`XDG_${category.toUpperCase()}_HOME`] ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(this.windows && process.env.LOCALAPPDATA) ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.home = process.env.HOME || (this.windows && this.windowsHome()) || (0, os_1.getHomeDir)() || (0, node_os_1.tmpdir)();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[this.scopedEnvVarKeys(k).find((k) => process.env[k])];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.HOMEDRIVE && process.env.HOMEPATH && (0, node_path_1.join)(process.env.HOMEDRIVE, process.env.HOMEPATH);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.USERPROFILE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SHELL = process.env.SHELL ?? (0, node_os_1.userInfo)().shell?.split(node_path_1.sep)?.pop();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.OCLIF_NEXT_VERSION && manifest.version.split('-')[0] !== this.version.split('-')[0]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
debug(`Skipping typescript path lookup for ${root} because it's an ESM module (NODE_ENV: ${process.env.NODE_ENV}, root plugin module type: ${rootPlugin?.moduleType})`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = 'development';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.CLI_FLAGS_DEBUG === '1'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (fws.inputFlag.flag.env && process.env[fws.inputFlag.flag.env]) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const valueFromEnv = process.env[fws.inputFlag.flag.env];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
valueFunction: async (i) => (0, util_1.isTruthy)(process.env[i.inputFlag.flag.env] ?? 'false'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const columns = Number.parseInt(process.env.OCLIF_COLUMNS, 10) || settings_1.settings.columns;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.OCLIF_DISABLE_RC) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return !['development', 'test'].includes(process.env.NODE_ENV ?? '');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
!process.env.CI &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
!['dumb', 'emacs-color'].includes(process.env.TERM) &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fast-glob
npm dependencyexpand_more 3 low-confidence finding(s)
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
n8n-core
npm dependencyexpand_more 1 low-confidence finding(s)
await writeFile(filePath, payload, { encoding: 'utf-8' });
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
replace-in-file
npm dependencyexpand_more 118 low-confidence finding(s)
const json = await fs.readFile(path.resolve(file), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync('config.json', JSON.stringify(config), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fsSync.readFileSync(file, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsSync.writeFileSync(file, newContents, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await fs.readFile(file, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file, newContents, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = fsSync.readFileSync(source, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsSync.writeFileSync(target, newContents, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contents = await fs.readFile(source, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(target, newContents, encoding)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test1', testData, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test2', testData, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test3', 'nope', 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test3 = fs.readFileSync('test3', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test1', testData, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test2', testData, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test3', 'nope', 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fsAsync.writeFile('test4', testData2, 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test2 = fs.readFileSync('test2', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test1 = fs.readFileSync('test1', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
before(() => fs.writeFileSync('test197', 'ABC 123\n6666666\nDEF 456', 'utf8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test197 = fs.readFileSync('test197', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test4 = fs.readFileSync('test4', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const test4 = fs.readFileSync('test4', 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tmp-promise
npm dependencyexpand_more 2 low-confidence finding(s)
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
assert.equal(fs.readFileSync(path), message)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- @n8n/di prod — dist-only: no readable source
- change-case prod — dist-only: no readable source
- inquirer prod — dist-only: no readable source
- n8n-workflow prod — dist-only: no readable source
- @azure/identity prod — dist-only: no readable source
- @azure/storage-blob prod — scan budget exceeded
- @langchain/core prod — scan budget exceeded
- @n8n/backend-common prod — scan budget exceeded
- @n8n/backend-network prod — scan budget exceeded
- @n8n/client-oauth2 prod — scan budget exceeded
- @n8n/config prod — scan budget exceeded
- @n8n/constants prod — scan budget exceeded
- @n8n/decorators prod — scan budget exceeded
- @n8n/errors prod — scan budget exceeded
- @n8n/utils prod — scan budget exceeded
- @sentry/core prod — scan budget exceeded
- @sentry/node prod — scan budget exceeded
- @sentry/node-native prod — scan budget exceeded
- @sentry/profiling-node prod — scan budget exceeded
- callsites prod — scan budget exceeded
- chardet prod — scan budget exceeded
- cron prod — scan budget exceeded
- file-type prod — scan budget exceeded
- form-data prod — scan budget exceeded
- htmlparser2 prod — scan budget exceeded
- jsonwebtoken prod — scan budget exceeded
- lodash prod — scan budget exceeded
- luxon prod — scan budget exceeded
- mime-types prod — scan budget exceeded
- ms prod — scan budget exceeded
- @n8n/workflow-sdk prod — scan budget exceeded
- nanoid prod — scan budget exceeded
- oauth-1.0a prod — scan budget exceeded
- p-cancelable prod — scan budget exceeded
- picocolors prod — scan budget exceeded
- pretty-bytes prod — scan budget exceeded
- ssh2 prod — scan budget exceeded
- uuid prod — scan budget exceeded
- winston prod — scan budget exceeded
- xml2js prod — scan budget exceeded
- qs prod — scan budget exceeded
- @codemirror/autocomplete prod — scan budget exceeded
- @n8n/expression-runtime prod — scan budget exceeded
- @n8n/tournament prod — scan budget exceeded
- ast-types prod — scan budget exceeded
- esprima-next prod — scan budget exceeded
- jmespath prod — scan budget exceeded
- js-base64 prod — scan budget exceeded
- jssha prod — scan budget exceeded
- json-schema prod — scan budget exceeded
- md5 prod — scan budget exceeded
- recast prod — scan budget exceeded
- title-case prod — scan budget exceeded
- transliteration prod — scan budget exceeded
- jsonrepair prod — scan budget exceeded
- @1password/connect prod — scan budget exceeded
- @ai-sdk/anthropic prod — scan budget exceeded
- @apidevtools/json-schema-ref-parser prod — scan budget exceeded
- @aws-sdk/client-secrets-manager prod — scan budget exceeded
- @azure/keyvault-secrets prod — scan budget exceeded
- @chat-adapter/linear prod — scan budget exceeded
- @chat-adapter/slack prod — scan budget exceeded
- @chat-adapter/state-memory prod — scan budget exceeded
- @chat-adapter/telegram prod — scan budget exceeded
- @daytona/sdk prod — scan budget exceeded
- @google-cloud/secret-manager prod — scan budget exceeded
- @joplin/turndown-plugin-gfm prod — scan budget exceeded
- @modelcontextprotocol/sdk prod — scan budget exceeded
- @mozilla/readability prod — scan budget exceeded
- @n8n/agents prod — scan budget exceeded
- @n8n/ai-node-sdk prod — scan budget exceeded
- @n8n/ai-utilities prod — scan budget exceeded
- @n8n/ai-workflow-builder prod — scan budget exceeded
- @n8n/api-types prod — scan budget exceeded
- @n8n/chat-hub prod — scan budget exceeded
- @n8n/db prod — scan budget exceeded
- @n8n/instance-ai prod — scan budget exceeded
- @n8n/mcp-apps prod — scan budget exceeded
- @n8n/mcp-browser prod — scan budget exceeded
- @n8n/n8n-nodes-langchain prod — scan budget exceeded
- @n8n/permissions prod — scan budget exceeded
- @n8n/scheduler prod — scan budget exceeded
- @n8n/syslog-client prod — scan budget exceeded
- @n8n/task-runner prod — scan budget exceeded
- @n8n_io/ai-assistant-sdk prod — scan budget exceeded
- @n8n_io/license-sdk prod — scan budget exceeded
- @opentelemetry/api prod — scan budget exceeded
- @opentelemetry/core prod — scan budget exceeded
- @opentelemetry/exporter-trace-otlp-proto prod — scan budget exceeded
- @opentelemetry/instrumentation prod — scan budget exceeded
- @opentelemetry/resources prod — scan budget exceeded
- @opentelemetry/sdk-node prod — scan budget exceeded
- @opentelemetry/sdk-trace-base prod — scan budget exceeded
- @opentelemetry/sdk-trace-node prod — scan budget exceeded
- @opentelemetry/semantic-conventions prod — scan budget exceeded
- @parcel/watcher prod — scan budget exceeded
- @pinecone-database/pinecone prod — scan budget exceeded
- @qdrant/js-client-rest prod — scan budget exceeded
- @rudderstack/rudder-sdk-node prod — scan budget exceeded
- @supabase/supabase-js prod — scan budget exceeded
- ai prod — scan budget exceeded
- aws4 prod — scan budget exceeded
- bcryptjs prod — scan budget exceeded
- bull prod — scan budget exceeded
- cache-manager prod — scan budget exceeded
- chat prod — scan budget exceeded
- class-transformer prod — scan budget exceeded
- class-validator prod — scan budget exceeded
- compression prod — scan budget exceeded
- convict prod — scan budget exceeded
- cookie-parser prod — scan budget exceeded
- csrf prod — scan budget exceeded
- csv-parse prod — scan budget exceeded
- dotenv prod — scan budget exceeded
- express prod — scan budget exceeded
- express-handlebars prod — scan budget exceeded
- express-openapi-validator prod — scan budget exceeded
- express-prom-bundle prod — scan budget exceeded
- express-rate-limit prod — scan budget exceeded
- fast-json-patch prod — scan budget exceeded
- fastest-levenshtein prod — scan budget exceeded
- fflate prod — scan budget exceeded
- flat prod — scan budget exceeded
- flatted prod — scan budget exceeded
- formidable prod — scan budget exceeded
- handlebars prod — scan budget exceeded
- helmet prod — scan budget exceeded
- http-proxy-middleware prod — scan budget exceeded
- ioredis prod — scan budget exceeded
- isbot prod — scan budget exceeded
- isolated-vm prod — scan budget exceeded
- jose prod — scan budget exceeded
- json-diff prod — scan budget exceeded
- jsonschema prod — scan budget exceeded
- langsmith prod — scan budget exceeded
- ldapts prod — scan budget exceeded
- linkedom prod — scan budget exceeded
- lru-cache prod — scan budget exceeded
- moment-timezone prod — scan budget exceeded
- multer prod — scan budget exceeded
- n8n-editor-ui prod — scan budget exceeded
- n8n-nodes-base prod — scan budget exceeded
- nodemailer prod — scan budget exceeded
- open prod — scan budget exceeded
- openid-client prod — scan budget exceeded
- otpauth prod — scan budget exceeded
- p-lazy prod — scan budget exceeded
- pdf-parse prod — scan budget exceeded
- pg prod — scan budget exceeded
- pkce-challenge prod — scan budget exceeded
- posthog-node prod — scan budget exceeded
- prom-client prod — scan budget exceeded
- psl prod — scan budget exceeded
- raw-body prod — scan budget exceeded
- replacestream prod — scan budget exceeded
- samlify prod — scan budget exceeded
- semver prod — scan budget exceeded
- shelljs prod — scan budget exceeded
- simple-git prod — scan budget exceeded
- source-map-support prod — scan budget exceeded
- sqlite3 prod — scan budget exceeded
- sshpk prod — scan budget exceeded
- sucrase prod — scan budget exceeded
- swagger-ui-express prod — scan budget exceeded
- tar prod — scan budget exceeded
- turndown prod — scan budget exceeded
- validator prod — scan budget exceeded
- ws prod — scan budget exceeded
- xmllint-wasm prod — scan budget exceeded
- xss prod — scan budget exceeded
- yargs-parser prod — scan budget exceeded
- zod-to-json-schema prod — scan budget exceeded
- @aws-crypto/sha256-js prod — scan budget exceeded
- @aws-sdk/credential-providers prod — scan budget exceeded
- @smithy/node-http-handler prod — scan budget exceeded
- @smithy/protocol-http prod — scan budget exceeded
- @smithy/signature-v4 prod — scan budget exceeded
- @smithy/types prod — scan budget exceeded
- @kafkajs/confluent-schema-registry prod — scan budget exceeded
- @n8n/imap prod — scan budget exceeded
- @thednp/dommatrix prod — scan budget exceeded
- alasql prod — scan budget exceeded
- amqplib prod — scan budget exceeded
- basic-auth prod — scan budget exceeded
- cheerio prod — scan budget exceeded
- chokidar prod — scan budget exceeded
- currency-codes prod — scan budget exceeded
- eventsource prod — scan budget exceeded
- generate-schema prod — scan budget exceeded
- get-system-fonts prod — scan budget exceeded
- gm prod — scan budget exceeded
- html-to-text prod — scan budget exceeded
- iconv-lite prod — scan budget exceeded
- ics prod — scan budget exceeded