Close Open Privacy Scan

bolt Snapshot: commit bb773ff
science engine v3
schedule 2026-07-10T01:15:45.410015+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

Incomplete scan — only 112/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 2254 finding(s)

Dependency score: 0 (High risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

32 high 10 medium 2212 low
First-party packages: 5
Dependency packages: 40
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: [::1]:3000admin.comallowed.example.com,also-allowed.example.comapi.firecrawl.devapi.github.comapi.mistral.aiapi.nodemailer.comapi.pipedream.comapi.smith.langchain.comapi.unstructuredapp.ioapi.vectara.ioapp.comapp.example.com,https:dashboard.example.comdomain1.com,domain1.com,,https:domain1.com,https:domain2.com,domain3.come.example.comembed.example.com,https:ethereal.emailexample.comexample.com,example.com,https:github.comlegacy.example.commyapp.comnew.example.comnts.ngc.nvidia.comoauth2.googleapis.comraw.githubusercontent.comtrusted.comtrusted.example.comwww.googleapis.com

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:26 repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/TestRunDialog.tsx:32 repo/packages/agentflow/examples/src/TestRunDialog.tsx:44
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:103 repo/packages/server/src/IdentityManager.ts:140
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
high first-party (npm): packages/ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
high first-party (npm): packages/ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
high first-party (npm): packages/server User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:103 repo/packages/server/src/IdentityManager.ts:140
high first-party (npm): packages/agentflow User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:26 repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37
high first-party (npm): packages/agentflow User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/TestRunDialog.tsx:32 repo/packages/agentflow/examples/src/TestRunDialog.tsx:44
high first-party (npm): packages/components User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
hub Dependency data flows (22)
high axios dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:610 pkgs/npm/[email protected]/lib/adapters/http.js:708
high nodemailer dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/fetch/index.js:55 pkgs/npm/[email protected]/lib/fetch/index.js:148
high flowise-components dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:129 pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:935 pkgs/npm/@[email protected]/esm/api/api/security.js:952
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1562 pkgs/npm/@[email protected]/esm/api/api/security.js:1574
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1600 pkgs/npm/@[email protected]/esm/api/api/security.js:1612
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1676 pkgs/npm/@[email protected]/esm/api/api/security.js:1688
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2257 pkgs/npm/@[email protected]/esm/api/api/security.js:2274
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2437 pkgs/npm/@[email protected]/esm/api/api/security.js:2454
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2915 pkgs/npm/@[email protected]/esm/api/api/security.js:2927
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:937 pkgs/npm/@[email protected]/lib/api/api/security.js:954
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1564 pkgs/npm/@[email protected]/lib/api/api/security.js:1576
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1602 pkgs/npm/@[email protected]/lib/api/api/security.js:1614
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1678 pkgs/npm/@[email protected]/lib/api/api/security.js:1690
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2259 pkgs/npm/@[email protected]/lib/api/api/security.js:2276
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2439 pkgs/npm/@[email protected]/lib/api/api/security.js:2456
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2917 pkgs/npm/@[email protected]/lib/api/api/security.js:2929
high @mendable/firecrawl-js tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:24 pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:43
high @mendable/firecrawl-js dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/index.backup.ts:608 pkgs/npm/@[email protected]/src/index.backup.ts:663
high @mendable/firecrawl-js dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/v1/index.ts:699 pkgs/npm/@[email protected]/src/v1/index.ts:739
medium axios dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:616 pkgs/npm/[email protected]/lib/adapters/http.js:708
medium winston dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/winston/transports/http.js:249 pkgs/npm/[email protected]/lib/winston/transports/http.js:242

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #c8953379881896e7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37 · flow /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:26 → /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37
            const res = await fetch(`${apiBaseUrl}/api/v1/chatflows`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify(body)
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0f512be2062222ed User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/TestRunDialog.tsx:44 · flow /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/TestRunDialog.tsx:32 → /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/TestRunDialog.tsx:44
            const res = await fetch(`${apiBaseUrl}/api/v1/internal-prediction/${agentflowId}`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify({ question: question.trim(), streaming: true, chatId })
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #89756c5e3550cd36 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132 · flow /tmp/closeopen-d65y7tid/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 → /tmp/closeopen-d65y7tid/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
        const response = await fetch(this.apiUrl, {
            method: 'POST',
            body: formData,
            headers
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #82c98ed390ce6656 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:140 · flow /tmp/closeopen-d65y7tid/repo/packages/server/src/IdentityManager.ts:103 → /tmp/closeopen-d65y7tid/repo/packages/server/src/IdentityManager.ts:140
                    const response = await axios.post(`${LICENSE_URL}/enterprise/verify`, { license: FLOWISE_EE_LICENSE_KEY })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #248c3d8393836233 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 · flow /tmp/closeopen-d65y7tid/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 → /tmp/closeopen-d65y7tid/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
            getWorkspacesByUserIdApi.request(dialogProps.data.userId)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #62ea03f5d7d161ab User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274 · flow /tmp/closeopen-d65y7tid/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 → /tmp/closeopen-d65y7tid/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
            updateChatflowApi.request(chatflow.id, updateBody)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #4ff4a86637639ce2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.test.ts:36
const posthogNode = require('posthog-node')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a676ad469113e0de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.ts:2
import { PostHog } from 'posthog-node'

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 793 low-confidence finding(s)
low env_fs production #988343cd52e52232 Environment-variable access.
repo/.eslintrc.js:25
        'no-console': [process.env.CI ? 'error' : 'warn', { allow: ['warn', 'error', 'info'] }],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f72259d6366d5154 Environment-variable access.
repo/docker/worker/healthcheck/healthcheck.js:4
const port = process.env.WORKER_PORT || 5566

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b076d55f6bee101 Environment-variable access.
repo/packages/components/nodes/agents/ConversationalAgent/ConversationalAgent.ts:283
        verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b116b305e90ffe88 Environment-variable access.
repo/packages/components/nodes/agents/ConversationalRetrievalToolAgent/ConversationalRetrievalToolAgent.ts:360
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8034be4b2e50995 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:104
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0c5524e7e8a6988 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:113
        const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf08e94e24fd4fc7 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:115
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5048b0ac11e4783c Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:130
                verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #638e821857d2f70c Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:157
            const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ea78ef7fb368c1b Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentChat/ReActAgentChat.ts:132
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe2ba37a6c920ece Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentLLM/ReActAgentLLM.ts:105
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76f07138b9097ca0 Environment-variable access.
repo/packages/components/nodes/agents/ToolAgent/ToolAgent.ts:359
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56d05c42b5244cbe Environment-variable access.
repo/packages/components/nodes/agents/XMLAgent/XMLAgent.ts:284
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35b04a28331518b4 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:130
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c332e25a77efb53 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:131
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12bb2c69eb3ed764 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:138
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612b2d7395c76d2e Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:139
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4552ea41959fde88 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:87
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7ca2a6106d3b5d3 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:88
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2b281719db9b2b4 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:95
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0632c638295e41b2 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:96
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b26b7ee5754fc79a Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/GETApiChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa83328e417434a3 Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/OpenAPIChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea0fc8a7a0dbe17c Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/POSTApiChain.ts:124
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4d00cb74334538a Environment-variable access.
repo/packages/components/nodes/chains/ConversationChain/ConversationChain.ts:139
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e69bf2fceb913e8 Environment-variable access.
repo/packages/components/nodes/chains/ConversationalRetrievalQAChain/ConversationalRetrievalQAChain.ts:229
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf426b082a282662 Environment-variable access.
repo/packages/components/nodes/chains/GraphCypherQAChain/GraphCypherQAChain.ts:423
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #035e955075b15545 Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:109
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed2c7f8036e5cbd5 Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:117
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5641692bea26d896 Environment-variable access.
repo/packages/components/nodes/chains/MultiPromptChain/MultiPromptChain.ts:71
            llmChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf95ef2838c3cd97 Environment-variable access.
repo/packages/components/nodes/chains/MultiRetrievalQAChain/MultiRetrievalQAChain.ts:79
            retrievalQAChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false, returnSourceDocuments }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95739800b897d44b Environment-variable access.
repo/packages/components/nodes/chains/RetrievalQAChain/RetrievalQAChain.ts:58
        const chain = RetrievalQAChain.fromLLM(model, vectorStoreRetriever, { verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5bad702c3217a72 Environment-variable access.
repo/packages/components/nodes/chains/SqlDatabaseChain/SqlDatabaseChain.ts:245
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #3208bd6e59c2d026 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/chains/VectaraChain/VectaraChain.ts:312
            const response = await fetch(`https://api.vectara.io/v1/query`, {
                method: 'POST',
                headers: headers?.headers,
                body: JSON.stringify(data)
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8ad2262e57a3bfa2 Environment-variable access.
repo/packages/components/nodes/chains/VectorDBQAChain/VectorDBQAChain.ts:60
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cd54d8bf072301a Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63fd156095db524a Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:9
        const raw = JSON.parse(fs.readFileSync(modelsPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f1736a964ae35ae Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #332dfc683d0d94da Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10f406ae729e551e Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e66ded32c9f1ed1e Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:13
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d411d685d9834219 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:153
                    if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc0edf194d31bdc4 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:166
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #984501f72aee81ed Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:175
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71bd75d4e4aa9178 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:186
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #523bf6e0508aa650 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:192
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf3c02f6e5194686 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:194
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3aca0d18e4f69c3 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:7
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #656aa36059e4ba80 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:127
                    fs.writeFileSync(tempFilePath, fileData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #591fd54d513c8e0c Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:139
                    fs.writeFileSync(tempFilePath, fileBuffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd12d461c35355e3 Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5d9951a0d9bbbea2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:227
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c9d0bbd509012618 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:454
            const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8b9065b7b3ada0e5 Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:702
        fs.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e4cf2d509b244d5f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleSheets/GoogleSheets.ts:155
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3ee6c0640da01271 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:194
                const executablePath = process.env.PLAYWRIGHT_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #266d7b15d369ca5f Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:235
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ec4f5629a2d59a2 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:242
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61634ec50bb46520 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:253
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e11e91fbc28577d3 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:262
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1a26997b52aa4f Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:264
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e61e90fc3f119986 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:185
                const executablePath = process.env.PUPPETEER_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1af30e2d0e5a5819 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:226
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac154129f9e17a5f Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:233
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f80a6e0d138b3dc5 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:244
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c00a9d0784a7283a Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:253
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2d7100a81774418 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:255
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a05bcd3d0448317 Filesystem access.
repo/packages/components/nodes/documentloaders/S3Directory/S3Directory.ts:217
                        fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3e7a574c93b15ba Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:130
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9bc4b6696e47ff1 Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:131
                optional: !!process.env.UNSTRUCTURED_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77692eecf700fc41 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:784
                    fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #296dc4020f4712a5 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:1020
        fsDefault.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6cd275505c70228 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:30
    private apiUrl = process.env.UNSTRUCTURED_API_URL || 'https://api.unstructuredapp.io/general/v0/general'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56d04b604bc6bece Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:32
    private apiKey: string | undefined = process.env.UNSTRUCTURED_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84519f14eb4d0569 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:57
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #263da845f05206b5 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:58
                optional: !!process.env.UNSTRUCTURED_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9af40d57612af8de Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:6
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23849db1d528b0b4 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:7
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8847d6df9e04e5f3 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:8
    (!!process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME || !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56870aeaecc2f981 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:9
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6edabb820a65f9c2 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:9
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9123c05df35981d Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5272865f0d0f884 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ed86a6ece49ae38 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fae21ce63475d033 Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/AgentMemory.ts:138
                : path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #902c8637a36f9d5f Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/SQLiteAgentMemory/SQLiteAgentMemory.ts:72
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50b97802e9b04335 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:144
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a93be6a5a2a326ab Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:145
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63a9e0f6ca6aaf23 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:151
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a59c3d4f17b7fa3f Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:152
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #871969a3fb3ad8f2 Environment-variable access.
repo/packages/components/nodes/multiagents/Worker/Worker.ts:235
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fe6fa9673b012ae Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:10
const serverCredentialsExists = !!process.env.POSTGRES_RECORDMANAGER_USER && !!process.env.POSTGRES_RECORDMANAGER_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #279f24c1e8e2d4dc Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:139
        const user = getCredentialParam('user', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #630febba6bc7a756 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:140
        const password = getCredentialParam('password', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e6f35801a2a59b4 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_RECORDMANAGER_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06fdf4dad8b6ef70 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_RECORDMANAGER_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #198e27faa0978e59 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_RECORDMANAGER_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e8ad303cc80e142 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_RECORDMANAGER_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d250f70d5f427b3 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_RECORDMANAGER_TABLE_NAME, 'upsertion_records')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6dc84be7043c463 Environment-variable access.
repo/packages/components/nodes/recordmanager/SQLiteRecordManager/SQLiteRecordManager.ts:124
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #26a9d5dcadaa72b2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/CohereRerankRetriever/CohereRerank.ts:44
            let returnedDocs = await axios.post(this.COHERE_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #778ec20425ab82db Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/JinaRerankRetriever/JinaRerank.ts:39
            let returnedDocs = await axios.post(this.JINA_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #9fcb9028b2d556f6 Environment-variable access.
repo/packages/components/nodes/retrievers/MultiQueryRetriever/MultiQueryRetriever.ts:75
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #86854626a643408d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/VoyageAIRetriever/VoyageAIRerank.ts:40
            let returnedDocs = await axios.post(this.VOYAGEAI_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ffbc8f32066befa6 Environment-variable access.
repo/packages/components/nodes/sequentialagents/Agent/Agent.ts:690
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8e328617ca55417 Environment-variable access.
repo/packages/components/nodes/tools/Arxiv/Arxiv.ts:119
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23cec70ed7e64e3d Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:77
                    process.env.CUSTOM_MCP_PROTOCOL === 'sse'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02772cf4845f88b9 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:176
            if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2871585975299d70 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:186
            if (process.env.CUSTOM_MCP_PROTOCOL === 'stdio' && serverParams!.command) toolkit = new MCPToolkit(serverParams, 'stdio')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #b09511d2eef85e7d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/tools/MCP/Pipedream/PipedreamMCP.ts:212
            const response = await axios.post('https://api.pipedream.com/v1/oauth/token', body, {
                headers: {
                    'Content-Type': 'application/json'
                }
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4f6746cbcf5fcceb Environment-variable access.
repo/packages/components/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts:109
        if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9390141fce7e4dca Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:416
        const originalAllowList = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72a90b65b0cba39c Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:420
                delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ad1f2ece17924e8 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:422
                process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = originalAllowList

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82ca60921a83825d Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:427
            delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4da9a14e46afb0e4 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:435
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b81c9470eb82b44d Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:447
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #382f911734c8cf41 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:455
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR,API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dfc727a022e54dd Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:464
        const originalAllowedCommands = process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6206d0a74be893dc Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:469
            process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'node,npx,python,python3,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5d2700e8afb041f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:474
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fff87007db675637 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:476
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = originalAllowedCommands

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06ddffa2c877ca5f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:536
            const original = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #671a2cad506e8a96 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:537
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_TOKEN'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccfefacf6b6a223b Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:549
                    delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d38c4eeb0a348c8 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:551
                    process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = original

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66f3b48261d2241f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:577
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1b2978c8a6553b5 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:588
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'python3'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd21108494190a70 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:599
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'npx,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0210d2b958c1011f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:610
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = ' node , npx '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d03cff5471d30151 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:48
                    PATH: process.env.PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd117de245cca104 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:258
        (process.env.CUSTOM_MCP_ALLOWED_ENV_VARS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f340dfc676526fe Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:390
    const allowedCommands = (process.env.CUSTOM_MCP_ALLOWED_COMMANDS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b25e61bc5760836 Environment-variable access.
repo/packages/components/nodes/vectorstores/Pinecone/Pinecone_LlamaIndex.ts:238
        this.chunkSize = params?.chunkSize ?? Number.parseInt(process.env.PINECONE_CHUNK_SIZE ?? '100')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7506114e0fd0e4 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/Postgres.ts:13
const serverCredentialsExists = !!process.env.POSTGRES_VECTORSTORE_USER && !!process.env.POSTGRES_VECTORSTORE_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de2d36dce050aee6 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:68
        const user = getCredentialParam('user', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #138a7daabd07a950 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:69
        const password = getCredentialParam('password', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfbfdbae6477037e Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_VECTORSTORE_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee0015a9eeac4cb7 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_VECTORSTORE_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01aa9cb8dae825c9 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_VECTORSTORE_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df8f3f4ee47dec02 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_VECTORSTORE_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80e6fc419d288b3c Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_VECTORSTORE_TABLE_NAME, 'documents')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de3cb9afae8dfe42 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:24
    return defaultChain(nodeData?.inputs?.contentColumnName, process.env.POSTGRES_VECTORSTORE_CONTENT_COLUMN_NAME, 'pageContent')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38830ec90444eccb Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:28
    return defaultChain(nodeData?.inputs?.schemaName, process.env.POSTGRES_VECTORSTORE_SCHEMA_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ce05458ffbc811e Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:154
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a3c94286ea5ea9d Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:155
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4029559a54343299 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:159
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0d9ac23827f48d3 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:160
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df2e8721aba79eef Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:172
                    if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6be7ee4918b02d48 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:231
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72e85186d989417f Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:232
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e353f12a9305a78d Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:236
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba55290d20401cf8 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:237
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cb9367bf0350256 Environment-variable access.
repo/packages/components/src/handler.test.ts:388
        for (const k of LANGSMITH_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df961c5bfa6e7f3b Environment-variable access.
repo/packages/components/src/handler.test.ts:389
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf0a3e720147dea6 Environment-variable access.
repo/packages/components/src/handler.test.ts:390
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91c283e982c65651 Environment-variable access.
repo/packages/components/src/handler.test.ts:391
        process.env.LANGSMITH_API_KEY = 'test-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d3d5d30ce72dc5d Environment-variable access.
repo/packages/components/src/handler.test.ts:397
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80464e417056f7f2 Environment-variable access.
repo/packages/components/src/handler.test.ts:400
            if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a4741367974eaa5 Environment-variable access.
repo/packages/components/src/handler.ts:81
        if (process.env.DEBUG === 'true') console.error(`Error setting up Arize tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc6aca44e0e8224b Environment-variable access.
repo/packages/components/src/handler.ts:135
        if (process.env.DEBUG === 'true') console.error(`Error setting up Phoenix tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60fd14c6862c6a1f Environment-variable access.
repo/packages/components/src/handler.ts:179
        if (process.env.DEBUG === 'true') console.error(`Error setting up Opik tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85e4a2aae4b209c1 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:36
    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e70480248467c982 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:37
    const httpDenyListString = process.env.HTTP_DENY_LIST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25c99e31a265f0f8 Filesystem access.
repo/packages/components/src/modelLoader.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ace747858e13882 Environment-variable access.
repo/packages/components/src/modelLoader.ts:38
        process.env.MODEL_LIST_CONFIG_JSON ?? 'https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61e1258349cc122e Filesystem access.
repo/packages/components/src/modelLoader.ts:48
            const models = await fs.promises.readFile(modelFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3209edeb6bcfa6b5 Filesystem access.
repo/packages/components/src/modelLoader.ts:55
        const models = await fs.promises.readFile(getModelsJSONPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bb1ddb48763094a Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:40
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #939b75e67a439677 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:41
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f774bdec3e0d6be Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:42
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f991e5589ca222e Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:43
        const containerName = process.env.AZURE_BLOB_STORAGE_CONTAINER_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eb1f9deddbf8669 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:265
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1be036cec110e71 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:276
            storageConfig.accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #940879cca5076a01 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:277
            storageConfig.accessKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ebaee50e548c11c Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:285
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f15ed309e0b69ff0 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:286
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a787ef4bef91266 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:287
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c02924dcfe74b522 Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:63
        const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb9be33bbea83eda Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:64
            ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e0839899173a76d Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:32
        const keyFilename = process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecc9ed94ed9b98ea Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:33
        const projectId = process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fc529bac1019c30 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:34
        const bucketName = process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb75cf25987df951 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:333
                uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7795ee91cda0ee8 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c56740f5a91c928 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:40
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6bd0744905dd48 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:60
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3029aea3469df4c9 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:74
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29c15e98db65e1aa Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:81
        return fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fc9f2b3068bc9e0 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:88
            return fs.readFileSync(fileInStorage)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0083d6810ec52492 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:114
                    return fs.readFileSync(targetPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa95624fddd7249a Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:344
        return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8db47be1fa30b964 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:345
            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31a1a5e9dbee6f30 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:350
        return process.env.HOME || process.env.USERPROFILE || process.env.HOMEPATH || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce97cd426e22d551 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:34
        const accessKeyId = process.env.S3_STORAGE_ACCESS_KEY_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6ce64b26af1c8eb Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:35
        const secretAccessKey = process.env.S3_STORAGE_SECRET_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #341bb818e66c94d4 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:36
        const region = process.env.S3_STORAGE_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1d5604b1e7fbf74 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:37
        const bucket = process.env.S3_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #686fbc121f29623d Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:38
        const customURL = process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d92a13bd96abd122 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:39
        const forcePathStyle = process.env.S3_FORCE_PATH_STYLE === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc1a738360842dae Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:73
            region: process.env.S3_STORAGE_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee08c19ad15e1017 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:74
            endpoint: process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6760964f5efff1f3 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:536
            const instance = process.env.HOSTNAME || process.env.POD_NAME || String(process.pid)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67870308526ce6c9 Environment-variable access.
repo/packages/components/src/storage/StorageProviderFactory.ts:20
            const storageType = process.env.STORAGE_TYPE || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9748fe2dadf986fd Filesystem access.
repo/packages/components/src/storageUtils.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55fc4ecd43dad019 Environment-variable access.
repo/packages/components/src/storageUtils.ts:51
    const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2c6cefad540b13b Environment-variable access.
repo/packages/components/src/storageUtils.ts:52
        ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c1cd68e39996c50 Environment-variable access.
repo/packages/components/src/storageUtils.ts:64
    return process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaba4c1b71005a99 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:21
    for (const k of ENV_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2eec5b17aa25eef Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:28
    for (const k of ENV_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84c43df5b3fd596c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:37
        if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd768c7ef541dc78 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:48
        process.env.LANGSMITH_TRACING = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2f2f295cc29e12f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:49
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30505d6b4f0c95d1 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:52
        process.env.LANGSMITH_TRACING = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0ae44c66117501e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:55
        process.env.LANGSMITH_TRACING = 'TRUE'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4edb73a4a9219278 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:60
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a917c27afb3d7741 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:65
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3e8c1164610ea6a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:66
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9a209894e1bc05a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:75
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ee3cfabadd1fa8c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:76
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aae42a96188a35dd Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:77
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a31479ac44220f2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:78
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c7b0731a648c73e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:87
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1552804beb59a320 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:88
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4f4200a6b840847 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:89
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dc8ee4dab1c9270 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:90
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #409a602fca88167a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:91
        process.env.LANGSMITH_ENDPOINT = 'https://new.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff86b3bf8c47480a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:92
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3df47a83ffec7b6 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:93
        process.env.LANGSMITH_PROJECT = 'new-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab4f479ff064405c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:94
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50be93c40a8f3f1a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:103
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52a50b13c281c267 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:104
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8897d5c9864c4e9 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:113
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a745caf321e1737e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:114
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd0c49142c9f9d96 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:115
        process.env.LANGSMITH_ENDPOINT = 'https://api.smith.langchain.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3927b2c850ac79e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:116
        process.env.LANGSMITH_PROJECT = 'my-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #812b1e6bef3a01fa Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:129
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #818c26ef74129090 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:130
        process.env.LANGSMITH_API_KEY = 'k1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d67f2ba6296977b Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:135
        process.env.LANGSMITH_API_KEY = 'k2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #503beded48a7e4ac Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:144
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c27e0c669b58b31f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:145
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61d7aa74336d0cb6 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:152
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d4fbdc63021367c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:153
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b0b180793e096cb Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:197
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7abb527943572057 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:198
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9ed670fef34adf2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:212
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b86e38625595eaca Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:213
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cdda6265840e647 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:214
        process.env.LANGSMITH_ENDPOINT = 'https://e.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54a2cfa15f48d6c0 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:215
        process.env.LANGSMITH_PROJECT = 'proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84ce29ed14bb26dc Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:233
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63f041e362fbc96c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:234
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e99ffca2e7c431d Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:245
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dc1f4f2551c2fa9 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:246
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #775dc86cef9d50bc Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:259
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d6f837c1e8b30c8 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:260
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #448dcc15df1afda1 Environment-variable access.
repo/packages/components/src/tracingEnv.ts:71
    for (const k of LANGCHAIN_TRACING_FLAG_VARS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4af6a6ee5997412c Environment-variable access.
repo/packages/components/src/utils.test.ts:245
        delete process.env.ALLOW_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5732e115588867d Environment-variable access.
repo/packages/components/src/utils.test.ts:246
        delete process.env.TOOL_FUNCTION_EXTERNAL_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fdd15881a4b3884 Environment-variable access.
repo/packages/components/src/utils.test.ts:251
            process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b3e2f2d169a41f0 Environment-variable access.
repo/packages/components/src/utils.test.ts:278
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d2cad5a078c0cfc Environment-variable access.
repo/packages/components/src/utils.test.ts:284
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #055b0138ed98af6a Environment-variable access.
repo/packages/components/src/utils.test.ts:285
        process.env.TOOL_FUNCTION_EXTERNAL_DEP = 'pg'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7af5b13f2f5d5070 Filesystem access.
repo/packages/components/src/utils.ts:12
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de673325ec8dd123 Environment-variable access.
repo/packages/components/src/utils.ts:32
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b92d58ffd79e4ea0 Environment-variable access.
repo/packages/components/src/utils.ts:34
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42b543e5d10de73d Environment-variable access.
repo/packages/components/src/utils.ts:35
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cb9bc036a69b0f7 Environment-variable access.
repo/packages/components/src/utils.ts:36
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f16ef8ff196546 Environment-variable access.
repo/packages/components/src/utils.ts:408
            if (process.env.DEBUG === 'true') console.error(`error with scraped URL: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0acf5c062f3bdeba Environment-variable access.
repo/packages/components/src/utils.ts:454
    if (process.env.DEBUG === 'true') console.info(`actively crawling ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4180f91c614da02e Environment-variable access.
repo/packages/components/src/utils.ts:459
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae07f66c14575a7a Environment-variable access.
repo/packages/components/src/utils.ts:465
            if (process.env.DEBUG === 'true') console.error(`non html response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ea027b08e82c709 Environment-variable access.
repo/packages/components/src/utils.ts:475
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48b51a2eb384f6a6 Environment-variable access.
repo/packages/components/src/utils.ts:510
    if (process.env.DEBUG === 'true') console.info(`actively scarping ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4feae0cf5504a4b9 Environment-variable access.
repo/packages/components/src/utils.ts:515
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a20632b43d8346a Environment-variable access.
repo/packages/components/src/utils.ts:521
            if (process.env.DEBUG === 'true') console.error(`non xml response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26b482f3322a4406 Environment-variable access.
repo/packages/components/src/utils.ts:528
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d7c312ffb7eb18b Environment-variable access.
repo/packages/components/src/utils.ts:540
        return typeof process !== 'undefined' ? process.env?.[name] : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #875ca4d72e938b85 Environment-variable access.
repo/packages/components/src/utils.ts:571
    return process.env.SECRETKEY_PATH ? path.join(process.env.SECRETKEY_PATH, 'encryption.key') : getEncryptionKeyFilePath()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58ca9a47d3e40c5f Environment-variable access.
repo/packages/components/src/utils.ts:579
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a4895852f72a7ab Environment-variable access.
repo/packages/components/src/utils.ts:580
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84aa6375d897188e Environment-variable access.
repo/packages/components/src/utils.ts:584
            const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05fcac6577d3b5b0 Filesystem access.
repo/packages/components/src/utils.ts:592
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73193cb92a8d3f32 Environment-variable access.
repo/packages/components/src/utils.ts:734
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8169af479b1cade Environment-variable access.
repo/packages/components/src/utils.ts:738
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cefdb5a482d6aa6 Environment-variable access.
repo/packages/components/src/utils.ts:1021
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21cd770ea9dda14b Filesystem access.
repo/packages/components/src/utils.ts:1048
            const content = await fs.promises.readFile(checkPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5f57e11124dd177 Environment-variable access.
repo/packages/components/src/utils.ts:1603
    const shouldUseE2BSandbox = useSandbox && process.env.E2B_APIKEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4eee386c2b76998 Environment-variable access.
repo/packages/components/src/utils.ts:1606
    if (process.env.SANDBOX_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f45e75089d4fcc7f Environment-variable access.
repo/packages/components/src/utils.ts:1607
        timeoutMs = parseInt(process.env.SANDBOX_TIMEOUT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63e4320881b44287 Environment-variable access.
repo/packages/components/src/utils.ts:1665
            const sbx = await Sandbox.create({ apiKey: process.env.E2B_APIKEY, timeoutMs })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4150de02562eccd Environment-variable access.
repo/packages/components/src/utils.ts:1729
        const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d563d3fee70136f Environment-variable access.
repo/packages/components/src/utils.ts:1730
            ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #294e7d49274f67c5 Environment-variable access.
repo/packages/components/src/utils.ts:1732
        const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84628c97f2f383a9 Environment-variable access.
repo/packages/components/src/utils.ts:1733
        let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d03a8b2650b853 Environment-variable access.
repo/packages/components/src/validator.test.ts:55
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0798575e691e6b0 Environment-variable access.
repo/packages/components/src/validator.test.ts:58
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23019dc1287b2507 Environment-variable access.
repo/packages/components/src/validator.test.ts:75
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cebb91ad27068728 Environment-variable access.
repo/packages/components/src/validator.test.ts:78
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d24275a05d8a27a1 Environment-variable access.
repo/packages/components/src/validator.test.ts:365
            const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9acbc588bb9f4490 Environment-variable access.
repo/packages/components/src/validator.test.ts:366
            delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2c672774e1015fe Environment-variable access.
repo/packages/components/src/validator.test.ts:375
                    process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #780c034e431fd880 Environment-variable access.
repo/packages/components/src/validator.test.ts:396
        const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7293c40f4f6b2af Environment-variable access.
repo/packages/components/src/validator.test.ts:401
                process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6d3d60497ffa35f Environment-variable access.
repo/packages/components/src/validator.test.ts:403
                delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #528a50069969e0b3 Environment-variable access.
repo/packages/components/src/validator.test.ts:409
            process.env.BLOB_STORAGE_PATH = customStoragePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9c66704f6ead7e2 Environment-variable access.
repo/packages/components/src/validator.test.ts:418
            process.env.BLOB_STORAGE_PATH = path.join(userHome, 'custom-storage')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #184d2ae9f1c7bfd1 Environment-variable access.
repo/packages/components/src/validator.test.ts:453
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ac42da20130c6a6 Environment-variable access.
repo/packages/components/src/validator.test.ts:456
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1657ba3b99b09a48 Environment-variable access.
repo/packages/components/src/validator.test.ts:591
        const originalDatabasePath = process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faac2bb550eeb5a0 Environment-variable access.
repo/packages/components/src/validator.test.ts:595
                delete process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #598a9acd0ae53de3 Environment-variable access.
repo/packages/components/src/validator.test.ts:597
                process.env.DATABASE_PATH = originalDatabasePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a258afc3f5fdc6c Environment-variable access.
repo/packages/components/src/validator.test.ts:603
            process.env.DATABASE_PATH = customBase

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fee658a0c66f573b Environment-variable access.
repo/packages/components/src/validator.test.ts:609
            process.env.DATABASE_PATH = path.join(userHome, 'custom-flowise-data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a997fd762f99e6b Environment-variable access.
repo/packages/components/src/validator.test.ts:616
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #128430fc4ffc3ba8 Environment-variable access.
repo/packages/components/src/validator.test.ts:619
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455c81de635af65b Environment-variable access.
repo/packages/components/src/validator.test.ts:788
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47c0a06b031d0fba Environment-variable access.
repo/packages/components/src/validator.test.ts:791
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83c44e828a82b987 Environment-variable access.
repo/packages/components/src/validator.ts:41
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cb15b72c5754786 Environment-variable access.
repo/packages/components/src/validator.ts:70
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5500ed275c8c05aa Environment-variable access.
repo/packages/components/src/validator.ts:195
    if (process.env.BLOB_STORAGE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b73c1def8ef198f Environment-variable access.
repo/packages/components/src/validator.ts:196
        allowedDirs.push(path.resolve(process.env.BLOB_STORAGE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #178130e494b3720e Environment-variable access.
repo/packages/components/src/validator.ts:213
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #266b148c4d0ad1d9 Environment-variable access.
repo/packages/components/src/validator.ts:290
    if (process.env.DATABASE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #928e023d042b8fe9 Environment-variable access.
repo/packages/components/src/validator.ts:291
        dirs.push(path.resolve(process.env.DATABASE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #440873cdf0728863 Environment-variable access.
repo/packages/components/src/validator.ts:324
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a454d6e5be8be78 Environment-variable access.
repo/packages/components/src/validator.ts:423
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96416bf023424040 Environment-variable access.
repo/packages/server/bin/dev:9
process.env.NODE_ENV = 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b137445cd005038 Environment-variable access.
repo/packages/server/src/AppConfig.ts:2
    showCommunityNodes: process.env.SHOW_COMMUNITY_NODES ? process.env.SHOW_COMMUNITY_NODES.toLowerCase() === 'true' : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcb62da381676fd2 Environment-variable access.
repo/packages/server/src/CachePool.ts:15
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0110753c9aa78436 Environment-variable access.
repo/packages/server/src/CachePool.ts:16
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbb036f23cabbaaa Environment-variable access.
repo/packages/server/src/CachePool.ts:17
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5905105f54d9904f Environment-variable access.
repo/packages/server/src/CachePool.ts:19
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f7d7004d03d4390 Environment-variable access.
repo/packages/server/src/CachePool.ts:20
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #297889991338ab26 Environment-variable access.
repo/packages/server/src/CachePool.ts:25
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4df1bbfc0c424b48 Environment-variable access.
repo/packages/server/src/CachePool.ts:26
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d74ac128747dbb2c Environment-variable access.
repo/packages/server/src/CachePool.ts:27
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc2593b362b94184 Environment-variable access.
repo/packages/server/src/CachePool.ts:28
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596363f88633556e Environment-variable access.
repo/packages/server/src/CachePool.ts:30
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94ca9b7b5801356b Environment-variable access.
repo/packages/server/src/CachePool.ts:32
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebae8706f79f6f41 Environment-variable access.
repo/packages/server/src/CachePool.ts:33
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3f52c49b98259ec Environment-variable access.
repo/packages/server/src/CachePool.ts:34
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f048284e79a3c88 Environment-variable access.
repo/packages/server/src/CachePool.ts:38
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc72757181d7618 Environment-variable access.
repo/packages/server/src/CachePool.ts:39
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e592ca224084781 Environment-variable access.
repo/packages/server/src/CachePool.ts:52
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e1c502c912d3bd5 Environment-variable access.
repo/packages/server/src/CachePool.ts:63
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8cadc48768e4107 Environment-variable access.
repo/packages/server/src/CachePool.ts:77
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f610600cfbc113d2 Environment-variable access.
repo/packages/server/src/CachePool.ts:92
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6a0655c01bc1d02 Environment-variable access.
repo/packages/server/src/CachePool.ts:108
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a34c4f491c1d63d Environment-variable access.
repo/packages/server/src/CachePool.ts:125
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73fc8ee0a13953a0 Environment-variable access.
repo/packages/server/src/CachePool.ts:135
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #126ecc89b88808d6 Environment-variable access.
repo/packages/server/src/CachePool.ts:146
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7ea9972ccd9a211 Environment-variable access.
repo/packages/server/src/CachePool.ts:164
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #442e574ace3c7171 Filesystem access.
repo/packages/server/src/DataSource.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ef0c4f9a5211f73 Environment-variable access.
repo/packages/server/src/DataSource.ts:21
    switch (process.env.DATABASE_TYPE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #030ed156c6f1a21d Environment-variable access.
repo/packages/server/src/DataSource.ts:23
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a4248a9730b5ddd Environment-variable access.
repo/packages/server/src/DataSource.ts:36
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c36b2347f279bf2d Environment-variable access.
repo/packages/server/src/DataSource.ts:37
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd70e936969d0038 Environment-variable access.
repo/packages/server/src/DataSource.ts:38
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f14ef6365d4976ea Environment-variable access.
repo/packages/server/src/DataSource.ts:39
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #952e496fe1515888 Environment-variable access.
repo/packages/server/src/DataSource.ts:40
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7907a46699db9e4c Environment-variable access.
repo/packages/server/src/DataSource.ts:52
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b2f25781268cb26 Environment-variable access.
repo/packages/server/src/DataSource.ts:53
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de49a0dc4a943e19 Environment-variable access.
repo/packages/server/src/DataSource.ts:54
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c057562449346172 Environment-variable access.
repo/packages/server/src/DataSource.ts:55
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9950b1c4e417f7bb Environment-variable access.
repo/packages/server/src/DataSource.ts:56
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df9cff18bf880d54 Environment-variable access.
repo/packages/server/src/DataSource.ts:68
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f2969f6c12ccfe Environment-variable access.
repo/packages/server/src/DataSource.ts:69
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e9f79972a701ac0 Environment-variable access.
repo/packages/server/src/DataSource.ts:70
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05a5d09283e553b9 Environment-variable access.
repo/packages/server/src/DataSource.ts:71
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4a80eb317a8dbc2 Environment-variable access.
repo/packages/server/src/DataSource.ts:72
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5a23babbedeb976 Environment-variable access.
repo/packages/server/src/DataSource.ts:91
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45e629091a82968e Environment-variable access.
repo/packages/server/src/DataSource.ts:112
    if (process.env.DATABASE_SSL_KEY_BASE64) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04915779554c8cf7 Environment-variable access.
repo/packages/server/src/DataSource.ts:114
            rejectUnauthorized: process.env.DATABASE_REJECT_UNAUTHORIZED === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8a4a9d80119f27e Environment-variable access.
repo/packages/server/src/DataSource.ts:115
            ca: Buffer.from(process.env.DATABASE_SSL_KEY_BASE64, 'base64')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c1d472534943f02 Environment-variable access.
repo/packages/server/src/DataSource.ts:117
    } else if (process.env.DATABASE_SSL === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e31fd3ed18c29f88 Filesystem access.
repo/packages/server/src/IdentityManager.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0051f309414c859 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:60
        if (process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fb0de9cae7e910b Filesystem access.
repo/packages/server/src/IdentityManager.ts:91
            const publicKey = fs.readFileSync(path.join(__dirname, '../', 'src/enterprise/license/public.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f29540b206b009 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:103
        const LICENSE_URL = process.env.LICENSE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c0aff1d0d2d3d98 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:104
        const FLOWISE_EE_LICENSE_KEY = process.env.FLOWISE_EE_LICENSE_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4760ca4c96cccab Environment-variable access.
repo/packages/server/src/IdentityManager.ts:114
            if (process.env.OFFLINE === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0246a85ac4ed4a9f Environment-variable access.
repo/packages/server/src/IdentityManager.ts:402
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acf56bc0e3c6eb3d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:419
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c7691b35af2000d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:420
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3597f6047f0feb Environment-variable access.
repo/packages/server/src/IdentityManager.ts:421
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37087143661f0e4d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:435
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #739b3b22f5c6ee0b Environment-variable access.
repo/packages/server/src/IdentityManager.ts:436
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63e07218b8c0abff Environment-variable access.
repo/packages/server/src/IdentityManager.ts:437
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d289e015fd0b7b7a Environment-variable access.
repo/packages/server/src/IdentityManager.ts:493
                    productId = process.env.CLOUD_STARTER_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37fe944f8a663bab Environment-variable access.
repo/packages/server/src/IdentityManager.ts:496
                    productId = process.env.CLOUD_PRO_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c82a367ef3724448 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:499
                    productId = process.env.CLOUD_FREE_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #604875d2be31a95f Filesystem access.
repo/packages/server/src/NodesPool.ts:3
import { Dirent } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75a189525d16c1d8 Filesystem access.
repo/packages/server/src/NodesPool.ts:5
import { promises } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e605b6ad03d9d77 Environment-variable access.
repo/packages/server/src/NodesPool.ts:37
        const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5d39addc71df243 Environment-variable access.
repo/packages/server/src/StripeManager.ts:21
        if (!this.stripe && process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e815e8f3e76b8df Environment-variable access.
repo/packages/server/src/StripeManager.ts:22
            this.stripe = new Stripe(process.env.STRIPE_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d707d6c7867e3925 Environment-variable access.
repo/packages/server/src/StripeManager.ts:140
                return_url: `${process.env.APP_URL}/account`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69f0be842b194eb2 Environment-variable access.
repo/packages/server/src/StripeManager.ts:166
                product: process.env.CLOUD_STARTER_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a00d366aee2431fd Environment-variable access.
repo/packages/server/src/StripeManager.ts:170
                product: process.env.CLOUD_PRO_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed06bb1ffac3c93 Environment-variable access.
repo/packages/server/src/StripeManager.ts:174
                product: process.env.CLOUD_FREE_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3198ccc9129393bf Environment-variable access.
repo/packages/server/src/StripeManager.ts:178
                product: process.env.ADDITIONAL_SEAT_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #914d229e0c8acf32 Environment-variable access.
repo/packages/server/src/StripeManager.ts:201
                privacy_policy_url: `${process.env.APP_URL}/privacy-policy`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97f22a9fbba35a91 Environment-variable access.
repo/packages/server/src/StripeManager.ts:202
                terms_of_service_url: `${process.env.APP_URL}/terms-of-service`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5529548804084e9 Environment-variable access.
repo/packages/server/src/StripeManager.ts:245
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64342cdff1d78cd7 Environment-variable access.
repo/packages/server/src/StripeManager.ts:291
            const basePlanItem = subscription.items.data.find((item) => (item.price.product as string) !== process.env.ADDITIONAL_SEAT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ec6964b728d51a0 Environment-variable access.
repo/packages/server/src/StripeManager.ts:303
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f920a316a43ddad Environment-variable access.
repo/packages/server/src/StripeManager.ts:319
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55d1ec88178101b1 Environment-variable access.
repo/packages/server/src/StripeManager.ts:378
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959621b2873146d0 Environment-variable access.
repo/packages/server/src/StripeManager.ts:383
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0794a24aefa6bda Environment-variable access.
repo/packages/server/src/StripeManager.ts:463
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8898150af70b8c4b Environment-variable access.
repo/packages/server/src/StripeManager.ts:534
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdb061877538c460 Environment-variable access.
repo/packages/server/src/StripeManager.ts:546
                        plan_id: process.env.CLOUD_STARTER_ID || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e01a5739dd4d488 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:37
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad46d12d18bc00f9 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:39
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca9242dc076308b0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:41
                    url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66d70fb7bd8a62f7 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:44
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #887587ac6af5023d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:45
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cef0d2f9d2105c Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:49
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d18e870b9629e22a Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:50
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bd3e31dc686c644 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:55
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69abddc4a5c7949d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:56
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7032781f27ceb6b0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:58
                        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #923d737ea0663937 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:59
                        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6b45f5ea4e25a9c Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:60
                        tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29ce7bb4f436de5d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:61
                        cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21bacb0bdae3c6ba Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:62
                        key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e5de920bd66d2ad Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:63
                        ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9883c55b6049c0ef Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:65
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9520374f528f1371 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:66
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f546d43d4be9fc34 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:70
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed789e48b1b3e33f Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:71
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40354f35440072a0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:147
            (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0defdca180f072a Environment-variable access.
repo/packages/server/src/commands/base.ts:217
                process.env[key] = flags[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #106aaec516079097 Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:32
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb474c3f07ccd734 Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:56
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ee98e1e37933eb4 Filesystem access.
repo/packages/server/src/controllers/get-upload-file/index.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f4615d4e61636f Environment-variable access.
repo/packages/server/src/controllers/internal-predictions/index.ts:36
    const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #2c3c9afa934ba29c Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/controllers/nvidia-nim/index.ts:17
        const response = await axios.post('https://nts.ngc.nvidia.com/v1/token', data, { headers })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #984bddcb8370f9b5 Filesystem access.
repo/packages/server/src/controllers/openai-assistants/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cab7681ae17f4fd1 Environment-variable access.
repo/packages/server/src/controllers/predictions/index.ts:67
                const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #497ac9533b71ad97 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:6
            FREE: process.env.CLOUD_FREE_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7c1c83d5701a608 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:7
            STARTER: process.env.CLOUD_STARTER_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59386c7a7440a21b Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:8
            PRO: process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #758579fa59a4a270 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:16
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b690db0c72f370ec Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:17
            redisClient = new Redis(process.env.REDIS_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d073b848584cf0f Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:20
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a434460184d30f6 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:21
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99f5eb4287ed34ec Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:22
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3e77cc509ccfdf8 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:23
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e188d99ce169f73 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:25
                    process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e2b1573fe5bb716 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:27
                              cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7d62aabe6f08ef Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:28
                              key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b71da7166882e02d Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:29
                              ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf83617755836e53 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:44
    const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c81a3af9d69965bc Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:50
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa4a2a5c4310dcd5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:51
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc778e9cc3944e70 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:52
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d16b07f94740fc5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:53
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #336bcb3051345dd5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:54
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #488fafd70431f20f Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:73
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb01626b350709d9 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:74
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79d88f6805c6341d Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:75
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4ccbbe74ed73a19 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:76
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf4625d440fede8b Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:77
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae4d184afd12d8c0 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:93
            const homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abd127d51f954407 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:153
            const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db1578b97577dd72 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:36
const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4240d41d5cc6e60e Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:42
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8c49c31045fbf08 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:44
        : process.env.SECURE_COOKIES === 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0de3954408ea2d8b Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:46
        : process.env.SECURE_COOKIES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67040a3dba67eb19 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:48
        : process.env.APP_URL?.startsWith('https')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eb9f846d34942fe Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:68
        if (process.env.MODE === 'queue') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a78e6c69263d5448 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:371
        expiryInMinutes = process.env.JWT_TOKEN_EXPIRY_IN_MINUTES ? parseInt(process.env.JWT_TOKEN_EXPIRY_IN_MINUTES) : 60

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40439a7e101fcec3 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:391
        expiryInMinutes = process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #017b120e3a3559fa Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:392
            ? parseInt(process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959d67d4dc6af042 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:155
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0f4633c1993b9f9 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:218
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e220baa79a138fe1 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:373
                const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d3152306f7a306a Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:446
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f87cb5129cdc97bb Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:637
            const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f8aca102f177902 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:638
                ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d86b8cef316e5d24 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:878
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #027a8ee471786a03 Environment-variable access.
repo/packages/server/src/enterprise/sso/Auth0SSO.ts:49
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fa59b649c210ee9 Environment-variable access.
repo/packages/server/src/enterprise/sso/AzureSSO.ts:21
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #647ad6b2349efbaf Environment-variable access.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:17
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #7b06a2fed5efcfe0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:38
                        const emailResponse = await fetch('https://api.github.com/user/emails', {
                            headers: {
                                Authorization: `token ${accessToken}`,
                                'User-Agent': 'Node.js'
                            }
                        })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c0cbd174a83bae8a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:106
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    code: 'dummy_code_for_testing'
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d13872fa5d12dc96 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:133
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    grant_type: 'refresh_token',
                    refresh_token: currentRefreshToken
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #629b24633e9b1ff5 Environment-variable access.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:20
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cfeed7868de29a4a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:141
            const response = await axios.post(
                `https://oauth2.googleapis.com/token`,
                new URLSearchParams({
                    client_id: clientID || '',
                    client_secret: clientSecret || '',
                    grant_type: 'refresh_token',
                    refresh_token: ssoRefreshToken,
                    scope: 'refresh_token'
                }).toString(),
                {
                    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
                }
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #03a404de33d1af8a Environment-variable access.
repo/packages/server/src/enterprise/utils/encryption.util.ts:6
    return parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '10', 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b3cc480b8a7e9a5 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:7
const SMTP_HOST = process.env.SMTP_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5806722cbb6cd7b1 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:8
const SMTP_PORT = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42e7b8921ba1e9b3 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:9
const SMTP_USER = process.env.SMTP_USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f073ef9e02a9dad Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:10
const SMTP_PASSWORD = process.env.SMTP_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #180f7f65a1f80400 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:13
    const port = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13ba19d2b0143c1e Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:15
        process.env.SMTP_HOST?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb808bc1e3b2541d Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:16
            process.env.SMTP_USER?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ba1ed2e141a36fe Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:17
            process.env.SMTP_PASSWORD?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebbb6b9d18fe0a8c Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:18
            process.env.SMTP_PORT &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43c5fbe2c4f0bf19 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:22
const SENDER_EMAIL = process.env.SENDER_EMAIL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2357b167e088bd49 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:23
const SMTP_SECURE = process.env.SMTP_SECURE ? process.env.SMTP_SECURE === 'true' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d955f87d2bcc83e2 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:24
const TLS = process.env.ALLOW_UNAUTHORIZED_CERTS ? { rejectUnauthorized: false } : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd0692e221d12693 Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:40
            return fs.readFileSync(userTemplatePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7d62c778d94dfa6 Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:45
    return fs.readFileSync(path.join(__dirname, '../', 'emails', defaultTemplateName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e94d26091128fd9 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:52
    const template = getEmailTemplate('workspace_add_cloud.hbs', process.env.WORKSPACE_INVITE_TEMPLATE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #194dca5b7ca271e0 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:80
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f07f2f44f0c1987 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:84
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f26b7e1ad7fd254a Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:100
    const passwordResetTemplateSource = fs.readFileSync(path.join(__dirname, '../', 'emails', 'workspace_user_reset_password.hbs'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfe5da9f518769d4 Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:80
        const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8b0ab4431abaa94 Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:85
        const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3283e93e84669e Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:86
            ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f1b31aa26ce9410 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:11
    const originalEnv = process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ea78cfe515ef8a5 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:15
            process.env.APP_URL = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5aa65c28ed72b50 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:17
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37f463087acc58c5 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:23
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d995990a471d5a44 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:28
            process.env.APP_URL = 'example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f277329cdfd306b9 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:33
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e817969cb50c4771 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:38
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beb672bbaf4ad275 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:44
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5937c18d81a9559c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:49
            process.env.APP_URL = 'http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d211dede46c5c78 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:54
            process.env.APP_URL = 'http://[::1]:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3958f6d97af0ef1e Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:59
            process.env.APP_URL = 'http://0.0.0.0:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e4a112fd6c44821 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:64
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe44de3012efc2fd Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:69
            process.env.APP_URL = 'https://example.com/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e4152a7e85f6c7 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:74
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cbdf5c06372635d Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:79
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c981d45db199b76 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:86
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9044c4fe22e82a6 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:92
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4786b5bb1179b65 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:98
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #825b09c52eb95f35 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:104
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fa2e42a715ab247 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:113
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92c42f52d787bee4 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:120
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0875539da6fa129c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:126
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97ca8702ed4d196d Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.ts:11
    const appUrl = process.env.APP_URL || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f51af8e751081ca7 Environment-variable access.
repo/packages/server/src/index.ts:137
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1c89b189876522 Environment-variable access.
repo/packages/server/src/index.ts:174
        const flowise_file_size_limit = process.env.FLOWISE_FILE_SIZE_LIMIT || '50mb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #684b34148f0fae1f Environment-variable access.
repo/packages/server/src/index.ts:184
        let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #def557d74aa620a4 Environment-variable access.
repo/packages/server/src/index.ts:223
        const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e12dfb06ef258a81 Environment-variable access.
repo/packages/server/src/index.ts:305
        if (process.env.ENABLE_METRICS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9afd3db6da5eb575 Environment-variable access.
repo/packages/server/src/index.ts:306
            switch (process.env.METRICS_PROVIDER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaad25dda9feae71 Environment-variable access.
repo/packages/server/src/index.ts:339
        if (process.env.MODE === MODE.QUEUE && process.env.ENABLE_BULLMQ_DASHBOARD === 'true' && !this.identityManager.isCloud()) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3adfd16e2a92709 Environment-variable access.
repo/packages/server/src/index.ts:346
                process.env.ADMIN_RATE_LIMIT_MESSAGE || 'Too many requests to admin dashboard, please try again later.'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2470d35678750a25 Environment-variable access.
repo/packages/server/src/index.ts:392
    const host = process.env.HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47d8080043300699 Environment-variable access.
repo/packages/server/src/index.ts:393
    const port = parseInt(process.env.PORT || '', 10) || 3000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e9ac53bcd097e6c Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:29
        if (!process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe594466d53101ab Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:33
        if (process.env.METRICS_OPEN_TELEMETRY_DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8442b3a503c09f9 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:51
                [ATTR_SERVICE_NAME]: process.env.METRICS_SERVICE_NAME || 'FlowiseAI',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebae51d9bf8be24a Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:55
            const metricProtocol = process.env.METRICS_OPEN_TELEMETRY_PROTOCOL || 'http' // Default to 'http'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75d99d169a04ee5e Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:79
                url: process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT // OTLP endpoint for metrics

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #537eb47d657074da Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:26
        const serviceName: string = process.env.METRICS_SERVICE_NAME || 'FlowiseAI'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #577e8eb5519a1de3 Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:155
        if (process.env.METRICS_INCLUDE_NODE_METRICS !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8f3e05ddaacb1c9 Environment-variable access.
repo/packages/server/src/middlewares/errors/index.ts:16
        stack: process.env.NODE_ENV === 'development' ? err.stack : {}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f35b6832e23bb550 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:5
const QUEUE_REDIS_EVENT_STREAM_MAX_LEN = process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8fec69aa8ae9e2e Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:6
    ? parseInt(process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d625aa07ce859a8 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:8
const WORKER_CONCURRENCY = process.env.WORKER_CONCURRENCY ? parseInt(process.env.WORKER_CONCURRENCY) : 100000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b3717705840e0d0 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:9
const REMOVE_ON_AGE = process.env.REMOVE_ON_AGE ? parseInt(process.env.REMOVE_ON_AGE) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cacbc6c86a2fba4 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:10
const REMOVE_ON_COUNT = process.env.REMOVE_ON_COUNT ? parseInt(process.env.REMOVE_ON_COUNT) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e851266bd738f1b Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:18
const QUEUE_NAME = process.env.QUEUE_NAME || 'flowise-queue'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ad2bd00f7d302b2 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:30
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #105a4e0e04bddb2e Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:32
            if (process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5794f9069c9efe3 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:36
            } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #425d18e3589814d6 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:38
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a898d991fb923e76 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:39
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5443a7090ae72a7 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:40
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dcc8ccca0fff003 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:44
                url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff742288b5333b5c Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:48
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a78ba5cafa463aac Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:49
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fffb5811f1da7d3a Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:54
            if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #383ff9a358ef24a8 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:56
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11e9286acbf721e0 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:57
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f95569456a83bba Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:58
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f94b3898d43bc9eb Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:62
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad0c6d1b00b2d046 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:63
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a9e2bff11a41fc3 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:64
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7403979faf47e53 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:65
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0e38f85590d4f9b Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:69
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b10539790b0a3be4 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:70
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eefcc1bfb482b572 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:60
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #587088577bd3e4cb Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:98
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5d59a17654ddbb2 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:142
        process.env.MCP_CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d13a9795583091c Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:147
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b97739c0b014485 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:180
        process.env.MCP_CORS_ORIGINS = 'https://allowed.example.com, https://also-allowed.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10184d3b8276f9a9 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:185
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3d7822697cf3ed8 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.ts:13
const mcpCorsOrigins = process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de333fc950b974a3 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:90
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #893a838617a00b11 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:91
    if (mode) process.env.MODE = mode

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69fd781ed533fb9c Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:115
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3a8e51c604a437b Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.ts:33
        this.isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31346ae86db2954c Environment-variable access.
repo/packages/server/src/schedule/ScheduleExecutor.ts:206
            baseURL: process.env.APP_URL ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90bddfe788445d49 Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:6
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdb7d26446565359 Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:85
    const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2556232994add9f Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:109
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a97d87baf3b619f Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:202
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3de17a19deeec8c8 Environment-variable access.
repo/packages/server/src/services/chat-messages/index.ts:195
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abbbf9db1e5dbc73 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:691
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7dda682f1804dd6d Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:693
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c01909909b64690f Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:694
            else process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9b28f4c09116b16 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:698
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '50'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #547913a6b0d4e2a6 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:720
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da59cbc5a368c21b Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:749
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cebead9276c8fe91 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:751
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9b9a29152b251dc Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:752
            else process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9723476b78a5ecc6 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:758
            process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = '1000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb1a806597c4588a Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:19
    const raw = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce4fef4f68e9ba25 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:27
    const raw = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0828672fedd47f1 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:699
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5fff95379ac8823 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:907
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #987e5d3adc40e611 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:1326
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9fb68ba1db92b0c Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2057
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52128979869fa984 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2132
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8101c33faa4b8f67 Environment-variable access.
repo/packages/server/src/services/export-import/index.ts:891
                            const baseURL = process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5b3560ea2403a2a Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:18
        if (process.env.DEBUG === 'true') console.info(`Start ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c38671710a81314f Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:20
        if (process.env.DEBUG === 'true') console.info(`Finish ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd1460c9d92a2584 Filesystem access.
repo/packages/server/src/services/log/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a62e89c70218536d Environment-variable access.
repo/packages/server/src/services/log/index.ts:73
            const filePath = process.env.LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b57a87671a776ec9 Environment-variable access.
repo/packages/server/src/services/log/index.ts:74
                ? path.resolve(process.env.LOG_PATH, `server.log.${date}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b33dc7be1f3324c1 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60c807671caacd1c Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:37
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efb32f728711e391 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:58
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6717f8e8f210b3b9 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:99
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #776ef93b4b2a6591 Environment-variable access.
repo/packages/server/src/services/nodes/index.ts:149
    if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e722965897dec578 Environment-variable access.
repo/packages/server/src/services/schedule/utils.ts:10
const MIN_SCHEDULE_INTERVAL_SECONDS = Math.max(1, parseInt(process.env.MIN_SCHEDULE_INTERVAL_SECONDS || '60', 10) || 60)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85ae1412ed40192e Filesystem access.
repo/packages/server/src/services/versions/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b05a7cbfe7090ef2 Filesystem access.
repo/packages/server/src/services/versions/index.ts:29
            const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f5d8ca2d57ece5a Environment-variable access.
repo/packages/server/src/services/webhook-listener/registry.ts:217
    if (process.env.MODE === MODE.QUEUE && redisEventSubscriber) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #485661b654917fd3 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:22
    const SAVED_CORS_ORIGINS = process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7d6187874f0069e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:23
    const SAVED_CORS_ALLOW_CREDENTIALS = process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0f463cee431747e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:26
        if (SAVED_CORS_ORIGINS !== undefined) process.env.CORS_ORIGINS = SAVED_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32bd6ffc7cc67f92 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:27
        else delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40e70c7a37b9c70c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:28
        if (SAVED_CORS_ALLOW_CREDENTIALS !== undefined) process.env.CORS_ALLOW_CREDENTIALS = SAVED_CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4746e381fb06ca9 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:29
        else delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5963b527ce4c17bd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:33
        if (corsOrigins === undefined) delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae106048be37797a Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:34
        else process.env.CORS_ORIGINS = corsOrigins

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf90f7248e5868d8 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:35
        if (corsAllowCredentials === undefined) delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18b500b23a91563e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:36
        else process.env.CORS_ALLOW_CREDENTIALS = corsAllowCredentials

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db0990dc312cb4ac Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:71
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1dc23cfe46b58f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:72
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14ac0bb5613a5ed Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:78
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f264fd18fbcdfdb3 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:79
            delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1620bffa9d136f5 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:85
            process.env.CORS_ORIGINS = 'https://trusted.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6b5048687dec854 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:86
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #615b66521bc5c982 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:94
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cbb5b7014226588 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:99
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2445e330cc719a3c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:101
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3313557e4bc94a9 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:107
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43db710ea503a068 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:112
            process.env.IFRAME_ORIGINS = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce86bb453904257 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:117
            process.env.IFRAME_ORIGINS = '   '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a59f23cd498582e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:124
            process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43e1e5c4dbc442bc Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:129
            process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2aa1a4d002c5824b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:134
            process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6195c784ff555916 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:141
            process.env.IFRAME_ORIGINS = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6ae9cc161e087b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:146
            process.env.IFRAME_ORIGINS = '  https://example.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7897e897a5265dfd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:153
            process.env.IFRAME_ORIGINS = 'https://domain1.com,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #512087d8878fc86e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:158
            process.env.IFRAME_ORIGINS = 'https://domain1.com, https://domain2.com, https://domain3.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30b102d563746cb4 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:163
            process.env.IFRAME_ORIGINS = '  https://app.com  ,  https://admin.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f49cd2edf1fcbcac Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:170
            process.env.IFRAME_ORIGINS = 'https://localhost:3000,https://localhost:4000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8376ee7f5f1c1820 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:175
            process.env.IFRAME_ORIGINS = 'https://example.com/path1,https://example.com/path2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7797d247a31572d7 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:180
            process.env.IFRAME_ORIGINS = 'http://example.com,https://secure.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5411de45bfd6ee1f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:185
            process.env.IFRAME_ORIGINS = 'https://example.com,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69120bbe5b1aafef Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:190
            process.env.IFRAME_ORIGINS = ',https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbc6f0ee53f52d1f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:195
            process.env.IFRAME_ORIGINS = 'https://domain1.com,,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ed2499f15b24a10 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:202
            process.env.IFRAME_ORIGINS = 'https://app.example.com,https://admin.example.com,https://dashboard.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd12d9f197f1b9cc Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:207
            process.env.IFRAME_ORIGINS = 'http://localhost:3000,http://localhost:3001,http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a822d1b073d8b8c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:212
            process.env.IFRAME_ORIGINS = "'self',https://trusted.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fd90cda39fa237e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:219
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e3c1eaeefa86102 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:223
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff288a74c5d6235b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:225
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5814e795091ccf0e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:230
        process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c92ef07c983ca54 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:237
        process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e6285bbc50b566c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:245
        process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c91cd886460c86dd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:253
        process.env.IFRAME_ORIGINS = 'https://embed.example.com,https://admin.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd36f7bbf22b6db7 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:26
    return process.env.CORS_ORIGINS ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84f774d7cc02a49 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:30
    return process.env.CORS_ALLOW_CREDENTIALS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c25969220c16fe14 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:34
    const appUrl = process.env.APP_URL?.trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b13d2a55ab1b6386 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:161
    const origins = (process.env.IFRAME_ORIGINS?.trim() || undefined) ?? "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbb2ab334fa40f6c Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:174
const MAX_LOOP_COUNT = process.env.MAX_LOOP_COUNT ? parseInt(process.env.MAX_LOOP_COUNT) : 10

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c809ee91507708d Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:1912
    const maxIterations = process.env.MAX_ITERATIONS ? parseInt(process.env.MAX_ITERATIONS) : 1000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04be72b4dad55868 Environment-variable access.
repo/packages/server/src/utils/buildChatflow.ts:1084
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05eecc595582a2f3 Environment-variable access.
repo/packages/server/src/utils/config.ts:10
    dir: process.env.LOG_PATH ?? path.join(__dirname, '..', '..', 'logs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0642ad8456571b1e Environment-variable access.
repo/packages/server/src/utils/config.ts:12
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3083992e9a33250f Environment-variable access.
repo/packages/server/src/utils/config.ts:17
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2a3471ecc2dc61e Filesystem access.
repo/packages/server/src/utils/index.ts:6
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #692cbbc71fbbd259 Environment-variable access.
repo/packages/server/src/utils/index.ts:76
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7c9e77eca94d951 Environment-variable access.
repo/packages/server/src/utils/index.ts:78
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5867cf6fc058d599 Environment-variable access.
repo/packages/server/src/utils/index.ts:79
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bb92c82efc76e1a Environment-variable access.
repo/packages/server/src/utils/index.ts:80
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9335f0f00bc03ff Environment-variable access.
repo/packages/server/src/utils/index.ts:120
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a126849c4934b142 Environment-variable access.
repo/packages/server/src/utils/index.ts:125
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #712db78273b688b7 Environment-variable access.
repo/packages/server/src/utils/index.ts:852
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03f9fd5750e52317 Environment-variable access.
repo/packages/server/src/utils/index.ts:1554
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79042c03ef065c30 Environment-variable access.
repo/packages/server/src/utils/index.ts:1555
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24843c782549cc4b Environment-variable access.
repo/packages/server/src/utils/index.ts:1558
        const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e8ed596c1038330 Filesystem access.
repo/packages/server/src/utils/index.ts:1581
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3536dfc12f7c0277 Environment-variable access.
repo/packages/server/src/utils/index.ts:1584
        const defaultLocation = process.env.SECRETKEY_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec1347bfcfab1179 Environment-variable access.
repo/packages/server/src/utils/index.ts:1585
            ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f17be6af37e1337 Filesystem access.
repo/packages/server/src/utils/index.ts:1587
        await fs.promises.writeFile(defaultLocation, encryptKey)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00e3187dd1e4f9c1 Environment-variable access.
repo/packages/server/src/utils/index.ts:1670
    return process.env.SECRETKEY_PATH ? process.env.SECRETKEY_PATH : path.join(getUserHome(), '.flowise')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b06fdb1318e89f13 Environment-variable access.
repo/packages/server/src/utils/index.ts:1697
    const envVal = process.env[envKey]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d2ab1ece08c33d1 Environment-variable access.
repo/packages/server/src/utils/index.ts:1704
        const prefix = process.env.SECRETKEY_AWS_AUTH_PREFIX || 'Flowise'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d24728121de76ed Filesystem access.
repo/packages/server/src/utils/index.ts:1729
        return await fs.promises.readFile(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e91117d8f379d88 Filesystem access.
repo/packages/server/src/utils/index.ts:1735
        await fs.promises.writeFile(filePath, value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #945a42eaa657ca7b Filesystem access.
repo/packages/server/src/utils/index.ts:1981
        const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099a9efb68053a78 Environment-variable access.
repo/packages/server/src/utils/index.ts:2019
    return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5763563bd916b69f Environment-variable access.
repo/packages/server/src/utils/index.ts:2020
        ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3372fa9bcd55e7c Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:127
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70ef9d9eba62833 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:128
            process.env.LOG_SANITIZE_BODY_FIELDS = 'password,secret'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8db3d8eb8abc8d0 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:129
            process.env.LOG_SANITIZE_HEADER_FIELDS = 'authorization'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1162457906f2da9a Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:146
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a12fcbbfd04c34 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:147
            delete process.env.LOG_SANITIZE_BODY_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04356c91e438bea Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:148
            delete process.env.LOG_SANITIZE_HEADER_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c50fe70cb853a068 Filesystem access.
repo/packages/server/src/utils/logger.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #678f1bd81e0e5169 Environment-variable access.
repo/packages/server/src/utils/logger.ts:40
    exceptionHandlers: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...errorTransports],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d8894a736537f67 Environment-variable access.
repo/packages/server/src/utils/logger.ts:42
        ...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcaf2f7a69f37165 Environment-variable access.
repo/packages/server/src/utils/logger.ts:45
        ...((!process.env.DEBUG || process.env.DEBUG !== 'true') && errorTransports.length === 0 ? [new transports.Console()] : [])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f24d51bc0a3e3e4c Environment-variable access.
repo/packages/server/src/utils/logger.ts:54
    transports: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...requestTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a98a97b3de07236 Environment-variable access.
repo/packages/server/src/utils/logger.ts:58
    if (!process.env.LOG_SANITIZE_BODY_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc6500dd7fede1fc Environment-variable access.
repo/packages/server/src/utils/logger.ts:59
    return (process.env.LOG_SANITIZE_BODY_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25a92b880df5a790 Environment-variable access.
repo/packages/server/src/utils/logger.ts:66
    if (!process.env.LOG_SANITIZE_HEADER_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9d1a5556a3501a6 Environment-variable access.
repo/packages/server/src/utils/logger.ts:67
    return (process.env.LOG_SANITIZE_HEADER_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70acaa051ad743bd Environment-variable access.
repo/packages/server/src/utils/logger.ts:96
        const isDebugLevel = logger.level === 'debug' || process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6251e81dce196ab8 Environment-variable access.
repo/packages/server/src/utils/logger.ts:151
    transports: [...(process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...auditTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d84df1d90cf90f6 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:44
    delete process.env.OAUTH2_SECURITY_CHECK

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17bacc65bf9ca7eb Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:45
    delete process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61a68908cef45a55 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:63
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom.example.com, another.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4015b1991054659 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:73
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'github.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cfc611726f0ebc3 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:80
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afa30cf58d758ccf Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:81
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'my.corp.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8a63a4ae60dd048 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:87
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e56dc3efda058708 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:93
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = '  MyDomain.COM , UPPER.IO  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59abb1571f7d4f90 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:100
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = ',,,valid.com,,,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48ae34a94734d74d Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:137
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom-idp.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faff9f5cec7ad2aa Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:148
            process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fa9f1cbc09dc302 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:156
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb6510eecddaa9d3 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:161
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee66375a39cd248d Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:166
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'myidp.local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27f4f4988e1a0c38 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:4
    return (process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #396bdfcf3bc7a89a Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:21
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #150b2408b0e1a6bd Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:49
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f442bad59d039d4b Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:25
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd49200ac4a0f82c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:26
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af1275c8119b1a1c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:27
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a739fee50b702d7 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:29
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38175a94837a6657 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:30
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fb017f444343593 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:35
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #befcb05dd30319de Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:36
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a689ad70156a68d Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:37
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4eab4401f7b6243 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:38
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ed1607946bc13be Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:40
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #374fc7686eb73c4d Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:42
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a761c482799cc6b3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:43
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #063062e5570f1f70 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:44
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cad37cecd6c4970 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:48
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09141844111f105f Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:49
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959e14fe903c118c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:60
        if (process.env.REDIS_URL && process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5000e85e388e47e Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:64
        } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f68df291f58e80a9 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:66
                cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #530e5ace396dc3a3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:67
                key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a0ba526461c5381 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:68
                ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9f6bdb3ae5af0e9 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:72
            url: process.env.REDIS_URL || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d096d5e6051b1deb Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:73
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619ffd90f103cf1e Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:74
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a29447c022120e4 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:75
            username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68ab643daf9b27b3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:76
            password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5159a92b5daa4730 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:81
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d670043eee44f2dc Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:82
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4f8ba7fb1e67cb6 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:97
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #926170138a70d7bc Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:160
        if (!isInitialized && process.env.MODE === MODE.QUEUE && this.queueEventsProducer) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75ad95afed5e5100 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:184
        if (process.env.MODE === MODE.QUEUE && this.queueEvents) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #624ea4dfc61546cb Environment-variable access.
repo/packages/server/src/utils/redis.ts:4
    const keepAliveRaw = process.env.REDIS_KEEP_ALIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40dcc5c52923224 Environment-variable access.
repo/packages/server/src/utils/redis.ts:7
    if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40275ba6a955adc4 Environment-variable access.
repo/packages/server/src/utils/redis.ts:9
            url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0218ef1bb175e85 Environment-variable access.
repo/packages/server/src/utils/redis.ts:16
        username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0abb2f98c7ae4c5b Environment-variable access.
repo/packages/server/src/utils/redis.ts:17
        password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6331133c6ad2462f Environment-variable access.
repo/packages/server/src/utils/redis.ts:19
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d0ddc1c1f2ccf68 Environment-variable access.
repo/packages/server/src/utils/redis.ts:20
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80dd83f40475d2dc Environment-variable access.
repo/packages/server/src/utils/redis.ts:21
            tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa151befbf3d0b80 Environment-variable access.
repo/packages/server/src/utils/redis.ts:22
            cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b45a2dd00bb2ae3e Environment-variable access.
repo/packages/server/src/utils/redis.ts:23
            key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #274c6b6564963cbe Environment-variable access.
repo/packages/server/src/utils/redis.ts:24
            ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58fc754fe3266b40 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:67
            delete process.env.POSTHOG_PUBLIC_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4738596d348d180 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:74
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84c15b93f38d61af Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:97
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a3676506ea0cb85 Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:18
        if (process.env.POSTHOG_PUBLIC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af770e4230194aa2 Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:19
            this.postHog = new PostHog(process.env.POSTHOG_PUBLIC_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a70c00d24c84882b Environment-variable access.
repo/packages/server/src/utils/upsertVector.ts:307
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d5a7adbd1d5263b2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/layout/MainLayout/Header/index.jsx:202
                    const response = await fetch('https://api.github.com/repos/FlowiseAI/Flowise')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #7eda2c56de08e99a Environment-variable access.
repo/packages/ui/src/serviceWorker.js:90
    if (process.env.NODE_ENV === 'production' && 'serviceWorker' in navigator) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0435081b09252752 Environment-variable access.
repo/packages/ui/src/serviceWorker.js:92
        const publicUrl = new URL(process.env.PUBLIC_URL, window.location.href)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f5441363f57b623 Environment-variable access.
repo/packages/ui/src/serviceWorker.js:101
            const swUrl = `${process.env.PUBLIC_URL}/service-worker.js`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #f9c4bd12ec071719 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/ui-component/dialog/AboutDialog.jsx:16
            const latestReleaseReq = axios.get('https://api.github.com/repos/FlowiseAI/Flowise/releases/latest')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #891ac636eb46123f Environment-variable access.
repo/packages/ui/vite.config.js:47
            port: process.env.VITE_PORT ?? 8080,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d37b547000ec0c4 Environment-variable access.
repo/packages/ui/vite.config.js:48
            host: process.env.VITE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/server

npm first-party
high pii_flow production #82c98ed390ce6656 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:140 · flow /tmp/closeopen-d65y7tid/repo/packages/server/src/IdentityManager.ts:103 → /tmp/closeopen-d65y7tid/repo/packages/server/src/IdentityManager.ts:140
                    const response = await axios.post(`${LICENSE_URL}/enterprise/verify`, { license: FLOWISE_EE_LICENSE_KEY })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #4ff4a86637639ce2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.test.ts:36
const posthogNode = require('posthog-node')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a676ad469113e0de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.ts:2
import { PostHog } from 'posthog-node'

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 460 low-confidence finding(s)
low env_fs production #96416bf023424040 Environment-variable access.
repo/packages/server/bin/dev:9
process.env.NODE_ENV = 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b137445cd005038 Environment-variable access.
repo/packages/server/src/AppConfig.ts:2
    showCommunityNodes: process.env.SHOW_COMMUNITY_NODES ? process.env.SHOW_COMMUNITY_NODES.toLowerCase() === 'true' : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcb62da381676fd2 Environment-variable access.
repo/packages/server/src/CachePool.ts:15
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0110753c9aa78436 Environment-variable access.
repo/packages/server/src/CachePool.ts:16
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbb036f23cabbaaa Environment-variable access.
repo/packages/server/src/CachePool.ts:17
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5905105f54d9904f Environment-variable access.
repo/packages/server/src/CachePool.ts:19
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f7d7004d03d4390 Environment-variable access.
repo/packages/server/src/CachePool.ts:20
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #297889991338ab26 Environment-variable access.
repo/packages/server/src/CachePool.ts:25
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4df1bbfc0c424b48 Environment-variable access.
repo/packages/server/src/CachePool.ts:26
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d74ac128747dbb2c Environment-variable access.
repo/packages/server/src/CachePool.ts:27
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc2593b362b94184 Environment-variable access.
repo/packages/server/src/CachePool.ts:28
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596363f88633556e Environment-variable access.
repo/packages/server/src/CachePool.ts:30
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94ca9b7b5801356b Environment-variable access.
repo/packages/server/src/CachePool.ts:32
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebae8706f79f6f41 Environment-variable access.
repo/packages/server/src/CachePool.ts:33
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3f52c49b98259ec Environment-variable access.
repo/packages/server/src/CachePool.ts:34
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f048284e79a3c88 Environment-variable access.
repo/packages/server/src/CachePool.ts:38
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc72757181d7618 Environment-variable access.
repo/packages/server/src/CachePool.ts:39
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e592ca224084781 Environment-variable access.
repo/packages/server/src/CachePool.ts:52
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e1c502c912d3bd5 Environment-variable access.
repo/packages/server/src/CachePool.ts:63
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8cadc48768e4107 Environment-variable access.
repo/packages/server/src/CachePool.ts:77
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f610600cfbc113d2 Environment-variable access.
repo/packages/server/src/CachePool.ts:92
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6a0655c01bc1d02 Environment-variable access.
repo/packages/server/src/CachePool.ts:108
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a34c4f491c1d63d Environment-variable access.
repo/packages/server/src/CachePool.ts:125
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73fc8ee0a13953a0 Environment-variable access.
repo/packages/server/src/CachePool.ts:135
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #126ecc89b88808d6 Environment-variable access.
repo/packages/server/src/CachePool.ts:146
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7ea9972ccd9a211 Environment-variable access.
repo/packages/server/src/CachePool.ts:164
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #442e574ace3c7171 Filesystem access.
repo/packages/server/src/DataSource.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ef0c4f9a5211f73 Environment-variable access.
repo/packages/server/src/DataSource.ts:21
    switch (process.env.DATABASE_TYPE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #030ed156c6f1a21d Environment-variable access.
repo/packages/server/src/DataSource.ts:23
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a4248a9730b5ddd Environment-variable access.
repo/packages/server/src/DataSource.ts:36
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c36b2347f279bf2d Environment-variable access.
repo/packages/server/src/DataSource.ts:37
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd70e936969d0038 Environment-variable access.
repo/packages/server/src/DataSource.ts:38
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f14ef6365d4976ea Environment-variable access.
repo/packages/server/src/DataSource.ts:39
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #952e496fe1515888 Environment-variable access.
repo/packages/server/src/DataSource.ts:40
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7907a46699db9e4c Environment-variable access.
repo/packages/server/src/DataSource.ts:52
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b2f25781268cb26 Environment-variable access.
repo/packages/server/src/DataSource.ts:53
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de49a0dc4a943e19 Environment-variable access.
repo/packages/server/src/DataSource.ts:54
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c057562449346172 Environment-variable access.
repo/packages/server/src/DataSource.ts:55
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9950b1c4e417f7bb Environment-variable access.
repo/packages/server/src/DataSource.ts:56
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df9cff18bf880d54 Environment-variable access.
repo/packages/server/src/DataSource.ts:68
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f2969f6c12ccfe Environment-variable access.
repo/packages/server/src/DataSource.ts:69
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e9f79972a701ac0 Environment-variable access.
repo/packages/server/src/DataSource.ts:70
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05a5d09283e553b9 Environment-variable access.
repo/packages/server/src/DataSource.ts:71
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4a80eb317a8dbc2 Environment-variable access.
repo/packages/server/src/DataSource.ts:72
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5a23babbedeb976 Environment-variable access.
repo/packages/server/src/DataSource.ts:91
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45e629091a82968e Environment-variable access.
repo/packages/server/src/DataSource.ts:112
    if (process.env.DATABASE_SSL_KEY_BASE64) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04915779554c8cf7 Environment-variable access.
repo/packages/server/src/DataSource.ts:114
            rejectUnauthorized: process.env.DATABASE_REJECT_UNAUTHORIZED === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8a4a9d80119f27e Environment-variable access.
repo/packages/server/src/DataSource.ts:115
            ca: Buffer.from(process.env.DATABASE_SSL_KEY_BASE64, 'base64')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c1d472534943f02 Environment-variable access.
repo/packages/server/src/DataSource.ts:117
    } else if (process.env.DATABASE_SSL === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e31fd3ed18c29f88 Filesystem access.
repo/packages/server/src/IdentityManager.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0051f309414c859 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:60
        if (process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fb0de9cae7e910b Filesystem access.
repo/packages/server/src/IdentityManager.ts:91
            const publicKey = fs.readFileSync(path.join(__dirname, '../', 'src/enterprise/license/public.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f29540b206b009 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:103
        const LICENSE_URL = process.env.LICENSE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c0aff1d0d2d3d98 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:104
        const FLOWISE_EE_LICENSE_KEY = process.env.FLOWISE_EE_LICENSE_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4760ca4c96cccab Environment-variable access.
repo/packages/server/src/IdentityManager.ts:114
            if (process.env.OFFLINE === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0246a85ac4ed4a9f Environment-variable access.
repo/packages/server/src/IdentityManager.ts:402
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acf56bc0e3c6eb3d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:419
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c7691b35af2000d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:420
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3597f6047f0feb Environment-variable access.
repo/packages/server/src/IdentityManager.ts:421
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37087143661f0e4d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:435
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #739b3b22f5c6ee0b Environment-variable access.
repo/packages/server/src/IdentityManager.ts:436
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63e07218b8c0abff Environment-variable access.
repo/packages/server/src/IdentityManager.ts:437
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d289e015fd0b7b7a Environment-variable access.
repo/packages/server/src/IdentityManager.ts:493
                    productId = process.env.CLOUD_STARTER_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37fe944f8a663bab Environment-variable access.
repo/packages/server/src/IdentityManager.ts:496
                    productId = process.env.CLOUD_PRO_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c82a367ef3724448 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:499
                    productId = process.env.CLOUD_FREE_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #604875d2be31a95f Filesystem access.
repo/packages/server/src/NodesPool.ts:3
import { Dirent } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75a189525d16c1d8 Filesystem access.
repo/packages/server/src/NodesPool.ts:5
import { promises } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e605b6ad03d9d77 Environment-variable access.
repo/packages/server/src/NodesPool.ts:37
        const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5d39addc71df243 Environment-variable access.
repo/packages/server/src/StripeManager.ts:21
        if (!this.stripe && process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e815e8f3e76b8df Environment-variable access.
repo/packages/server/src/StripeManager.ts:22
            this.stripe = new Stripe(process.env.STRIPE_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d707d6c7867e3925 Environment-variable access.
repo/packages/server/src/StripeManager.ts:140
                return_url: `${process.env.APP_URL}/account`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69f0be842b194eb2 Environment-variable access.
repo/packages/server/src/StripeManager.ts:166
                product: process.env.CLOUD_STARTER_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a00d366aee2431fd Environment-variable access.
repo/packages/server/src/StripeManager.ts:170
                product: process.env.CLOUD_PRO_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed06bb1ffac3c93 Environment-variable access.
repo/packages/server/src/StripeManager.ts:174
                product: process.env.CLOUD_FREE_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3198ccc9129393bf Environment-variable access.
repo/packages/server/src/StripeManager.ts:178
                product: process.env.ADDITIONAL_SEAT_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #914d229e0c8acf32 Environment-variable access.
repo/packages/server/src/StripeManager.ts:201
                privacy_policy_url: `${process.env.APP_URL}/privacy-policy`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97f22a9fbba35a91 Environment-variable access.
repo/packages/server/src/StripeManager.ts:202
                terms_of_service_url: `${process.env.APP_URL}/terms-of-service`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5529548804084e9 Environment-variable access.
repo/packages/server/src/StripeManager.ts:245
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64342cdff1d78cd7 Environment-variable access.
repo/packages/server/src/StripeManager.ts:291
            const basePlanItem = subscription.items.data.find((item) => (item.price.product as string) !== process.env.ADDITIONAL_SEAT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ec6964b728d51a0 Environment-variable access.
repo/packages/server/src/StripeManager.ts:303
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f920a316a43ddad Environment-variable access.
repo/packages/server/src/StripeManager.ts:319
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55d1ec88178101b1 Environment-variable access.
repo/packages/server/src/StripeManager.ts:378
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959621b2873146d0 Environment-variable access.
repo/packages/server/src/StripeManager.ts:383
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0794a24aefa6bda Environment-variable access.
repo/packages/server/src/StripeManager.ts:463
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8898150af70b8c4b Environment-variable access.
repo/packages/server/src/StripeManager.ts:534
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdb061877538c460 Environment-variable access.
repo/packages/server/src/StripeManager.ts:546
                        plan_id: process.env.CLOUD_STARTER_ID || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e01a5739dd4d488 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:37
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad46d12d18bc00f9 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:39
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca9242dc076308b0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:41
                    url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66d70fb7bd8a62f7 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:44
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #887587ac6af5023d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:45
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cef0d2f9d2105c Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:49
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d18e870b9629e22a Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:50
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bd3e31dc686c644 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:55
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69abddc4a5c7949d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:56
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7032781f27ceb6b0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:58
                        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #923d737ea0663937 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:59
                        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6b45f5ea4e25a9c Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:60
                        tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29ce7bb4f436de5d Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:61
                        cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21bacb0bdae3c6ba Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:62
                        key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e5de920bd66d2ad Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:63
                        ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9883c55b6049c0ef Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:65
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9520374f528f1371 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:66
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f546d43d4be9fc34 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:70
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed789e48b1b3e33f Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:71
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40354f35440072a0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:147
            (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0defdca180f072a Environment-variable access.
repo/packages/server/src/commands/base.ts:217
                process.env[key] = flags[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #106aaec516079097 Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:32
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb474c3f07ccd734 Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:56
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ee98e1e37933eb4 Filesystem access.
repo/packages/server/src/controllers/get-upload-file/index.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f4615d4e61636f Environment-variable access.
repo/packages/server/src/controllers/internal-predictions/index.ts:36
    const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #2c3c9afa934ba29c Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/controllers/nvidia-nim/index.ts:17
        const response = await axios.post('https://nts.ngc.nvidia.com/v1/token', data, { headers })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #984bddcb8370f9b5 Filesystem access.
repo/packages/server/src/controllers/openai-assistants/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cab7681ae17f4fd1 Environment-variable access.
repo/packages/server/src/controllers/predictions/index.ts:67
                const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #497ac9533b71ad97 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:6
            FREE: process.env.CLOUD_FREE_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7c1c83d5701a608 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:7
            STARTER: process.env.CLOUD_STARTER_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59386c7a7440a21b Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:8
            PRO: process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #758579fa59a4a270 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:16
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b690db0c72f370ec Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:17
            redisClient = new Redis(process.env.REDIS_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d073b848584cf0f Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:20
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a434460184d30f6 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:21
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99f5eb4287ed34ec Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:22
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3e77cc509ccfdf8 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:23
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e188d99ce169f73 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:25
                    process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e2b1573fe5bb716 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:27
                              cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7d62aabe6f08ef Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:28
                              key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b71da7166882e02d Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:29
                              ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf83617755836e53 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:44
    const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c81a3af9d69965bc Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:50
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa4a2a5c4310dcd5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:51
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc778e9cc3944e70 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:52
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d16b07f94740fc5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:53
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #336bcb3051345dd5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:54
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #488fafd70431f20f Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:73
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb01626b350709d9 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:74
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79d88f6805c6341d Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:75
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4ccbbe74ed73a19 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:76
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf4625d440fede8b Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:77
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae4d184afd12d8c0 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:93
            const homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abd127d51f954407 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:153
            const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db1578b97577dd72 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:36
const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4240d41d5cc6e60e Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:42
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8c49c31045fbf08 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:44
        : process.env.SECURE_COOKIES === 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0de3954408ea2d8b Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:46
        : process.env.SECURE_COOKIES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67040a3dba67eb19 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:48
        : process.env.APP_URL?.startsWith('https')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eb9f846d34942fe Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:68
        if (process.env.MODE === 'queue') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a78e6c69263d5448 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:371
        expiryInMinutes = process.env.JWT_TOKEN_EXPIRY_IN_MINUTES ? parseInt(process.env.JWT_TOKEN_EXPIRY_IN_MINUTES) : 60

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40439a7e101fcec3 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:391
        expiryInMinutes = process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #017b120e3a3559fa Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:392
            ? parseInt(process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959d67d4dc6af042 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:155
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0f4633c1993b9f9 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:218
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e220baa79a138fe1 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:373
                const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d3152306f7a306a Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:446
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f87cb5129cdc97bb Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:637
            const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f8aca102f177902 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:638
                ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d86b8cef316e5d24 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:878
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #027a8ee471786a03 Environment-variable access.
repo/packages/server/src/enterprise/sso/Auth0SSO.ts:49
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fa59b649c210ee9 Environment-variable access.
repo/packages/server/src/enterprise/sso/AzureSSO.ts:21
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #647ad6b2349efbaf Environment-variable access.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:17
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #7b06a2fed5efcfe0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:38
                        const emailResponse = await fetch('https://api.github.com/user/emails', {
                            headers: {
                                Authorization: `token ${accessToken}`,
                                'User-Agent': 'Node.js'
                            }
                        })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c0cbd174a83bae8a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:106
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    code: 'dummy_code_for_testing'
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d13872fa5d12dc96 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:133
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    grant_type: 'refresh_token',
                    refresh_token: currentRefreshToken
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #629b24633e9b1ff5 Environment-variable access.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:20
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cfeed7868de29a4a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:141
            const response = await axios.post(
                `https://oauth2.googleapis.com/token`,
                new URLSearchParams({
                    client_id: clientID || '',
                    client_secret: clientSecret || '',
                    grant_type: 'refresh_token',
                    refresh_token: ssoRefreshToken,
                    scope: 'refresh_token'
                }).toString(),
                {
                    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
                }
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #03a404de33d1af8a Environment-variable access.
repo/packages/server/src/enterprise/utils/encryption.util.ts:6
    return parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '10', 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b3cc480b8a7e9a5 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:7
const SMTP_HOST = process.env.SMTP_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5806722cbb6cd7b1 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:8
const SMTP_PORT = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42e7b8921ba1e9b3 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:9
const SMTP_USER = process.env.SMTP_USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f073ef9e02a9dad Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:10
const SMTP_PASSWORD = process.env.SMTP_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #180f7f65a1f80400 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:13
    const port = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13ba19d2b0143c1e Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:15
        process.env.SMTP_HOST?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb808bc1e3b2541d Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:16
            process.env.SMTP_USER?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ba1ed2e141a36fe Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:17
            process.env.SMTP_PASSWORD?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebbb6b9d18fe0a8c Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:18
            process.env.SMTP_PORT &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43c5fbe2c4f0bf19 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:22
const SENDER_EMAIL = process.env.SENDER_EMAIL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2357b167e088bd49 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:23
const SMTP_SECURE = process.env.SMTP_SECURE ? process.env.SMTP_SECURE === 'true' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d955f87d2bcc83e2 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:24
const TLS = process.env.ALLOW_UNAUTHORIZED_CERTS ? { rejectUnauthorized: false } : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd0692e221d12693 Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:40
            return fs.readFileSync(userTemplatePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7d62c778d94dfa6 Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:45
    return fs.readFileSync(path.join(__dirname, '../', 'emails', defaultTemplateName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e94d26091128fd9 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:52
    const template = getEmailTemplate('workspace_add_cloud.hbs', process.env.WORKSPACE_INVITE_TEMPLATE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #194dca5b7ca271e0 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:80
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f07f2f44f0c1987 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:84
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f26b7e1ad7fd254a Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:100
    const passwordResetTemplateSource = fs.readFileSync(path.join(__dirname, '../', 'emails', 'workspace_user_reset_password.hbs'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfe5da9f518769d4 Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:80
        const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8b0ab4431abaa94 Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:85
        const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3283e93e84669e Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:86
            ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f1b31aa26ce9410 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:11
    const originalEnv = process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ea78cfe515ef8a5 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:15
            process.env.APP_URL = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5aa65c28ed72b50 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:17
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37f463087acc58c5 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:23
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d995990a471d5a44 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:28
            process.env.APP_URL = 'example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f277329cdfd306b9 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:33
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e817969cb50c4771 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:38
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beb672bbaf4ad275 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:44
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5937c18d81a9559c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:49
            process.env.APP_URL = 'http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d211dede46c5c78 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:54
            process.env.APP_URL = 'http://[::1]:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3958f6d97af0ef1e Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:59
            process.env.APP_URL = 'http://0.0.0.0:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e4a112fd6c44821 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:64
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe44de3012efc2fd Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:69
            process.env.APP_URL = 'https://example.com/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e4152a7e85f6c7 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:74
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cbdf5c06372635d Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:79
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c981d45db199b76 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:86
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9044c4fe22e82a6 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:92
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4786b5bb1179b65 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:98
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #825b09c52eb95f35 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:104
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fa2e42a715ab247 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:113
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92c42f52d787bee4 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:120
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0875539da6fa129c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:126
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97ca8702ed4d196d Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.ts:11
    const appUrl = process.env.APP_URL || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f51af8e751081ca7 Environment-variable access.
repo/packages/server/src/index.ts:137
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1c89b189876522 Environment-variable access.
repo/packages/server/src/index.ts:174
        const flowise_file_size_limit = process.env.FLOWISE_FILE_SIZE_LIMIT || '50mb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #684b34148f0fae1f Environment-variable access.
repo/packages/server/src/index.ts:184
        let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #def557d74aa620a4 Environment-variable access.
repo/packages/server/src/index.ts:223
        const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e12dfb06ef258a81 Environment-variable access.
repo/packages/server/src/index.ts:305
        if (process.env.ENABLE_METRICS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9afd3db6da5eb575 Environment-variable access.
repo/packages/server/src/index.ts:306
            switch (process.env.METRICS_PROVIDER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaad25dda9feae71 Environment-variable access.
repo/packages/server/src/index.ts:339
        if (process.env.MODE === MODE.QUEUE && process.env.ENABLE_BULLMQ_DASHBOARD === 'true' && !this.identityManager.isCloud()) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3adfd16e2a92709 Environment-variable access.
repo/packages/server/src/index.ts:346
                process.env.ADMIN_RATE_LIMIT_MESSAGE || 'Too many requests to admin dashboard, please try again later.'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2470d35678750a25 Environment-variable access.
repo/packages/server/src/index.ts:392
    const host = process.env.HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47d8080043300699 Environment-variable access.
repo/packages/server/src/index.ts:393
    const port = parseInt(process.env.PORT || '', 10) || 3000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e9ac53bcd097e6c Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:29
        if (!process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe594466d53101ab Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:33
        if (process.env.METRICS_OPEN_TELEMETRY_DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8442b3a503c09f9 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:51
                [ATTR_SERVICE_NAME]: process.env.METRICS_SERVICE_NAME || 'FlowiseAI',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebae51d9bf8be24a Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:55
            const metricProtocol = process.env.METRICS_OPEN_TELEMETRY_PROTOCOL || 'http' // Default to 'http'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75d99d169a04ee5e Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:79
                url: process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT // OTLP endpoint for metrics

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #537eb47d657074da Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:26
        const serviceName: string = process.env.METRICS_SERVICE_NAME || 'FlowiseAI'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #577e8eb5519a1de3 Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:155
        if (process.env.METRICS_INCLUDE_NODE_METRICS !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8f3e05ddaacb1c9 Environment-variable access.
repo/packages/server/src/middlewares/errors/index.ts:16
        stack: process.env.NODE_ENV === 'development' ? err.stack : {}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f35b6832e23bb550 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:5
const QUEUE_REDIS_EVENT_STREAM_MAX_LEN = process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8fec69aa8ae9e2e Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:6
    ? parseInt(process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d625aa07ce859a8 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:8
const WORKER_CONCURRENCY = process.env.WORKER_CONCURRENCY ? parseInt(process.env.WORKER_CONCURRENCY) : 100000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b3717705840e0d0 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:9
const REMOVE_ON_AGE = process.env.REMOVE_ON_AGE ? parseInt(process.env.REMOVE_ON_AGE) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cacbc6c86a2fba4 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:10
const REMOVE_ON_COUNT = process.env.REMOVE_ON_COUNT ? parseInt(process.env.REMOVE_ON_COUNT) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e851266bd738f1b Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:18
const QUEUE_NAME = process.env.QUEUE_NAME || 'flowise-queue'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ad2bd00f7d302b2 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:30
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #105a4e0e04bddb2e Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:32
            if (process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5794f9069c9efe3 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:36
            } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #425d18e3589814d6 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:38
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a898d991fb923e76 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:39
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5443a7090ae72a7 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:40
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dcc8ccca0fff003 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:44
                url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff742288b5333b5c Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:48
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a78ba5cafa463aac Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:49
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fffb5811f1da7d3a Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:54
            if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #383ff9a358ef24a8 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:56
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11e9286acbf721e0 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:57
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f95569456a83bba Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:58
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f94b3898d43bc9eb Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:62
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad0c6d1b00b2d046 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:63
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a9e2bff11a41fc3 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:64
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7403979faf47e53 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:65
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0e38f85590d4f9b Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:69
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b10539790b0a3be4 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:70
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eefcc1bfb482b572 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:60
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #587088577bd3e4cb Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:98
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5d59a17654ddbb2 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:142
        process.env.MCP_CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d13a9795583091c Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:147
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b97739c0b014485 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:180
        process.env.MCP_CORS_ORIGINS = 'https://allowed.example.com, https://also-allowed.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10184d3b8276f9a9 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:185
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3d7822697cf3ed8 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.ts:13
const mcpCorsOrigins = process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de333fc950b974a3 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:90
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #893a838617a00b11 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:91
    if (mode) process.env.MODE = mode

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69fd781ed533fb9c Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:115
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3a8e51c604a437b Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.ts:33
        this.isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31346ae86db2954c Environment-variable access.
repo/packages/server/src/schedule/ScheduleExecutor.ts:206
            baseURL: process.env.APP_URL ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90bddfe788445d49 Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:6
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdb7d26446565359 Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:85
    const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2556232994add9f Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:109
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a97d87baf3b619f Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:202
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3de17a19deeec8c8 Environment-variable access.
repo/packages/server/src/services/chat-messages/index.ts:195
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abbbf9db1e5dbc73 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:691
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7dda682f1804dd6d Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:693
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c01909909b64690f Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:694
            else process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9b28f4c09116b16 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:698
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '50'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #547913a6b0d4e2a6 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:720
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da59cbc5a368c21b Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:749
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cebead9276c8fe91 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:751
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9b9a29152b251dc Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:752
            else process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9723476b78a5ecc6 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:758
            process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = '1000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb1a806597c4588a Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:19
    const raw = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce4fef4f68e9ba25 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:27
    const raw = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0828672fedd47f1 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:699
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5fff95379ac8823 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:907
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #987e5d3adc40e611 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:1326
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9fb68ba1db92b0c Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2057
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52128979869fa984 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2132
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8101c33faa4b8f67 Environment-variable access.
repo/packages/server/src/services/export-import/index.ts:891
                            const baseURL = process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5b3560ea2403a2a Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:18
        if (process.env.DEBUG === 'true') console.info(`Start ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c38671710a81314f Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:20
        if (process.env.DEBUG === 'true') console.info(`Finish ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd1460c9d92a2584 Filesystem access.
repo/packages/server/src/services/log/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a62e89c70218536d Environment-variable access.
repo/packages/server/src/services/log/index.ts:73
            const filePath = process.env.LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b57a87671a776ec9 Environment-variable access.
repo/packages/server/src/services/log/index.ts:74
                ? path.resolve(process.env.LOG_PATH, `server.log.${date}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b33dc7be1f3324c1 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60c807671caacd1c Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:37
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efb32f728711e391 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:58
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6717f8e8f210b3b9 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:99
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #776ef93b4b2a6591 Environment-variable access.
repo/packages/server/src/services/nodes/index.ts:149
    if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e722965897dec578 Environment-variable access.
repo/packages/server/src/services/schedule/utils.ts:10
const MIN_SCHEDULE_INTERVAL_SECONDS = Math.max(1, parseInt(process.env.MIN_SCHEDULE_INTERVAL_SECONDS || '60', 10) || 60)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85ae1412ed40192e Filesystem access.
repo/packages/server/src/services/versions/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b05a7cbfe7090ef2 Filesystem access.
repo/packages/server/src/services/versions/index.ts:29
            const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f5d8ca2d57ece5a Environment-variable access.
repo/packages/server/src/services/webhook-listener/registry.ts:217
    if (process.env.MODE === MODE.QUEUE && redisEventSubscriber) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #485661b654917fd3 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:22
    const SAVED_CORS_ORIGINS = process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7d6187874f0069e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:23
    const SAVED_CORS_ALLOW_CREDENTIALS = process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0f463cee431747e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:26
        if (SAVED_CORS_ORIGINS !== undefined) process.env.CORS_ORIGINS = SAVED_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32bd6ffc7cc67f92 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:27
        else delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40e70c7a37b9c70c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:28
        if (SAVED_CORS_ALLOW_CREDENTIALS !== undefined) process.env.CORS_ALLOW_CREDENTIALS = SAVED_CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4746e381fb06ca9 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:29
        else delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5963b527ce4c17bd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:33
        if (corsOrigins === undefined) delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae106048be37797a Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:34
        else process.env.CORS_ORIGINS = corsOrigins

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf90f7248e5868d8 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:35
        if (corsAllowCredentials === undefined) delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18b500b23a91563e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:36
        else process.env.CORS_ALLOW_CREDENTIALS = corsAllowCredentials

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db0990dc312cb4ac Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:71
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1dc23cfe46b58f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:72
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14ac0bb5613a5ed Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:78
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f264fd18fbcdfdb3 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:79
            delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1620bffa9d136f5 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:85
            process.env.CORS_ORIGINS = 'https://trusted.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6b5048687dec854 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:86
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #615b66521bc5c982 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:94
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cbb5b7014226588 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:99
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2445e330cc719a3c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:101
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3313557e4bc94a9 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:107
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43db710ea503a068 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:112
            process.env.IFRAME_ORIGINS = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce86bb453904257 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:117
            process.env.IFRAME_ORIGINS = '   '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a59f23cd498582e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:124
            process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43e1e5c4dbc442bc Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:129
            process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2aa1a4d002c5824b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:134
            process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6195c784ff555916 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:141
            process.env.IFRAME_ORIGINS = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6ae9cc161e087b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:146
            process.env.IFRAME_ORIGINS = '  https://example.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7897e897a5265dfd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:153
            process.env.IFRAME_ORIGINS = 'https://domain1.com,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #512087d8878fc86e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:158
            process.env.IFRAME_ORIGINS = 'https://domain1.com, https://domain2.com, https://domain3.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30b102d563746cb4 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:163
            process.env.IFRAME_ORIGINS = '  https://app.com  ,  https://admin.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f49cd2edf1fcbcac Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:170
            process.env.IFRAME_ORIGINS = 'https://localhost:3000,https://localhost:4000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8376ee7f5f1c1820 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:175
            process.env.IFRAME_ORIGINS = 'https://example.com/path1,https://example.com/path2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7797d247a31572d7 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:180
            process.env.IFRAME_ORIGINS = 'http://example.com,https://secure.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5411de45bfd6ee1f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:185
            process.env.IFRAME_ORIGINS = 'https://example.com,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69120bbe5b1aafef Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:190
            process.env.IFRAME_ORIGINS = ',https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbc6f0ee53f52d1f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:195
            process.env.IFRAME_ORIGINS = 'https://domain1.com,,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ed2499f15b24a10 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:202
            process.env.IFRAME_ORIGINS = 'https://app.example.com,https://admin.example.com,https://dashboard.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd12d9f197f1b9cc Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:207
            process.env.IFRAME_ORIGINS = 'http://localhost:3000,http://localhost:3001,http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a822d1b073d8b8c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:212
            process.env.IFRAME_ORIGINS = "'self',https://trusted.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fd90cda39fa237e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:219
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e3c1eaeefa86102 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:223
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff288a74c5d6235b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:225
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5814e795091ccf0e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:230
        process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c92ef07c983ca54 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:237
        process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e6285bbc50b566c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:245
        process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c91cd886460c86dd Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:253
        process.env.IFRAME_ORIGINS = 'https://embed.example.com,https://admin.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd36f7bbf22b6db7 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:26
    return process.env.CORS_ORIGINS ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84f774d7cc02a49 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:30
    return process.env.CORS_ALLOW_CREDENTIALS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c25969220c16fe14 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:34
    const appUrl = process.env.APP_URL?.trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b13d2a55ab1b6386 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:161
    const origins = (process.env.IFRAME_ORIGINS?.trim() || undefined) ?? "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbb2ab334fa40f6c Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:174
const MAX_LOOP_COUNT = process.env.MAX_LOOP_COUNT ? parseInt(process.env.MAX_LOOP_COUNT) : 10

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c809ee91507708d Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:1912
    const maxIterations = process.env.MAX_ITERATIONS ? parseInt(process.env.MAX_ITERATIONS) : 1000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04be72b4dad55868 Environment-variable access.
repo/packages/server/src/utils/buildChatflow.ts:1084
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05eecc595582a2f3 Environment-variable access.
repo/packages/server/src/utils/config.ts:10
    dir: process.env.LOG_PATH ?? path.join(__dirname, '..', '..', 'logs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0642ad8456571b1e Environment-variable access.
repo/packages/server/src/utils/config.ts:12
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3083992e9a33250f Environment-variable access.
repo/packages/server/src/utils/config.ts:17
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2a3471ecc2dc61e Filesystem access.
repo/packages/server/src/utils/index.ts:6
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #692cbbc71fbbd259 Environment-variable access.
repo/packages/server/src/utils/index.ts:76
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7c9e77eca94d951 Environment-variable access.
repo/packages/server/src/utils/index.ts:78
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5867cf6fc058d599 Environment-variable access.
repo/packages/server/src/utils/index.ts:79
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bb92c82efc76e1a Environment-variable access.
repo/packages/server/src/utils/index.ts:80
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9335f0f00bc03ff Environment-variable access.
repo/packages/server/src/utils/index.ts:120
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a126849c4934b142 Environment-variable access.
repo/packages/server/src/utils/index.ts:125
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #712db78273b688b7 Environment-variable access.
repo/packages/server/src/utils/index.ts:852
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03f9fd5750e52317 Environment-variable access.
repo/packages/server/src/utils/index.ts:1554
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79042c03ef065c30 Environment-variable access.
repo/packages/server/src/utils/index.ts:1555
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24843c782549cc4b Environment-variable access.
repo/packages/server/src/utils/index.ts:1558
        const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e8ed596c1038330 Filesystem access.
repo/packages/server/src/utils/index.ts:1581
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3536dfc12f7c0277 Environment-variable access.
repo/packages/server/src/utils/index.ts:1584
        const defaultLocation = process.env.SECRETKEY_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec1347bfcfab1179 Environment-variable access.
repo/packages/server/src/utils/index.ts:1585
            ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f17be6af37e1337 Filesystem access.
repo/packages/server/src/utils/index.ts:1587
        await fs.promises.writeFile(defaultLocation, encryptKey)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00e3187dd1e4f9c1 Environment-variable access.
repo/packages/server/src/utils/index.ts:1670
    return process.env.SECRETKEY_PATH ? process.env.SECRETKEY_PATH : path.join(getUserHome(), '.flowise')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b06fdb1318e89f13 Environment-variable access.
repo/packages/server/src/utils/index.ts:1697
    const envVal = process.env[envKey]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d2ab1ece08c33d1 Environment-variable access.
repo/packages/server/src/utils/index.ts:1704
        const prefix = process.env.SECRETKEY_AWS_AUTH_PREFIX || 'Flowise'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d24728121de76ed Filesystem access.
repo/packages/server/src/utils/index.ts:1729
        return await fs.promises.readFile(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e91117d8f379d88 Filesystem access.
repo/packages/server/src/utils/index.ts:1735
        await fs.promises.writeFile(filePath, value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #945a42eaa657ca7b Filesystem access.
repo/packages/server/src/utils/index.ts:1981
        const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099a9efb68053a78 Environment-variable access.
repo/packages/server/src/utils/index.ts:2019
    return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5763563bd916b69f Environment-variable access.
repo/packages/server/src/utils/index.ts:2020
        ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3372fa9bcd55e7c Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:127
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70ef9d9eba62833 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:128
            process.env.LOG_SANITIZE_BODY_FIELDS = 'password,secret'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8db3d8eb8abc8d0 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:129
            process.env.LOG_SANITIZE_HEADER_FIELDS = 'authorization'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1162457906f2da9a Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:146
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a12fcbbfd04c34 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:147
            delete process.env.LOG_SANITIZE_BODY_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b04356c91e438bea Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:148
            delete process.env.LOG_SANITIZE_HEADER_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c50fe70cb853a068 Filesystem access.
repo/packages/server/src/utils/logger.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #678f1bd81e0e5169 Environment-variable access.
repo/packages/server/src/utils/logger.ts:40
    exceptionHandlers: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...errorTransports],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d8894a736537f67 Environment-variable access.
repo/packages/server/src/utils/logger.ts:42
        ...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcaf2f7a69f37165 Environment-variable access.
repo/packages/server/src/utils/logger.ts:45
        ...((!process.env.DEBUG || process.env.DEBUG !== 'true') && errorTransports.length === 0 ? [new transports.Console()] : [])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f24d51bc0a3e3e4c Environment-variable access.
repo/packages/server/src/utils/logger.ts:54
    transports: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...requestTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a98a97b3de07236 Environment-variable access.
repo/packages/server/src/utils/logger.ts:58
    if (!process.env.LOG_SANITIZE_BODY_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc6500dd7fede1fc Environment-variable access.
repo/packages/server/src/utils/logger.ts:59
    return (process.env.LOG_SANITIZE_BODY_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25a92b880df5a790 Environment-variable access.
repo/packages/server/src/utils/logger.ts:66
    if (!process.env.LOG_SANITIZE_HEADER_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9d1a5556a3501a6 Environment-variable access.
repo/packages/server/src/utils/logger.ts:67
    return (process.env.LOG_SANITIZE_HEADER_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70acaa051ad743bd Environment-variable access.
repo/packages/server/src/utils/logger.ts:96
        const isDebugLevel = logger.level === 'debug' || process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6251e81dce196ab8 Environment-variable access.
repo/packages/server/src/utils/logger.ts:151
    transports: [...(process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...auditTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d84df1d90cf90f6 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:44
    delete process.env.OAUTH2_SECURITY_CHECK

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17bacc65bf9ca7eb Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:45
    delete process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61a68908cef45a55 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:63
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom.example.com, another.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4015b1991054659 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:73
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'github.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cfc611726f0ebc3 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:80
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afa30cf58d758ccf Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:81
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'my.corp.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8a63a4ae60dd048 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:87
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e56dc3efda058708 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:93
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = '  MyDomain.COM , UPPER.IO  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59abb1571f7d4f90 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:100
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = ',,,valid.com,,,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48ae34a94734d74d Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:137
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom-idp.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faff9f5cec7ad2aa Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:148
            process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fa9f1cbc09dc302 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:156
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb6510eecddaa9d3 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:161
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee66375a39cd248d Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:166
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'myidp.local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27f4f4988e1a0c38 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:4
    return (process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #396bdfcf3bc7a89a Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:21
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #150b2408b0e1a6bd Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:49
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f442bad59d039d4b Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:25
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd49200ac4a0f82c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:26
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af1275c8119b1a1c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:27
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a739fee50b702d7 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:29
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38175a94837a6657 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:30
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fb017f444343593 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:35
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #befcb05dd30319de Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:36
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a689ad70156a68d Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:37
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4eab4401f7b6243 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:38
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ed1607946bc13be Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:40
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #374fc7686eb73c4d Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:42
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a761c482799cc6b3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:43
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #063062e5570f1f70 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:44
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cad37cecd6c4970 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:48
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09141844111f105f Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:49
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #959e14fe903c118c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:60
        if (process.env.REDIS_URL && process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5000e85e388e47e Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:64
        } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f68df291f58e80a9 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:66
                cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #530e5ace396dc3a3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:67
                key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a0ba526461c5381 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:68
                ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9f6bdb3ae5af0e9 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:72
            url: process.env.REDIS_URL || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d096d5e6051b1deb Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:73
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619ffd90f103cf1e Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:74
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a29447c022120e4 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:75
            username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68ab643daf9b27b3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:76
            password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5159a92b5daa4730 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:81
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d670043eee44f2dc Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:82
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4f8ba7fb1e67cb6 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:97
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #926170138a70d7bc Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:160
        if (!isInitialized && process.env.MODE === MODE.QUEUE && this.queueEventsProducer) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75ad95afed5e5100 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:184
        if (process.env.MODE === MODE.QUEUE && this.queueEvents) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #624ea4dfc61546cb Environment-variable access.
repo/packages/server/src/utils/redis.ts:4
    const keepAliveRaw = process.env.REDIS_KEEP_ALIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40dcc5c52923224 Environment-variable access.
repo/packages/server/src/utils/redis.ts:7
    if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40275ba6a955adc4 Environment-variable access.
repo/packages/server/src/utils/redis.ts:9
            url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0218ef1bb175e85 Environment-variable access.
repo/packages/server/src/utils/redis.ts:16
        username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0abb2f98c7ae4c5b Environment-variable access.
repo/packages/server/src/utils/redis.ts:17
        password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6331133c6ad2462f Environment-variable access.
repo/packages/server/src/utils/redis.ts:19
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d0ddc1c1f2ccf68 Environment-variable access.
repo/packages/server/src/utils/redis.ts:20
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80dd83f40475d2dc Environment-variable access.
repo/packages/server/src/utils/redis.ts:21
            tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa151befbf3d0b80 Environment-variable access.
repo/packages/server/src/utils/redis.ts:22
            cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b45a2dd00bb2ae3e Environment-variable access.
repo/packages/server/src/utils/redis.ts:23
            key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #274c6b6564963cbe Environment-variable access.
repo/packages/server/src/utils/redis.ts:24
            ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58fc754fe3266b40 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:67
            delete process.env.POSTHOG_PUBLIC_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4738596d348d180 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:74
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84c15b93f38d61af Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:97
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a3676506ea0cb85 Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:18
        if (process.env.POSTHOG_PUBLIC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af770e4230194aa2 Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:19
            this.postHog = new PostHog(process.env.POSTHOG_PUBLIC_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a70c00d24c84882b Environment-variable access.
repo/packages/server/src/utils/upsertVector.ts:307
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/agentflow

npm first-party
high pii_flow production #c8953379881896e7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37 · flow /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:26 → /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37
            const res = await fetch(`${apiBaseUrl}/api/v1/chatflows`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify(body)
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0f512be2062222ed User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/agentflow/examples/src/TestRunDialog.tsx:44 · flow /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/TestRunDialog.tsx:32 → /tmp/closeopen-d65y7tid/repo/packages/agentflow/examples/src/TestRunDialog.tsx:44
            const res = await fetch(`${apiBaseUrl}/api/v1/internal-prediction/${agentflowId}`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify({ question: question.trim(), streaming: true, chatId })
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

first-party (npm): packages/ui

npm first-party
high pii_flow production #248c3d8393836233 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 · flow /tmp/closeopen-d65y7tid/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 → /tmp/closeopen-d65y7tid/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
            getWorkspacesByUserIdApi.request(dialogProps.data.userId)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #62ea03f5d7d161ab User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274 · flow /tmp/closeopen-d65y7tid/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 → /tmp/closeopen-d65y7tid/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
            updateChatflowApi.request(chatflow.id, updateBody)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)
low egress production #d5a7adbd1d5263b2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/layout/MainLayout/Header/index.jsx:202
                    const response = await fetch('https://api.github.com/repos/FlowiseAI/Flowise')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #7eda2c56de08e99a Environment-variable access.
repo/packages/ui/src/serviceWorker.js:90
    if (process.env.NODE_ENV === 'production' && 'serviceWorker' in navigator) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0435081b09252752 Environment-variable access.
repo/packages/ui/src/serviceWorker.js:92
        const publicUrl = new URL(process.env.PUBLIC_URL, window.location.href)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f5441363f57b623 Environment-variable access.
repo/packages/ui/src/serviceWorker.js:101
            const swUrl = `${process.env.PUBLIC_URL}/service-worker.js`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #f9c4bd12ec071719 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/ui-component/dialog/AboutDialog.jsx:16
            const latestReleaseReq = axios.get('https://api.github.com/repos/FlowiseAI/Flowise/releases/latest')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #891ac636eb46123f Environment-variable access.
repo/packages/ui/vite.config.js:47
            port: process.env.VITE_PORT ?? 8080,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d37b547000ec0c4 Environment-variable access.
repo/packages/ui/vite.config.js:48
            host: process.env.VITE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/components

npm first-party
high pii_flow production #89756c5e3550cd36 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132 · flow /tmp/closeopen-d65y7tid/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 → /tmp/closeopen-d65y7tid/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
        const response = await fetch(this.apiUrl, {
            method: 'POST',
            body: formData,
            headers
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 324 low-confidence finding(s)
low env_fs production #4b076d55f6bee101 Environment-variable access.
repo/packages/components/nodes/agents/ConversationalAgent/ConversationalAgent.ts:283
        verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b116b305e90ffe88 Environment-variable access.
repo/packages/components/nodes/agents/ConversationalRetrievalToolAgent/ConversationalRetrievalToolAgent.ts:360
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8034be4b2e50995 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:104
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0c5524e7e8a6988 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:113
        const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf08e94e24fd4fc7 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:115
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5048b0ac11e4783c Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:130
                verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #638e821857d2f70c Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:157
            const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ea78ef7fb368c1b Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentChat/ReActAgentChat.ts:132
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe2ba37a6c920ece Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentLLM/ReActAgentLLM.ts:105
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76f07138b9097ca0 Environment-variable access.
repo/packages/components/nodes/agents/ToolAgent/ToolAgent.ts:359
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56d05c42b5244cbe Environment-variable access.
repo/packages/components/nodes/agents/XMLAgent/XMLAgent.ts:284
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35b04a28331518b4 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:130
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c332e25a77efb53 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:131
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12bb2c69eb3ed764 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:138
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612b2d7395c76d2e Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:139
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4552ea41959fde88 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:87
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7ca2a6106d3b5d3 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:88
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2b281719db9b2b4 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:95
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0632c638295e41b2 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:96
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b26b7ee5754fc79a Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/GETApiChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa83328e417434a3 Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/OpenAPIChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea0fc8a7a0dbe17c Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/POSTApiChain.ts:124
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4d00cb74334538a Environment-variable access.
repo/packages/components/nodes/chains/ConversationChain/ConversationChain.ts:139
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e69bf2fceb913e8 Environment-variable access.
repo/packages/components/nodes/chains/ConversationalRetrievalQAChain/ConversationalRetrievalQAChain.ts:229
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf426b082a282662 Environment-variable access.
repo/packages/components/nodes/chains/GraphCypherQAChain/GraphCypherQAChain.ts:423
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #035e955075b15545 Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:109
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed2c7f8036e5cbd5 Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:117
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5641692bea26d896 Environment-variable access.
repo/packages/components/nodes/chains/MultiPromptChain/MultiPromptChain.ts:71
            llmChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf95ef2838c3cd97 Environment-variable access.
repo/packages/components/nodes/chains/MultiRetrievalQAChain/MultiRetrievalQAChain.ts:79
            retrievalQAChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false, returnSourceDocuments }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95739800b897d44b Environment-variable access.
repo/packages/components/nodes/chains/RetrievalQAChain/RetrievalQAChain.ts:58
        const chain = RetrievalQAChain.fromLLM(model, vectorStoreRetriever, { verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5bad702c3217a72 Environment-variable access.
repo/packages/components/nodes/chains/SqlDatabaseChain/SqlDatabaseChain.ts:245
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #3208bd6e59c2d026 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/chains/VectaraChain/VectaraChain.ts:312
            const response = await fetch(`https://api.vectara.io/v1/query`, {
                method: 'POST',
                headers: headers?.headers,
                body: JSON.stringify(data)
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8ad2262e57a3bfa2 Environment-variable access.
repo/packages/components/nodes/chains/VectorDBQAChain/VectorDBQAChain.ts:60
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cd54d8bf072301a Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63fd156095db524a Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:9
        const raw = JSON.parse(fs.readFileSync(modelsPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f1736a964ae35ae Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #332dfc683d0d94da Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10f406ae729e551e Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e66ded32c9f1ed1e Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:13
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d411d685d9834219 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:153
                    if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc0edf194d31bdc4 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:166
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #984501f72aee81ed Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:175
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71bd75d4e4aa9178 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:186
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #523bf6e0508aa650 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:192
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf3c02f6e5194686 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:194
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3aca0d18e4f69c3 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:7
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #656aa36059e4ba80 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:127
                    fs.writeFileSync(tempFilePath, fileData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #591fd54d513c8e0c Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:139
                    fs.writeFileSync(tempFilePath, fileBuffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd12d461c35355e3 Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5d9951a0d9bbbea2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:227
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c9d0bbd509012618 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:454
            const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8b9065b7b3ada0e5 Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:702
        fs.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e4cf2d509b244d5f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleSheets/GoogleSheets.ts:155
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3ee6c0640da01271 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:194
                const executablePath = process.env.PLAYWRIGHT_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #266d7b15d369ca5f Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:235
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ec4f5629a2d59a2 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:242
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61634ec50bb46520 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:253
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e11e91fbc28577d3 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:262
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d1a26997b52aa4f Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:264
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e61e90fc3f119986 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:185
                const executablePath = process.env.PUPPETEER_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1af30e2d0e5a5819 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:226
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac154129f9e17a5f Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:233
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f80a6e0d138b3dc5 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:244
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c00a9d0784a7283a Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:253
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2d7100a81774418 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:255
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a05bcd3d0448317 Filesystem access.
repo/packages/components/nodes/documentloaders/S3Directory/S3Directory.ts:217
                        fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3e7a574c93b15ba Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:130
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9bc4b6696e47ff1 Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:131
                optional: !!process.env.UNSTRUCTURED_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77692eecf700fc41 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:784
                    fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #296dc4020f4712a5 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:1020
        fsDefault.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6cd275505c70228 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:30
    private apiUrl = process.env.UNSTRUCTURED_API_URL || 'https://api.unstructuredapp.io/general/v0/general'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56d04b604bc6bece Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:32
    private apiKey: string | undefined = process.env.UNSTRUCTURED_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84519f14eb4d0569 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:57
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #263da845f05206b5 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:58
                optional: !!process.env.UNSTRUCTURED_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9af40d57612af8de Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:6
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23849db1d528b0b4 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:7
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8847d6df9e04e5f3 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:8
    (!!process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME || !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56870aeaecc2f981 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:9
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6edabb820a65f9c2 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:9
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9123c05df35981d Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5272865f0d0f884 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ed86a6ece49ae38 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fae21ce63475d033 Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/AgentMemory.ts:138
                : path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #902c8637a36f9d5f Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/SQLiteAgentMemory/SQLiteAgentMemory.ts:72
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50b97802e9b04335 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:144
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a93be6a5a2a326ab Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:145
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63a9e0f6ca6aaf23 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:151
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a59c3d4f17b7fa3f Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:152
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #871969a3fb3ad8f2 Environment-variable access.
repo/packages/components/nodes/multiagents/Worker/Worker.ts:235
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fe6fa9673b012ae Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:10
const serverCredentialsExists = !!process.env.POSTGRES_RECORDMANAGER_USER && !!process.env.POSTGRES_RECORDMANAGER_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #279f24c1e8e2d4dc Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:139
        const user = getCredentialParam('user', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #630febba6bc7a756 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:140
        const password = getCredentialParam('password', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e6f35801a2a59b4 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_RECORDMANAGER_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06fdf4dad8b6ef70 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_RECORDMANAGER_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #198e27faa0978e59 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_RECORDMANAGER_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e8ad303cc80e142 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_RECORDMANAGER_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d250f70d5f427b3 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_RECORDMANAGER_TABLE_NAME, 'upsertion_records')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6dc84be7043c463 Environment-variable access.
repo/packages/components/nodes/recordmanager/SQLiteRecordManager/SQLiteRecordManager.ts:124
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #26a9d5dcadaa72b2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/CohereRerankRetriever/CohereRerank.ts:44
            let returnedDocs = await axios.post(this.COHERE_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #778ec20425ab82db Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/JinaRerankRetriever/JinaRerank.ts:39
            let returnedDocs = await axios.post(this.JINA_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #9fcb9028b2d556f6 Environment-variable access.
repo/packages/components/nodes/retrievers/MultiQueryRetriever/MultiQueryRetriever.ts:75
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #86854626a643408d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/VoyageAIRetriever/VoyageAIRerank.ts:40
            let returnedDocs = await axios.post(this.VOYAGEAI_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ffbc8f32066befa6 Environment-variable access.
repo/packages/components/nodes/sequentialagents/Agent/Agent.ts:690
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8e328617ca55417 Environment-variable access.
repo/packages/components/nodes/tools/Arxiv/Arxiv.ts:119
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23cec70ed7e64e3d Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:77
                    process.env.CUSTOM_MCP_PROTOCOL === 'sse'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02772cf4845f88b9 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:176
            if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2871585975299d70 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:186
            if (process.env.CUSTOM_MCP_PROTOCOL === 'stdio' && serverParams!.command) toolkit = new MCPToolkit(serverParams, 'stdio')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #b09511d2eef85e7d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/tools/MCP/Pipedream/PipedreamMCP.ts:212
            const response = await axios.post('https://api.pipedream.com/v1/oauth/token', body, {
                headers: {
                    'Content-Type': 'application/json'
                }
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4f6746cbcf5fcceb Environment-variable access.
repo/packages/components/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts:109
        if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9390141fce7e4dca Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:416
        const originalAllowList = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72a90b65b0cba39c Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:420
                delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ad1f2ece17924e8 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:422
                process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = originalAllowList

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82ca60921a83825d Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:427
            delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4da9a14e46afb0e4 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:435
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b81c9470eb82b44d Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:447
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #382f911734c8cf41 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:455
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR,API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dfc727a022e54dd Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:464
        const originalAllowedCommands = process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6206d0a74be893dc Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:469
            process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'node,npx,python,python3,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5d2700e8afb041f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:474
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fff87007db675637 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:476
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = originalAllowedCommands

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06ddffa2c877ca5f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:536
            const original = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #671a2cad506e8a96 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:537
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_TOKEN'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccfefacf6b6a223b Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:549
                    delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d38c4eeb0a348c8 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:551
                    process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = original

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66f3b48261d2241f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:577
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1b2978c8a6553b5 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:588
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'python3'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd21108494190a70 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:599
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'npx,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0210d2b958c1011f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:610
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = ' node , npx '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d03cff5471d30151 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:48
                    PATH: process.env.PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd117de245cca104 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:258
        (process.env.CUSTOM_MCP_ALLOWED_ENV_VARS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f340dfc676526fe Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:390
    const allowedCommands = (process.env.CUSTOM_MCP_ALLOWED_COMMANDS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b25e61bc5760836 Environment-variable access.
repo/packages/components/nodes/vectorstores/Pinecone/Pinecone_LlamaIndex.ts:238
        this.chunkSize = params?.chunkSize ?? Number.parseInt(process.env.PINECONE_CHUNK_SIZE ?? '100')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7506114e0fd0e4 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/Postgres.ts:13
const serverCredentialsExists = !!process.env.POSTGRES_VECTORSTORE_USER && !!process.env.POSTGRES_VECTORSTORE_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de2d36dce050aee6 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:68
        const user = getCredentialParam('user', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #138a7daabd07a950 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:69
        const password = getCredentialParam('password', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfbfdbae6477037e Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_VECTORSTORE_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee0015a9eeac4cb7 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_VECTORSTORE_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01aa9cb8dae825c9 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_VECTORSTORE_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df8f3f4ee47dec02 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_VECTORSTORE_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80e6fc419d288b3c Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_VECTORSTORE_TABLE_NAME, 'documents')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de3cb9afae8dfe42 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:24
    return defaultChain(nodeData?.inputs?.contentColumnName, process.env.POSTGRES_VECTORSTORE_CONTENT_COLUMN_NAME, 'pageContent')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38830ec90444eccb Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:28
    return defaultChain(nodeData?.inputs?.schemaName, process.env.POSTGRES_VECTORSTORE_SCHEMA_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ce05458ffbc811e Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:154
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a3c94286ea5ea9d Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:155
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4029559a54343299 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:159
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0d9ac23827f48d3 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:160
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df2e8721aba79eef Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:172
                    if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6be7ee4918b02d48 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:231
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72e85186d989417f Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:232
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e353f12a9305a78d Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:236
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba55290d20401cf8 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:237
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cb9367bf0350256 Environment-variable access.
repo/packages/components/src/handler.test.ts:388
        for (const k of LANGSMITH_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df961c5bfa6e7f3b Environment-variable access.
repo/packages/components/src/handler.test.ts:389
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf0a3e720147dea6 Environment-variable access.
repo/packages/components/src/handler.test.ts:390
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91c283e982c65651 Environment-variable access.
repo/packages/components/src/handler.test.ts:391
        process.env.LANGSMITH_API_KEY = 'test-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d3d5d30ce72dc5d Environment-variable access.
repo/packages/components/src/handler.test.ts:397
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80464e417056f7f2 Environment-variable access.
repo/packages/components/src/handler.test.ts:400
            if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a4741367974eaa5 Environment-variable access.
repo/packages/components/src/handler.ts:81
        if (process.env.DEBUG === 'true') console.error(`Error setting up Arize tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc6aca44e0e8224b Environment-variable access.
repo/packages/components/src/handler.ts:135
        if (process.env.DEBUG === 'true') console.error(`Error setting up Phoenix tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60fd14c6862c6a1f Environment-variable access.
repo/packages/components/src/handler.ts:179
        if (process.env.DEBUG === 'true') console.error(`Error setting up Opik tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85e4a2aae4b209c1 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:36
    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e70480248467c982 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:37
    const httpDenyListString = process.env.HTTP_DENY_LIST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25c99e31a265f0f8 Filesystem access.
repo/packages/components/src/modelLoader.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ace747858e13882 Environment-variable access.
repo/packages/components/src/modelLoader.ts:38
        process.env.MODEL_LIST_CONFIG_JSON ?? 'https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61e1258349cc122e Filesystem access.
repo/packages/components/src/modelLoader.ts:48
            const models = await fs.promises.readFile(modelFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3209edeb6bcfa6b5 Filesystem access.
repo/packages/components/src/modelLoader.ts:55
        const models = await fs.promises.readFile(getModelsJSONPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bb1ddb48763094a Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:40
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #939b75e67a439677 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:41
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f774bdec3e0d6be Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:42
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f991e5589ca222e Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:43
        const containerName = process.env.AZURE_BLOB_STORAGE_CONTAINER_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eb1f9deddbf8669 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:265
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1be036cec110e71 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:276
            storageConfig.accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #940879cca5076a01 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:277
            storageConfig.accessKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ebaee50e548c11c Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:285
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f15ed309e0b69ff0 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:286
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a787ef4bef91266 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:287
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c02924dcfe74b522 Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:63
        const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb9be33bbea83eda Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:64
            ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e0839899173a76d Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:32
        const keyFilename = process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecc9ed94ed9b98ea Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:33
        const projectId = process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fc529bac1019c30 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:34
        const bucketName = process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb75cf25987df951 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:333
                uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7795ee91cda0ee8 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c56740f5a91c928 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:40
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6bd0744905dd48 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:60
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3029aea3469df4c9 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:74
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29c15e98db65e1aa Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:81
        return fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fc9f2b3068bc9e0 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:88
            return fs.readFileSync(fileInStorage)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0083d6810ec52492 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:114
                    return fs.readFileSync(targetPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa95624fddd7249a Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:344
        return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8db47be1fa30b964 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:345
            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31a1a5e9dbee6f30 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:350
        return process.env.HOME || process.env.USERPROFILE || process.env.HOMEPATH || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce97cd426e22d551 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:34
        const accessKeyId = process.env.S3_STORAGE_ACCESS_KEY_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6ce64b26af1c8eb Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:35
        const secretAccessKey = process.env.S3_STORAGE_SECRET_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #341bb818e66c94d4 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:36
        const region = process.env.S3_STORAGE_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1d5604b1e7fbf74 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:37
        const bucket = process.env.S3_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #686fbc121f29623d Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:38
        const customURL = process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d92a13bd96abd122 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:39
        const forcePathStyle = process.env.S3_FORCE_PATH_STYLE === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc1a738360842dae Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:73
            region: process.env.S3_STORAGE_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee08c19ad15e1017 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:74
            endpoint: process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6760964f5efff1f3 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:536
            const instance = process.env.HOSTNAME || process.env.POD_NAME || String(process.pid)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67870308526ce6c9 Environment-variable access.
repo/packages/components/src/storage/StorageProviderFactory.ts:20
            const storageType = process.env.STORAGE_TYPE || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9748fe2dadf986fd Filesystem access.
repo/packages/components/src/storageUtils.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55fc4ecd43dad019 Environment-variable access.
repo/packages/components/src/storageUtils.ts:51
    const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2c6cefad540b13b Environment-variable access.
repo/packages/components/src/storageUtils.ts:52
        ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c1cd68e39996c50 Environment-variable access.
repo/packages/components/src/storageUtils.ts:64
    return process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaba4c1b71005a99 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:21
    for (const k of ENV_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2eec5b17aa25eef Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:28
    for (const k of ENV_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84c43df5b3fd596c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:37
        if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd768c7ef541dc78 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:48
        process.env.LANGSMITH_TRACING = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2f2f295cc29e12f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:49
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30505d6b4f0c95d1 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:52
        process.env.LANGSMITH_TRACING = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0ae44c66117501e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:55
        process.env.LANGSMITH_TRACING = 'TRUE'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4edb73a4a9219278 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:60
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a917c27afb3d7741 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:65
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3e8c1164610ea6a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:66
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9a209894e1bc05a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:75
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ee3cfabadd1fa8c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:76
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aae42a96188a35dd Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:77
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a31479ac44220f2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:78
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c7b0731a648c73e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:87
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1552804beb59a320 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:88
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4f4200a6b840847 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:89
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dc8ee4dab1c9270 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:90
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #409a602fca88167a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:91
        process.env.LANGSMITH_ENDPOINT = 'https://new.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff86b3bf8c47480a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:92
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3df47a83ffec7b6 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:93
        process.env.LANGSMITH_PROJECT = 'new-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab4f479ff064405c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:94
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50be93c40a8f3f1a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:103
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52a50b13c281c267 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:104
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8897d5c9864c4e9 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:113
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a745caf321e1737e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:114
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd0c49142c9f9d96 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:115
        process.env.LANGSMITH_ENDPOINT = 'https://api.smith.langchain.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3927b2c850ac79e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:116
        process.env.LANGSMITH_PROJECT = 'my-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #812b1e6bef3a01fa Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:129
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #818c26ef74129090 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:130
        process.env.LANGSMITH_API_KEY = 'k1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d67f2ba6296977b Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:135
        process.env.LANGSMITH_API_KEY = 'k2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #503beded48a7e4ac Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:144
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c27e0c669b58b31f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:145
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61d7aa74336d0cb6 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:152
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d4fbdc63021367c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:153
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b0b180793e096cb Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:197
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7abb527943572057 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:198
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9ed670fef34adf2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:212
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b86e38625595eaca Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:213
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cdda6265840e647 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:214
        process.env.LANGSMITH_ENDPOINT = 'https://e.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54a2cfa15f48d6c0 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:215
        process.env.LANGSMITH_PROJECT = 'proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84ce29ed14bb26dc Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:233
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63f041e362fbc96c Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:234
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e99ffca2e7c431d Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:245
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dc1f4f2551c2fa9 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:246
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #775dc86cef9d50bc Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:259
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d6f837c1e8b30c8 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:260
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #448dcc15df1afda1 Environment-variable access.
repo/packages/components/src/tracingEnv.ts:71
    for (const k of LANGCHAIN_TRACING_FLAG_VARS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4af6a6ee5997412c Environment-variable access.
repo/packages/components/src/utils.test.ts:245
        delete process.env.ALLOW_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5732e115588867d Environment-variable access.
repo/packages/components/src/utils.test.ts:246
        delete process.env.TOOL_FUNCTION_EXTERNAL_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fdd15881a4b3884 Environment-variable access.
repo/packages/components/src/utils.test.ts:251
            process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b3e2f2d169a41f0 Environment-variable access.
repo/packages/components/src/utils.test.ts:278
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d2cad5a078c0cfc Environment-variable access.
repo/packages/components/src/utils.test.ts:284
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #055b0138ed98af6a Environment-variable access.
repo/packages/components/src/utils.test.ts:285
        process.env.TOOL_FUNCTION_EXTERNAL_DEP = 'pg'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7af5b13f2f5d5070 Filesystem access.
repo/packages/components/src/utils.ts:12
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de673325ec8dd123 Environment-variable access.
repo/packages/components/src/utils.ts:32
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b92d58ffd79e4ea0 Environment-variable access.
repo/packages/components/src/utils.ts:34
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42b543e5d10de73d Environment-variable access.
repo/packages/components/src/utils.ts:35
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cb9bc036a69b0f7 Environment-variable access.
repo/packages/components/src/utils.ts:36
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f16ef8ff196546 Environment-variable access.
repo/packages/components/src/utils.ts:408
            if (process.env.DEBUG === 'true') console.error(`error with scraped URL: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0acf5c062f3bdeba Environment-variable access.
repo/packages/components/src/utils.ts:454
    if (process.env.DEBUG === 'true') console.info(`actively crawling ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4180f91c614da02e Environment-variable access.
repo/packages/components/src/utils.ts:459
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae07f66c14575a7a Environment-variable access.
repo/packages/components/src/utils.ts:465
            if (process.env.DEBUG === 'true') console.error(`non html response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ea027b08e82c709 Environment-variable access.
repo/packages/components/src/utils.ts:475
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48b51a2eb384f6a6 Environment-variable access.
repo/packages/components/src/utils.ts:510
    if (process.env.DEBUG === 'true') console.info(`actively scarping ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4feae0cf5504a4b9 Environment-variable access.
repo/packages/components/src/utils.ts:515
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a20632b43d8346a Environment-variable access.
repo/packages/components/src/utils.ts:521
            if (process.env.DEBUG === 'true') console.error(`non xml response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26b482f3322a4406 Environment-variable access.
repo/packages/components/src/utils.ts:528
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d7c312ffb7eb18b Environment-variable access.
repo/packages/components/src/utils.ts:540
        return typeof process !== 'undefined' ? process.env?.[name] : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #875ca4d72e938b85 Environment-variable access.
repo/packages/components/src/utils.ts:571
    return process.env.SECRETKEY_PATH ? path.join(process.env.SECRETKEY_PATH, 'encryption.key') : getEncryptionKeyFilePath()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58ca9a47d3e40c5f Environment-variable access.
repo/packages/components/src/utils.ts:579
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a4895852f72a7ab Environment-variable access.
repo/packages/components/src/utils.ts:580
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84aa6375d897188e Environment-variable access.
repo/packages/components/src/utils.ts:584
            const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05fcac6577d3b5b0 Filesystem access.
repo/packages/components/src/utils.ts:592
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73193cb92a8d3f32 Environment-variable access.
repo/packages/components/src/utils.ts:734
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8169af479b1cade Environment-variable access.
repo/packages/components/src/utils.ts:738
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cefdb5a482d6aa6 Environment-variable access.
repo/packages/components/src/utils.ts:1021
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21cd770ea9dda14b Filesystem access.
repo/packages/components/src/utils.ts:1048
            const content = await fs.promises.readFile(checkPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5f57e11124dd177 Environment-variable access.
repo/packages/components/src/utils.ts:1603
    const shouldUseE2BSandbox = useSandbox && process.env.E2B_APIKEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4eee386c2b76998 Environment-variable access.
repo/packages/components/src/utils.ts:1606
    if (process.env.SANDBOX_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f45e75089d4fcc7f Environment-variable access.
repo/packages/components/src/utils.ts:1607
        timeoutMs = parseInt(process.env.SANDBOX_TIMEOUT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63e4320881b44287 Environment-variable access.
repo/packages/components/src/utils.ts:1665
            const sbx = await Sandbox.create({ apiKey: process.env.E2B_APIKEY, timeoutMs })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4150de02562eccd Environment-variable access.
repo/packages/components/src/utils.ts:1729
        const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d563d3fee70136f Environment-variable access.
repo/packages/components/src/utils.ts:1730
            ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #294e7d49274f67c5 Environment-variable access.
repo/packages/components/src/utils.ts:1732
        const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84628c97f2f383a9 Environment-variable access.
repo/packages/components/src/utils.ts:1733
        let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d03a8b2650b853 Environment-variable access.
repo/packages/components/src/validator.test.ts:55
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0798575e691e6b0 Environment-variable access.
repo/packages/components/src/validator.test.ts:58
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23019dc1287b2507 Environment-variable access.
repo/packages/components/src/validator.test.ts:75
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cebb91ad27068728 Environment-variable access.
repo/packages/components/src/validator.test.ts:78
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d24275a05d8a27a1 Environment-variable access.
repo/packages/components/src/validator.test.ts:365
            const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9acbc588bb9f4490 Environment-variable access.
repo/packages/components/src/validator.test.ts:366
            delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2c672774e1015fe Environment-variable access.
repo/packages/components/src/validator.test.ts:375
                    process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #780c034e431fd880 Environment-variable access.
repo/packages/components/src/validator.test.ts:396
        const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7293c40f4f6b2af Environment-variable access.
repo/packages/components/src/validator.test.ts:401
                process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6d3d60497ffa35f Environment-variable access.
repo/packages/components/src/validator.test.ts:403
                delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #528a50069969e0b3 Environment-variable access.
repo/packages/components/src/validator.test.ts:409
            process.env.BLOB_STORAGE_PATH = customStoragePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9c66704f6ead7e2 Environment-variable access.
repo/packages/components/src/validator.test.ts:418
            process.env.BLOB_STORAGE_PATH = path.join(userHome, 'custom-storage')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #184d2ae9f1c7bfd1 Environment-variable access.
repo/packages/components/src/validator.test.ts:453
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ac42da20130c6a6 Environment-variable access.
repo/packages/components/src/validator.test.ts:456
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1657ba3b99b09a48 Environment-variable access.
repo/packages/components/src/validator.test.ts:591
        const originalDatabasePath = process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faac2bb550eeb5a0 Environment-variable access.
repo/packages/components/src/validator.test.ts:595
                delete process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #598a9acd0ae53de3 Environment-variable access.
repo/packages/components/src/validator.test.ts:597
                process.env.DATABASE_PATH = originalDatabasePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a258afc3f5fdc6c Environment-variable access.
repo/packages/components/src/validator.test.ts:603
            process.env.DATABASE_PATH = customBase

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fee658a0c66f573b Environment-variable access.
repo/packages/components/src/validator.test.ts:609
            process.env.DATABASE_PATH = path.join(userHome, 'custom-flowise-data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a997fd762f99e6b Environment-variable access.
repo/packages/components/src/validator.test.ts:616
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #128430fc4ffc3ba8 Environment-variable access.
repo/packages/components/src/validator.test.ts:619
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455c81de635af65b Environment-variable access.
repo/packages/components/src/validator.test.ts:788
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47c0a06b031d0fba Environment-variable access.
repo/packages/components/src/validator.test.ts:791
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83c44e828a82b987 Environment-variable access.
repo/packages/components/src/validator.ts:41
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cb15b72c5754786 Environment-variable access.
repo/packages/components/src/validator.ts:70
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5500ed275c8c05aa Environment-variable access.
repo/packages/components/src/validator.ts:195
    if (process.env.BLOB_STORAGE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b73c1def8ef198f Environment-variable access.
repo/packages/components/src/validator.ts:196
        allowedDirs.push(path.resolve(process.env.BLOB_STORAGE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #178130e494b3720e Environment-variable access.
repo/packages/components/src/validator.ts:213
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #266b148c4d0ad1d9 Environment-variable access.
repo/packages/components/src/validator.ts:290
    if (process.env.DATABASE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #928e023d042b8fe9 Environment-variable access.
repo/packages/components/src/validator.ts:291
        dirs.push(path.resolve(process.env.DATABASE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #440873cdf0728863 Environment-variable access.
repo/packages/components/src/validator.ts:324
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a454d6e5be8be78 Environment-variable access.
repo/packages/components/src/validator.ts:423
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@elastic/elasticsearch

npm dependency
high pii_flow dependency Excluded from app score #1be2de119b0acc7d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:952 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:935 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:952
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0286fc262a51b3aa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1574 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1562 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1574
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ed0247e62a06fb78 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1612 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1600 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1612
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #c1d5687a7081a2f5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1688 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1676 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:1688
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #4ca828a69a727930 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2274 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2257 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2274
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0ee3efe743f8f4e0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2454 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2437 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2454
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b5955d201a54fd42 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2927 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2915 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/esm/api/api/security.js:2927
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #679993d3eb6a3c1a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:954 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:937 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:954
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #5365809f322ee2f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1576 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1564 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1576
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b1106ac9979022cd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1614 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1602 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1614
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #97fa71719e075bbe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1690 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1678 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:1690
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #78a8dd4b74be01c5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2276 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2259 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2276
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #12423ac178a16381 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2456 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2439 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2456
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #740690933553c8dd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2929 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2917 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/lib/api/api/security.js:2929
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

@mendable/firecrawl-js

npm dependency
high pii_flow tooling Excluded from app score unknown #fb4a8ab2afc39d91 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:43 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:24 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:43
  const res = await fetch(`${idmuxUrl}/`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #422b56086a8ebdc8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/index.backup.ts:663 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/index.backup.ts:608 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/index.backup.ts:663
      const response: AxiosResponse = await axios.post(
        this.apiUrl + `/v1/scrape`,
        jsonData,
        { headers, timeout: params?.timeout !== undefined ? (params.timeout + 5000) : undefined },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #16a6f5a254c3c63f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/src/v1/index.ts:739 · flow /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/v1/index.ts:699 → /tmp/closeopen-d65y7tid/pkgs/npm/@[email protected]/src/v1/index.ts:739
      const response: AxiosResponse = await axios.post(
        this.apiUrl + `/v1/scrape`,
        jsonData,
        { headers, timeout: params?.timeout !== undefined ? (params.timeout + 5000) : undefined },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 17 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #e444eb9337d48f55 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v1/index.test.ts:8
const TEST_API_KEY = process.env.TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a95d1003dafb26c2 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v1/index.test.ts:9
const API_URL = process.env.API_URL ?? "https://api.firecrawl.dev";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #25bb50f8cf1792b9 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:18
  return process.env.TEST_URL ?? process.env.FIRECRAWL_API_URL ?? "https://api.firecrawl.dev";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b4105e3402355b66 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:24
  const idmuxUrl = process.env.IDMUX_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ea74df1ae05bd8f0 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:27
      apiKey: process.env.TEST_API_KEY ?? process.env.FIRECRAWL_API_KEY ?? "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a5dcd8cf1d16745c Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:28
      teamId: process.env.TEST_TEAM_ID ?? "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d012190aa40fa798 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:34
  const runNumberRaw = process.env.GITHUB_RUN_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4a24e5dc618f0374 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/utils/idmux.ts:37
    refName: process.env.GITHUB_REF_NAME ?? "local",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #da5855f79b8b21c6 Environment-variable access.
pkgs/npm/@[email protected]/src/__tests__/e2e/v2/watcher.test.ts:8
const API_URL = process.env.FIRECRAWL_API_URL ?? "https://api.firecrawl.dev";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e22152f9aac1b05c Environment-variable access.
pkgs/npm/@[email protected]/src/v1/index.ts:666
      if (typeof process !== 'undefined' && process.env && process.env.npm_package_version) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5511a94b7453902 Environment-variable access.
pkgs/npm/@[email protected]/src/v1/index.ts:667
        return process.env.npm_package_version as string;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb165b71a064de04 Environment-variable access.
pkgs/npm/@[email protected]/src/v1/index.ts:674
        process.env.JEST_WORKER_ID != null || process.env.NODE_ENV === 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47f1b4ccb0b63a05 Environment-variable access.
pkgs/npm/@[email protected]/src/v2/client.ts:141
    const apiKey = (opts.apiKey ?? process.env.FIRECRAWL_API_KEY ?? "").trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0ada27a25c6f99c Environment-variable access.
pkgs/npm/@[email protected]/src/v2/client.ts:142
    const apiUrl = (opts.apiUrl ?? process.env.FIRECRAWL_API_URL ?? "https://api.firecrawl.dev").replace(/\/$/, "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f46dcffead7f4132 Environment-variable access.
pkgs/npm/@[email protected]/src/v2/utils/getVersion.ts:3
    if (typeof process !== "undefined" && process.env && process.env.npm_package_version) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84d328f96671a271 Environment-variable access.
pkgs/npm/@[email protected]/src/v2/utils/getVersion.ts:4
      return process.env.npm_package_version as string;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cee199fd1cc99e6d Environment-variable access.
pkgs/npm/@[email protected]/tsup.config.ts:15
      "process.env.NODE_ENV": JSON.stringify(process.env.NODE_ENV || "production"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

axios

npm dependency
high pii_flow dependency Excluded from app score #7dfb6d353cb7e496 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:708 · flow /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/adapters/http.js:610 → /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/adapters/http.js:708
      req = transport.request(options, function handleResponse(res) {
        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (config.decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + config.maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (req.destroyed) return;
            reject(AxiosError.from(err, null, config, lastRequest));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #e029259947007217 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:708 · flow /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/adapters/http.js:616 → /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/adapters/http.js:708
      req = transport.request(options, function handleResponse(res) {
        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (config.decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + config.maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (req.destroyed) return;
            reject(AxiosError.from(err, null, config, lastRequest));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #2756df0b4e6e1a3e Environment-variable access.
pkgs/npm/[email protected]/lib/helpers/shouldBypassProxy.js:64
  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-components

npm dependency
high pii_flow dependency Excluded from app score #5366df2d1466af66 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132 · flow /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:129 → /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132
        const response = await fetch(this.apiUrl, {
            method: 'POST',
            body: formData,
            headers
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 315 low-confidence finding(s)
low env_fs dependency Excluded from app score #b76a65e9b31ffb58 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ConversationalAgent/ConversationalAgent.ts:283
        verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33703c3ee9bba845 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ConversationalRetrievalToolAgent/ConversationalRetrievalToolAgent.ts:360
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a1af9fe0c654c25 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:104
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #782fecccffede194 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:113
        const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6f26c8806b9450b Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:115
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc94ccdd63b6c075 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:130
                verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c63d39113dc99392 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:157
            const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cef4c7e73bbffb92 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ReActAgentChat/ReActAgentChat.ts:132
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10b7427105be1bb4 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ReActAgentLLM/ReActAgentLLM.ts:105
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cbdb4a68e094692 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ToolAgent/ToolAgent.ts:359
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79e524576e1fba8b Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/XMLAgent/XMLAgent.ts:284
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cdf83aa5be9e85e Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:130
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4db9821c1271436b Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:131
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2adf4fccc89303e Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:138
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ba64840845147da Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:139
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e1b89131b21d512 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:87
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93fc1bac1b72c931 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:88
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a29fadb5b53d5583 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:95
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8ecbd712bfb9cb3 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:96
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb9a1df607ce1aa5 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/GETApiChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2b2fd3e4dad60c8 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/OpenAPIChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a52720e351f315a3 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/POSTApiChain.ts:124
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c97fa7b008cfa30 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ConversationChain/ConversationChain.ts:139
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfda32a6404078f9 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ConversationalRetrievalQAChain/ConversationalRetrievalQAChain.ts:229
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4035c16e6441bcd5 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/GraphCypherQAChain/GraphCypherQAChain.ts:423
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #795c8b4bf5001a76 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/LLMChain/LLMChain.ts:109
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ab3b5a25be17650 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/LLMChain/LLMChain.ts:117
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21bd2336c307c3d4 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/MultiPromptChain/MultiPromptChain.ts:71
            llmChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7539c51084a1e562 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/MultiRetrievalQAChain/MultiRetrievalQAChain.ts:79
            retrievalQAChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false, returnSourceDocuments }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e77adb44758ae061 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/RetrievalQAChain/RetrievalQAChain.ts:58
        const chain = RetrievalQAChain.fromLLM(model, vectorStoreRetriever, { verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74662f6e28d6f155 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/SqlDatabaseChain/SqlDatabaseChain.ts:245
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #94a51b37cc5cd3bd Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/chains/VectaraChain/VectaraChain.ts:312
            const response = await fetch(`https://api.vectara.io/v1/query`, {
                method: 'POST',
                headers: headers?.headers,
                body: JSON.stringify(data)
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #57e363301bcb4bec Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/VectorDBQAChain/VectorDBQAChain.ts:60
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f1c3e23e4429af4 Filesystem access.
pkgs/npm/[email protected]/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dff9b4ebb0f74df Filesystem access.
pkgs/npm/[email protected]/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:9
        const raw = JSON.parse(fs.readFileSync(modelsPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adbb3696b4e802e8 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5c6c9e75f60a49d Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e040f337ea9debe3 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4384d54379b4c245 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:13
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7860f7368fe6e27e Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:153
                    if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fe5f901af4662d9 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:166
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5088cd24e9fa12b Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:175
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #871b3b3b02391fad Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:186
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b9aa11fc093f7e1 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:192
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31619c1695dde1b8 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:194
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c23aaaa178b0c9ad Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:7
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78159923a7e9fb76 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:127
                    fs.writeFileSync(tempFilePath, fileData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63d7a43eed4a6312 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:139
                    fs.writeFileSync(tempFilePath, fileBuffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bc0c61da3ba64d3 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #ebbc21ce4c6dec99 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:227
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #a989cde87f38b8c2 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:454
            const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #59e0472eb2be4758 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:702
        fs.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #8fe90503cae62ae1 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleSheets/GoogleSheets.ts:155
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #8b970c543a955751 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:194
                const executablePath = process.env.PLAYWRIGHT_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bfd179e5b8ef501 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:235
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21d88c870ac1bac8 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:242
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e37d9e2c700f2a7 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:253
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #106d1447edfbb6e4 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:262
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a26f2fba6e2786a6 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:264
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0566801bcdc8b59 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:185
                const executablePath = process.env.PUPPETEER_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60348e825b5178b0 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:226
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cc351f6fbbf400d Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:233
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f37fd8eac0d5c8c Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:244
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91ac2070a1829983 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:253
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8706ac3624810aa5 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:255
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85e0d638d3174b79 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3Directory/S3Directory.ts:217
                        fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28a16b896e6c3020 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:130
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17ba275ef9f53f05 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:131
                optional: !!process.env.UNSTRUCTURED_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8ae0ccd21c84463 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:784
                    fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #428492b822e9a7af Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:1020
        fsDefault.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a4a2c99a9dc7a50 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:30
    private apiUrl = process.env.UNSTRUCTURED_API_URL || 'https://api.unstructuredapp.io/general/v0/general'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca6260b651684af3 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:32
    private apiKey: string | undefined = process.env.UNSTRUCTURED_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5784f16cc6ea0062 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/UnstructuredFile.ts:57
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6760154104a4d2e Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/UnstructuredFile.ts:58
                optional: !!process.env.UNSTRUCTURED_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8bd765ce753cb53 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:6
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf097f0ccb40f089 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:7
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25ad0f282c6badff Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:8
    (!!process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME || !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36f92f5b88e09951 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:9
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #279c464c5d22ac31 Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:9
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b03e2efb0c68c900 Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d8eca6755ae2cc1 Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #684b43929e6d61ce Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6a0b6219d393367 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/AgentMemory/AgentMemory.ts:138
                : path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63baba150ddd2260 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/AgentMemory/SQLiteAgentMemory/SQLiteAgentMemory.ts:72
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9079d484e3506589 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:144
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d76b47289904bb54 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:145
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b55335dabc6775f Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:151
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93717dabab9b0957 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:152
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #543732846311d097 Environment-variable access.
pkgs/npm/[email protected]/nodes/multiagents/Worker/Worker.ts:235
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b23dc384f5b54e9 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:10
const serverCredentialsExists = !!process.env.POSTGRES_RECORDMANAGER_USER && !!process.env.POSTGRES_RECORDMANAGER_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45add5b8fb2daad7 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:139
        const user = getCredentialParam('user', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf26bc7bfa265f21 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:140
        const password = getCredentialParam('password', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6234a4274d6efb96 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_RECORDMANAGER_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a27e558edcf9e406 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_RECORDMANAGER_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5cb473c60ea7e29 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_RECORDMANAGER_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2364bfde78fcf2a Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_RECORDMANAGER_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccb65975382960a9 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_RECORDMANAGER_TABLE_NAME, 'upsertion_records')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4fee5e0b5ecf07f Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/SQLiteRecordManager/SQLiteRecordManager.ts:124
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #7651c79b29fe4a39 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/CohereRerankRetriever/CohereRerank.ts:44
            let returnedDocs = await axios.post(this.COHERE_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #4a1aa53d00d8a68e Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/JinaRerankRetriever/JinaRerank.ts:39
            let returnedDocs = await axios.post(this.JINA_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #c7a957d26836a079 Environment-variable access.
pkgs/npm/[email protected]/nodes/retrievers/MultiQueryRetriever/MultiQueryRetriever.ts:75
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #4f52343469345c6c Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/VoyageAIRetriever/VoyageAIRerank.ts:40
            let returnedDocs = await axios.post(this.VOYAGEAI_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #c5fe31450970535b Environment-variable access.
pkgs/npm/[email protected]/nodes/sequentialagents/Agent/Agent.ts:690
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d9fbc35ee6a70cbb Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/Arxiv/Arxiv.ts:119
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #da1980ccdfdd43b8 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:77
                    process.env.CUSTOM_MCP_PROTOCOL === 'sse'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #63c30d7645a7b82e Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:176
            if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #144b66c3adfcf984 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:186
            if (process.env.CUSTOM_MCP_PROTOCOL === 'stdio' && serverParams!.command) toolkit = new MCPToolkit(serverParams, 'stdio')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unknown #e8b968d0f0e5c06d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/tools/MCP/Pipedream/PipedreamMCP.ts:212
            const response = await axios.post('https://api.pipedream.com/v1/oauth/token', body, {
                headers: {
                    'Content-Type': 'application/json'
                }
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unknown #d082ac318afe51d4 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts:109
        if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8e1cc182594a8044 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:416
        const originalAllowList = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0c9691d6c9c6a264 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:420
                delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9adae87b8625e082 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:422
                process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = originalAllowList

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #967790104ad334cd Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:427
            delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e7eac603c3a4670f Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:435
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c69f9bb3600b75ee Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:447
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0a623893dd7655b2 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:455
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR,API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4a245b04493739f3 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:520
            const original = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9ced85acd228475c Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:521
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_TOKEN'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #58ac11090dd43288 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:533
                    delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #71633e40c3b7c2d6 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:535
                    process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = original

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9828ab72883116a1 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.ts:48
                    PATH: process.env.PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fd6b3ee38aa92b6f Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.ts:258
        (process.env.CUSTOM_MCP_ALLOWED_ENV_VARS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea80be5b3055719a Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Pinecone/Pinecone_LlamaIndex.ts:238
        this.chunkSize = params?.chunkSize ?? Number.parseInt(process.env.PINECONE_CHUNK_SIZE ?? '100')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db684fe891afdeec Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/Postgres.ts:13
const serverCredentialsExists = !!process.env.POSTGRES_VECTORSTORE_USER && !!process.env.POSTGRES_VECTORSTORE_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f2da085403f4b3 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/driver/Base.ts:68
        const user = getCredentialParam('user', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1d7afb173199134 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/driver/Base.ts:69
        const password = getCredentialParam('password', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #689ccec5da28c5e5 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_VECTORSTORE_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3b9025573def0a8 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_VECTORSTORE_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4516d095d58bedf Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_VECTORSTORE_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a69d4178b72d5e14 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_VECTORSTORE_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21a56a0ae39b4e44 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_VECTORSTORE_TABLE_NAME, 'documents')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62f0645e453e6596 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:24
    return defaultChain(nodeData?.inputs?.contentColumnName, process.env.POSTGRES_VECTORSTORE_CONTENT_COLUMN_NAME, 'pageContent')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4536084dfb1e210 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:28
    return defaultChain(nodeData?.inputs?.schemaName, process.env.POSTGRES_VECTORSTORE_SCHEMA_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2f136ab107c48d5 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:154
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9f196b2e0d21913 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:155
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7283c2f69a7370c0 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:159
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a92112bb015e795 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:160
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb565614943675d4 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:172
                    if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d6166827a1cf1f3 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:231
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27700abff1d902ee Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:232
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #809af88970f59d84 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:236
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #258faa59e4649728 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:237
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7455a09a9073738 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:388
        for (const k of LANGSMITH_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3eb19f0fe974e75 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:389
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6da663736400ce2b Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:390
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbbc04149b142ce2 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:391
        process.env.LANGSMITH_API_KEY = 'test-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6870aa5524b05f22 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:397
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a9761924c1305ca Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:400
            if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97aa92aa0f51d61a Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:81
        if (process.env.DEBUG === 'true') console.error(`Error setting up Arize tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34fe82b8ec68ef2c Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:135
        if (process.env.DEBUG === 'true') console.error(`Error setting up Phoenix tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a017d404226df33 Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:179
        if (process.env.DEBUG === 'true') console.error(`Error setting up Opik tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #addf2b8f4ec24611 Environment-variable access.
pkgs/npm/[email protected]/src/httpSecurity.ts:36
    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71545e767e703e65 Environment-variable access.
pkgs/npm/[email protected]/src/httpSecurity.ts:37
    const httpDenyListString = process.env.HTTP_DENY_LIST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fe9997ae6f907cf Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #031042e3a465369a Environment-variable access.
pkgs/npm/[email protected]/src/modelLoader.ts:38
        process.env.MODEL_LIST_CONFIG_JSON ?? 'https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #204df82f94967a6c Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:48
            const models = await fs.promises.readFile(modelFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7be2dbd3d243c4de Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:55
        const models = await fs.promises.readFile(getModelsJSONPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #087f1675e7a187b5 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:40
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0457a738e0016f0d Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:41
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34c4a2750f416850 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:42
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b277d1ffd50953c6 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:43
        const containerName = process.env.AZURE_BLOB_STORAGE_CONTAINER_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #868a0a1bebadb40e Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:265
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e150af92d6a2ce23 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:276
            storageConfig.accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03fa3f62f441d063 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:277
            storageConfig.accessKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8f78305d6b30404 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:285
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4a5765c6a1fdbb4 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:286
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7afe686c891d850 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:287
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55aa185f7d1d7c34 Environment-variable access.
pkgs/npm/[email protected]/src/storage/BaseStorageProvider.ts:63
        const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6fdeb319acadea0 Environment-variable access.
pkgs/npm/[email protected]/src/storage/BaseStorageProvider.ts:64
            ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b60a23001005bde3 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:32
        const keyFilename = process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0084eb86f2dbd5d0 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:33
        const projectId = process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c45d4a436bf3d4d Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:34
        const bucketName = process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d23a7dc5e9b0098c Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:333
                uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b80f4dde9e075347 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac88b9a91f2b6e7d Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:40
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57b4273767759c08 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:60
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2907b5384d4c5e29 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:74
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51819acea9cc52ef Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:81
        return fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f7d6da0b66b1300 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:88
            return fs.readFileSync(fileInStorage)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8a00f8c13fb708a Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:114
                    return fs.readFileSync(targetPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55759c2c8959800f Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:344
        return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90afb7802ccc20a9 Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:345
            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #567eb9e4e44e6429 Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:350
        return process.env.HOME || process.env.USERPROFILE || process.env.HOMEPATH || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4465df006e8704d1 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:34
        const accessKeyId = process.env.S3_STORAGE_ACCESS_KEY_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c16319adcd840f72 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:35
        const secretAccessKey = process.env.S3_STORAGE_SECRET_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf90c2b60f84af95 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:36
        const region = process.env.S3_STORAGE_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aec29cb0b42f977 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:37
        const bucket = process.env.S3_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d676603d6365093 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:38
        const customURL = process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #deb8adcd6803bfbe Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:39
        const forcePathStyle = process.env.S3_FORCE_PATH_STYLE === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc9b4be1353d95ac Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:73
            region: process.env.S3_STORAGE_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c297640981573d4d Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:74
            endpoint: process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60143525d0d02d03 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:536
            const instance = process.env.HOSTNAME || process.env.POD_NAME || String(process.pid)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c81ed8d1ba13544 Environment-variable access.
pkgs/npm/[email protected]/src/storage/StorageProviderFactory.ts:20
            const storageType = process.env.STORAGE_TYPE || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e69a108f12627cb Filesystem access.
pkgs/npm/[email protected]/src/storageUtils.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bac33dded587a6ce Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:51
    const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ed970866a9bd65c Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:52
        ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cef83f4abd0c524c Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:64
    return process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb2265a1156b63bf Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:21
    for (const k of ENV_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b035903abdc61c4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:28
    for (const k of ENV_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79550a0bc7538bb4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:37
        if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28120c96a83874e4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:48
        process.env.LANGSMITH_TRACING = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3835fbad4d81d442 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:49
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #110555ad626a1620 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:52
        process.env.LANGSMITH_TRACING = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab0ae75314030648 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:55
        process.env.LANGSMITH_TRACING = 'TRUE'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c345e629758e594 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:60
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d7b6c548b42c45d Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:65
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a09274496c7c3cfe Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:66
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2cd9965bb6def02 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:75
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f4c49668e715bb1 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:76
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bf0de2b61a6adeb Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:77
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4d370c8bb676ca8 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:78
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3344e9aff9a28de6 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:87
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1016565d9cdadf86 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:88
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69cbf31b53b4a3b1 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:89
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c9898c8ba17c53d Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:90
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20164f34bb4bce8f Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:91
        process.env.LANGSMITH_ENDPOINT = 'https://new.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32ed7cc99946728b Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:92
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ded3e803233681d9 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:93
        process.env.LANGSMITH_PROJECT = 'new-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4269605e8d60edaa Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:94
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f17a4ec1af7a5db Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:103
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #958c2e381336ab28 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:104
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c27b557ede892e4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:113
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d364bb967cf26ea3 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:114
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #323fff373132492a Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:115
        process.env.LANGSMITH_ENDPOINT = 'https://api.smith.langchain.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #418931b0ff331cb8 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:116
        process.env.LANGSMITH_PROJECT = 'my-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96697144ef0ebea1 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:129
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #191a045fcce59a78 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:130
        process.env.LANGSMITH_API_KEY = 'k1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f463833f3b9a381 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:135
        process.env.LANGSMITH_API_KEY = 'k2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1222f6703832442 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:144
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f627c9f8f14fa59f Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:145
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26fd5969af39b47e Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:152
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a92a35d8134c3d53 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:153
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf205998d6b29b9f Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:197
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d206f716739bb38c Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:198
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afbf8e2cf9e8ff01 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:212
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c902446212c9b90 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:213
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #245bc38122889788 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:214
        process.env.LANGSMITH_ENDPOINT = 'https://e.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b27163694501a91 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:215
        process.env.LANGSMITH_PROJECT = 'proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e434ae249b921d62 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:233
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad224fec410fbd02 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:234
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e528b517a103d30d Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:245
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42c5ab739d323b99 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:246
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fda9ecb9d9a37182 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:259
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546bc205214e3ce7 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:260
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf766ed0bdf1e4f4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.ts:71
    for (const k of LANGCHAIN_TRACING_FLAG_VARS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9aa67b6acaf5116a Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:245
        delete process.env.ALLOW_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #996a2b5d5d11f6f8 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:246
        delete process.env.TOOL_FUNCTION_EXTERNAL_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #046a7723d580997e Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:251
            process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4eb72af6e01d84fe Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:278
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad35b6f6c434e9b6 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:284
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #452d32e97793557c Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:285
        process.env.TOOL_FUNCTION_EXTERNAL_DEP = 'pg'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d74c4df07c3c74ac Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:12
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2081477d5a2053e1 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:32
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b04b136255712242 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:34
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8158e9d6f999f60e Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:35
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #016eca2de6cd6c24 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:36
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04b4f93a8daec21d Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:408
            if (process.env.DEBUG === 'true') console.error(`error with scraped URL: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2c22e38021d46d9 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:454
    if (process.env.DEBUG === 'true') console.info(`actively crawling ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #268545091fa4e3a4 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:459
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1941832e5a4f69e Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:465
            if (process.env.DEBUG === 'true') console.error(`non html response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15e1d1c588d949d0 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:475
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f70a4fa76247c739 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:510
    if (process.env.DEBUG === 'true') console.info(`actively scarping ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e72c113ac0f40c4e Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:515
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #124af0c75f61bea2 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:521
            if (process.env.DEBUG === 'true') console.error(`non xml response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cef10100dde67ad2 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:528
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d08d8336bbd52bb Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:540
        return typeof process !== 'undefined' ? process.env?.[name] : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5aef3bdc04bd994 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:571
    return process.env.SECRETKEY_PATH ? path.join(process.env.SECRETKEY_PATH, 'encryption.key') : getEncryptionKeyFilePath()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #213dfb4bd5ae7f29 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:579
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69e514fd3fe27692 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:580
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fce36ff72c91d863 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:584
            const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d181d35d9cb2471 Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:592
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #439ad0b6724132cc Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:734
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9720ce04df93b125 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:738
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe204c75b5f0b915 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1021
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53238bb5a39ba2fa Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:1048
            const content = await fs.promises.readFile(checkPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #040bba61e07910b1 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1603
    const shouldUseE2BSandbox = useSandbox && process.env.E2B_APIKEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6665f7169a882f7 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1606
    if (process.env.SANDBOX_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46390af6e84b3772 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1607
        timeoutMs = parseInt(process.env.SANDBOX_TIMEOUT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f2d6ac8dcd1f15b Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1665
            const sbx = await Sandbox.create({ apiKey: process.env.E2B_APIKEY, timeoutMs })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eac46ecc4dfb20c5 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1729
        const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d1f7acfdbc609fd Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1730
            ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3439caeeafbddcfc Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1732
        const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3a5b4383cc3cb2d Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1733
        let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #508c66bc00b312d0 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:55
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c5f0243451f9b6d Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:58
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9f6e4f3fdb8df79 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:75
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #882989983d06d943 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:78
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d564cec2baf6e827 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:365
            const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f016b6ae74bfa2d1 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:366
            delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ee4ff7fb878da95 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:375
                    process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3115629a3c850f3 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:396
        const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #820559d6b531e22f Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:401
                process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #640712783f8777e6 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:403
                delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0024b685949b6699 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:409
            process.env.BLOB_STORAGE_PATH = customStoragePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5e015221e26e53c Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:418
            process.env.BLOB_STORAGE_PATH = path.join(userHome, 'custom-storage')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c97a68a842350f8d Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:453
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #186c6f213eaab027 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:456
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a7967e7545204a2 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:591
        const originalDatabasePath = process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41816477757d7e49 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:595
                delete process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bac628bbb830785e Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:597
                process.env.DATABASE_PATH = originalDatabasePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41b89aa8afa38d44 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:603
            process.env.DATABASE_PATH = customBase

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fe4329ccdd8db2a Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:609
            process.env.DATABASE_PATH = path.join(userHome, 'custom-flowise-data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35a67cb32b2bb1b7 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:616
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30a50b7b3298a344 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:619
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3fcfc3887ea1ac9 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:788
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98e45ff710947226 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:791
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #629f5684207e2d78 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:41
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1ed41ae73c07d3b Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:70
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01591fab4cf3cc1e Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:195
    if (process.env.BLOB_STORAGE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58c834202bcb75a8 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:196
        allowedDirs.push(path.resolve(process.env.BLOB_STORAGE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80819420a8c64704 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:213
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6375896408cc9e3f Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:290
    if (process.env.DATABASE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8615d92ff460917b Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:291
        dirs.push(path.resolve(process.env.DATABASE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff0e790d9f6ee361 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:324
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b70c47c2b07cf546 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:423
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nodemailer

npm dependency
high pii_flow dependency Excluded from app score #61d9e50567936cff User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/fetch/index.js:148 · flow /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/fetch/index.js:55 → /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/fetch/index.js:148
        req = handler.request(reqOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #acc21d658859f8c4 Filesystem access.
pkgs/npm/[email protected]/lib/dkim/index.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27a3fd46f1bf5631 Filesystem access.
pkgs/npm/[email protected]/lib/mime-node/index.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b55ab3cc611295d Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:15
const ETHEREAL_API = (process.env.ETHEREAL_API || 'https://api.nodemailer.com').replace(/\/+$/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #503b7a8178b85610 Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:16
const ETHEREAL_WEB = (process.env.ETHEREAL_WEB || 'https://ethereal.email').replace(/\/+$/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd0c2ff7c8cd514d Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:17
const ETHEREAL_API_KEY = (process.env.ETHEREAL_API_KEY || '').replace(/\s*/g, '') || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1486d23977aafbd6 Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:18
const ETHEREAL_CACHE = ['true', 'yes', 'y', '1'].includes((process.env.ETHEREAL_CACHE || 'yes').toString().trim().toLowerCase());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6dc1a7300601851 Filesystem access.
pkgs/npm/[email protected]/lib/shared/index.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

posthog-node

npm dependency
medium telemetry dependency Excluded from app score #2c2ec48794999caf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:69
    posthog.withContext(buildRequestContextData(posthog, req), () => next())

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ae55fa1c707cefdc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:98
    posthog.addPendingPromise(
      ErrorTracking.buildEventMessage(
        posthog.getErrorPropertiesBuilder(),
        error,
        hint,
        contextData.distinctId,
        additionalProperties
      ).then((msg) => {
        return posthog._capturePreparedEvent(msg, false)
      })
    )

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #fb6f6e2d9add8bae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:100
        posthog.getErrorPropertiesBuilder(),

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #99588bd04d0904ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:106
        return posthog._capturePreparedEvent(msg, false)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

winston

npm dependency
medium pii_flow dependency Excluded from app score #7f8d875a71e2b460 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/winston/transports/http.js:242 · flow /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/winston/transports/http.js:249 → /tmp/closeopen-d65y7tid/pkgs/npm/[email protected]/lib/winston/transports/http.js:242
    const req = (this.ssl ? https : http).request({
      ...this.options,
      method: 'POST',
      host: this.host,
      port: this.port,
      path: `/${path.replace(/^\//, '')}`,
      headers: headers,
      auth: (auth && auth.username && auth.password) ? (`${auth.username}:${auth.password}`) : '',
      agent: this.agent
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #319fe2ab0c7c3ed7 Filesystem access.
pkgs/npm/[email protected]/lib/winston/tail-file.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac146343759b9ae2 Filesystem access.
pkgs/npm/[email protected]/lib/winston/transports/file.js:11
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@anthropic-ai/sdk

npm dependency
expand_more 44 low-confidence finding(s)
low env_fs dependency Excluded from app score #4da4e91129583563 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:110
        configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3210bcf6792d2d9e Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:210
        raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e52db4828415b46 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:308
        return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d495af8f5bf3ffbb Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:73
        configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2f58777d8c89638 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:172
        raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae18c0fd2572e087 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:268
        return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e9b1a3260046e75 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/credential-chain.js:203
            const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5840a081510716c3 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/credential-chain.mjs:166
            const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #145532b5898284ee Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/identity-token.js:51
            content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a39020149ab0113 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/identity-token.mjs:14
            content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b944188c9b9f0ec1 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/types.js:195
            await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65496026305ad70e Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/types.mjs:154
            await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce2fea50d073018e Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:56
            raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e818d29aa10ecb5 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:20
            raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #347183fdc7e616bd Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:154
    configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #981c63f6f77ccca5 Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:258
    raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55cfeed61e852f5d Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:372
    return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d471cb0c6d3d91b7 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/credential-chain.ts:250
      const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #741efd33348edc76 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/identity-token.ts:17
      content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #358000dab4fa0379 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/types.ts:222
      await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c63000608afe9f2 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:45
      raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #704965f03db9f749 Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/fs-util.ts:112
    await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7c37107fc2b56278 Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:457
        data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #20f4a6cc15514783 Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:533
        data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f3af36959bc31277 Environment-variable access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:806
  const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5bc1db345a7fb65c Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:4
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f6c495f9bb150649 Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:52
    await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3d481459fb00a285 Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:101
    return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a005c9d1cf07b4fe Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:256
      await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #52674c42f6c91c22 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/fs-util.js:115
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c0c35f0058bcece4 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/fs-util.mjs:107
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #99dcdddaf6ee55a9 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:390
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e7d3c66c0080f775 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:469
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #12d21349ae768c34 Environment-variable access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:755
    const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8aacc6aee41c281a Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:375
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3c54238abd821916 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:454
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7b52d25a2357edeb Environment-variable access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:740
    const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c7fbf75714bec155 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:43
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a31ce487a5052335 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:91
        return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e59ddc681125cb9e Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:213
            await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #25d613c45e7102f4 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:2
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c01896e205470535 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:38
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d786cbb8366bb997 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:86
        return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e2797559009cc14a Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:208
            await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@apidevtools/json-schema-ref-parser

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #5d40b6e12870d4af Filesystem access.
pkgs/npm/@[email protected]/lib/resolvers/file.ts:39
      return await fs.promises.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@dqbd/tiktoken

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #f733602b18888fd4 Filesystem access.
pkgs/npm/@[email protected]/lite/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16939a6f2d5d1cb9 Filesystem access.
pkgs/npm/@[email protected]/lite/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bf0d72c55d28f5e Filesystem access.
pkgs/npm/@[email protected]/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09e5cd3e02f0ea49 Filesystem access.
pkgs/npm/@[email protected]/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@elevenlabs/elevenlabs-js

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #4afa0d2747326b15 Filesystem access.
pkgs/npm/@[email protected]/core/file/file.js:87
            const fs = yield Promise.resolve().then(() => __importStar(require("fs")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dffa46b3235ee72 Filesystem access.
pkgs/npm/@[email protected]/core/file/file.js:130
            const fs = yield Promise.resolve().then(() => __importStar(require("fs")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1009fe44dfa6843b Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:3
const fs = require("fs").promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8fcf515ca255b977 Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:48
    const content = await fs.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #648763faabb2832e Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:66
        await fs.writeFile(file, newContent, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d040f69e6e4d929b Environment-variable access.
pkgs/npm/@[email protected]/wrapper/ElevenLabsClient.js:46
        const apiKey = (_a = options.apiKey) !== null && _a !== void 0 ? _a : process.env.ELEVENLABS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8eb64bb003baa88 Environment-variable access.
pkgs/npm/@[email protected]/wrapper/speech-engine/SpeechEngineServer.js:47
        const apiKey = (_b = this.options.apiKey) !== null && _b !== void 0 ? _b : process.env.ELEVENLABS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@getzep/zep-js

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #862026af3afb9c85 Environment-variable access.
pkgs/npm/@[email protected]/api/resources/memory/client/Client.js:1080
            const apiKeyValue = (_a = (yield core.Supplier.get(this._options.apiKey))) !== null && _a !== void 0 ? _a : process === null || process === void 0 ? void 0 : process.env["ZEP_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13dfbe5f934a0e57 Environment-variable access.
pkgs/npm/@[email protected]/api/resources/user/client/Client.js:505
            const apiKeyValue = (_a = (yield core.Supplier.get(this._options.apiKey))) !== null && _a !== void 0 ? _a : process === null || process === void 0 ? void 0 : process.env["ZEP_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dfb2e7b5fd0a0a47 Environment-variable access.
pkgs/npm/@[email protected]/examples/memory/memory_example.ts:15
const apiKey = process.env.ZEP_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9bab6f0fc2b99b57 Environment-variable access.
pkgs/npm/@[email protected]/examples/memory/memory_example.ts:16
const apiUrl = process.env.ZEP_API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ff5b570451d586a7 Environment-variable access.
pkgs/npm/@[email protected]/examples/users/users.ts:6
    const apiKey = process.env.ZEP_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3b29c9b66c39a919 Environment-variable access.
pkgs/npm/@[email protected]/examples/users/users.ts:7
    const apiUrl = process.env.ZEP_API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@grpc/grpc-js

npm dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #05532d6efddd7359 Filesystem access.
pkgs/npm/@[email protected]/src/certificate-provider.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3eed9b53c731d6d Environment-variable access.
pkgs/npm/@[email protected]/src/environment.ts:19
  (process.env.GRPC_NODE_USE_ALTERNATIVE_RESOLVER ?? 'false') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05d69829d4131ddc Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:51
  if (process.env.grpc_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f40bd6677905174 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:53
    proxyEnv = process.env.grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5005cc80cf7fc486 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:54
  } else if (process.env.https_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83337763f57e2da8 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:56
    proxyEnv = process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #647b83bcfd44ae9e Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:57
  } else if (process.env.http_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b438cb40a0df01b Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:59
    proxyEnv = process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88941bcd939d140b Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:108
  let noProxyStr: string | undefined = process.env.no_grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd33101f543711e1 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:111
    noProxyStr = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f5a2f5b9ee1a886 Environment-variable access.
pkgs/npm/@[email protected]/src/load-balancer-outlier-detection.ts:57
  (process.env.GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION ?? 'true') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #788cc9273333a373 Environment-variable access.
pkgs/npm/@[email protected]/src/logging.ts:39
  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e70852c7dbfcd71a Environment-variable access.
pkgs/npm/@[email protected]/src/logging.ts:97
  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90c90a8159e12cf5 Filesystem access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec118c0699fb853 Environment-variable access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:21
  process.env.GRPC_SSL_CIPHER_SUITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d65b6dee34ad47b Environment-variable access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:23
const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d959a94ea3be28c Filesystem access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:30
      defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@ibm-cloud/watsonx-ai

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #7b8081c91a4d169f Filesystem access.
pkgs/npm/@[email protected]/base/base.js:32
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21ba0557be6eadf6 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:27
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c5d759aa2d65d09 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:61
            const certFile = readFileSync(options.caCert);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9a03f7cf94e72cc Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:68
            const certFile = readFileSync(options.caCert.auth.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9560b4333290b729 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:97
                const certFile = readFileSync(options.caCert.service.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa141f07852600b9 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:103
                const certFile = readFileSync(options.caCert.dataplatform.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3aaf02ad60065ee Filesystem access.
pkgs/npm/@[email protected]/vml_v1.js:73
const fs_1 = __importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fa5e38ea2bf600d Filesystem access.
pkgs/npm/@[email protected]/vml_v1.mjs:36
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@mistralai/mistralai

npm dependency
expand_more 35 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #ae370e77c9d8efa0 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_audio_transcription_diarize.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #73eb484f140f1a5d Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_audio_transcription_stream.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1dd058fed5b5b825 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #19246c5ae2c800e0 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_chat_no_streaming.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8e27c07061b31327 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_chat_prediction.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3b76285453ef2c0a Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_chat_streaming.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f25e5b53542febca Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_chat_with_image_no_streaming.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d84b923821e1b9ca Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_conversation_agent.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #bb136582476f1abd Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_embeddings.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5a133e49c137d7ce Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_files.ts:1
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #12968b1b2d9d580e Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_files.ts:6
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8b355c15c38f9b61 Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_files.ts:19
const blob = new Blob([fs.readFileSync(filePath)], {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3376958361041b4b Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #cc4d9f3ac02f4be9 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:4
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #12d3658ad295027d Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_jobs.ts:1
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #311bc54bc3287f8d Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_jobs.ts:6
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #07ce5f5ecbc813cf Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_jobs.ts:19
const blob = new Blob([fs.readFileSync(filePath)], {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a18a3c55ceeac6e7 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_json_format.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b1f08e6f8101471f Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_list_models.ts:3
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b6a1a81dc453f618 Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:2
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0830971539131782 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:6
const apiKey = process.env.MISTRAL_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #da4dd0534cb249e2 Filesystem access.
pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:16
const uploaded_file = fs.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c410bde44d6a7be8 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_url.ts:3
const apiKey = process.env.MISTRAL_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3882e02e702fed2c Environment-variable access.
pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:4
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #958b0cd9177e1160 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:3
const azureAPIKey = process.env["AZURE_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #914d4e384140f9f2 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:8
const azureEndpoint = process.env["AZURE_ENDPOINT"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #70657f0351ce7579 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/error_handling.ts:4
const apiKey = process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #65aee2e7be97f832 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/gcp/async_chat_no_streaming.ts:3
const projectId = process.env["GOOGLE_PROJECT_ID"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c06b1a476ef9e946 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:38
      default: process.env["MISTRAL_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #51ef3d8aa86a4f26 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:43
      default: process.env["MISTRAL_BASE_URL"] ?? "wss://api.mistral.ai",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e4bd362275d62ddb Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:107
  const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #cca01c3c62220409 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:46
      default: process.env["MISTRAL_API_KEY"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ee1405a878778101 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:51
      default: process.env["MISTRAL_BASE_URL"] ?? "https://api.mistral.ai",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #58f74caee2548414 Environment-variable access.
pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:162
  const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #069ad3425083adbb Environment-variable access.
pkgs/npm/@[email protected]/packages/mistralai-azure/examples/chatComplete.example.ts:17
  apiKey: process.env["MISTRAL_API_KEY"] ?? "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@oclif/core

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #afb6d76bd655baff Environment-variable access.
pkgs/npm/@[email protected]/lib/command.js:323
        keys.map((key) => delete process.env[key]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dca18eca20b94710 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:201
        const base = process.env[`XDG_${category.toUpperCase()}_HOME`] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a3404bfb8fa3dca Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:202
            (this.windows && process.env.LOCALAPPDATA) ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #905a87f8bdf29bc8 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:310
        this.home = process.env.HOME || (this.windows && this.windowsHome()) || (0, os_1.getHomeDir)() || (0, node_os_1.tmpdir)();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #112a7be94b6d1341 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:548
        return process.env[this.scopedEnvVarKeys(k).find((k) => process.env[k])];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55f030c56663a502 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:579
        return process.env.HOMEDRIVE && process.env.HOMEPATH && (0, node_path_1.join)(process.env.HOMEDRIVE, process.env.HOMEPATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4974adca666c35a Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:582
        return process.env.USERPROFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31036ab4912e4f44 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:587
        const SHELL = process.env.SHELL ?? (0, node_os_1.userInfo)().shell?.split(node_path_1.sep)?.pop();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95d1a6162fe5afee Environment-variable access.
pkgs/npm/@[email protected]/lib/config/plugin.js:222
                if (!process.env.OCLIF_NEXT_VERSION && manifest.version.split('-')[0] !== this.version.split('-')[0]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f634e14c7cde2edd Environment-variable access.
pkgs/npm/@[email protected]/lib/config/ts-path.js:266
        debug(`Skipping typescript path lookup for ${root} because it's an ESM module (NODE_ENV: ${process.env.NODE_ENV}, root plugin module type: ${rootPlugin?.moduleType})`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9c1519b625f39f7 Environment-variable access.
pkgs/npm/@[email protected]/lib/execute.js:55
        process.env.NODE_ENV = 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66c0ecdfdf82ca94 Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:16
        process.env.CLI_FLAGS_DEBUG === '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #484a2c92c77e02ee Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:337
            if (fws.inputFlag.flag.env && process.env[fws.inputFlag.flag.env]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f51483f7ab46dcf2 Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:338
                const valueFromEnv = process.env[fws.inputFlag.flag.env];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5b5e61a14e0b41e Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:348
                        valueFunction: async (i) => (0, util_1.isTruthy)(process.env[i.inputFlag.flag.env] ?? 'false'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17a0bebce6559d89 Environment-variable access.
pkgs/npm/@[email protected]/lib/screen.js:18
const columns = Number.parseInt(process.env.OCLIF_COLUMNS, 10) || settings_1.settings.columns;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56793ba9b437c279 Environment-variable access.
pkgs/npm/@[email protected]/lib/util/read-pjson.js:16
    if (process.env.OCLIF_DISABLE_RC) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3acd8cf6be8c2e82 Environment-variable access.
pkgs/npm/@[email protected]/lib/util/util.js:58
    return !['development', 'test'].includes(process.env.NODE_ENV ?? '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4a4dca7f7c2e22d Environment-variable access.
pkgs/npm/@[email protected]/lib/ux/index.js:29
    !process.env.CI &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #075a15cae0f93f04 Environment-variable access.
pkgs/npm/@[email protected]/lib/ux/index.js:30
    !['dumb', 'emacs-color'].includes(process.env.TERM) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@opensearch-project/opensearch

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #065e4ae422a63076 Environment-variable access.
pkgs/npm/@[email protected]/lib/Client.js:130
    if (process.env.OPENSEARCH_CLIENT_APIVERSIONING === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e43c37d73cf17952 Environment-variable access.
pkgs/npm/@[email protected]/lib/Transport.js:87
    this[kApiVersioning] = process.env.OPENSEARCH_CLIENT_APIVERSIONING === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee956cdec476eb56 Environment-variable access.
pkgs/npm/@[email protected]/lib/tools.js:11
function strongPasswordRequired(os_version = process.env.OPENSEARCH_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@stripe/agent-toolkit

npm dependency
expand_more 8 low-confidence finding(s)
low egress dependency Excluded from app score #1e0c23705e421ccd Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/ai-sdk/index.js:165
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #8b2b9ceeb9b516cf Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/ai-sdk/index.mjs:138
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #d8729bd188fb2c3d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/langchain/index.js:165
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #0e33c9d6e9e48f25 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/langchain/index.mjs:138
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #76e372148751602d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/modelcontextprotocol/index.js:117
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #abfb06aa61c0800c Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/modelcontextprotocol/index.mjs:79
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #e2667968e6417827 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/openai/index.js:103
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #3b0a8608cc8bfaad Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]/openai/index.mjs:76
      new URL(MCP_SERVER_URL),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

@upstash/redis

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #77492b1e381d416e Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/node_with_fetch.js:47
            enableTelemetry: !process.env.UPSTASH_DISABLE_TELEMETRY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef9d737bb7a94d75 Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/node_with_fetch.js:51
            platform: process.env.VERCEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7893c301e33fea6d Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/node_with_fetch.js:53
                : process.env.AWS_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ab97d94b1c91ac8 Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/nodejs.js:42
            enableTelemetry: !process.env.UPSTASH_DISABLE_TELEMETRY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6347e01ba90944bd Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/nodejs.js:48
            platform: process.env.VERCEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aa03c374fa88b0c Environment-variable access.
pkgs/npm/@[email protected]/esm/platforms/nodejs.js:50
                : process.env.AWS_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32b8bfa502478ea0 Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/node_with_fetch.js:73
            enableTelemetry: !process.env.UPSTASH_DISABLE_TELEMETRY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #561ceeb41cb26329 Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/node_with_fetch.js:77
            platform: process.env.VERCEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc8ef6bc0a73e2cf Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/node_with_fetch.js:79
                : process.env.AWS_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e36c063b3dc13033 Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/nodejs.js:68
            enableTelemetry: !process.env.UPSTASH_DISABLE_TELEMETRY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8471ede612b4929 Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/nodejs.js:74
            platform: process.env.VERCEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e29f9f463c5d42 Environment-variable access.
pkgs/npm/@[email protected]/script/platforms/nodejs.js:76
                : process.env.AWS_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

connect-pg-simple

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #96992ec3a4b7e671 Environment-variable access.
pkgs/npm/[email protected]/index.js:137
        const conString = options.conString || process.env['DATABASE_URL'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90c66b6aea84ef7b Filesystem access.
pkgs/npm/[email protected]/index.js:183
        const tableDefString = await fs.readFile(pathModule.resolve(__dirname, './table.sql'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

connect-sqlite3

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #9358f03b8c7e5757 Filesystem access.
pkgs/npm/[email protected]/lib/connect-sqlite3.js:11
var sqlite3 = require('sqlite3'),
    events = require('events'),
    fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c9df44740fb1664 Filesystem access.
pkgs/npm/[email protected]/lib/connect-sqlite3.js:13
    fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #03d75559088082d3 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bf9c249ae3befc1 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f362be907bf75da9 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0983c4956bfc8d7 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd99fe6ead4c7166 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fe2673b68e597df Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2768d86943db2df8 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8bf50173dce1a64 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ffacb798d961e55 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c97657dc93d846b Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ff0362f447726ae Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92e292c58e35f46b Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae80447d3c5ac7d6 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a190609634a3cb15 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:141
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a14b515ce502dff3 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:142
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aff773fc3c568034 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:221
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a8e7b12724b923 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:222
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9704d1499c63530e Filesystem access.
pkgs/npm/[email protected]/lib/main.js:277
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #2e1d0f0d73d8304c Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express-mysql-session

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #2a66f25ca0f3a8a0 Filesystem access.
pkgs/npm/[email protected]/index.js:136
			const fs = require('fs').promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #675d7e5b186957a3 Filesystem access.
pkgs/npm/[email protected]/index.js:138
			return fs.readFile(schemaFilePath, 'utf-8').then(sql => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express-session

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #d3fe66f63f15d94c Environment-variable access.
pkgs/npm/[email protected]/index.js:33
var env = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-nim-container-manager

npm dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #0c8dbf323d0d899b Filesystem access.
pkgs/npm/[email protected]/src/NimContainerManager.js:9
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8be5659694f4b80e Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:15
process.env.LLM_PROVIDER = "nvidia-nim";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab537998cc4cd7eb Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:16
process.env.NVIDIA_NIM_LLM_MODE = "managed";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cc7fccb4f2fee6b Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:49
      process.env.LLM_PROVIDER === "nvidia-nim" &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f07f5635cbe58023 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:50
      process.env.NVIDIA_NIM_LLM_MODE === "managed"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e1e183d4425e7ef Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:60
        process.env.NVIDIA_NIM_LLM_MODE = "remote";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3254ffcaddbc38ac Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:74
      if (process.env.LLM_PROVIDER !== "nvidia-nim") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3728299e3c9537ad Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:75
      if (process.env.NVIDIA_NIM_LLM_MODE !== "managed") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29ccdabe177f9c57 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:520
      process.env.NODE_ENV === "development"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #195ac2b893592d3f Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:588
    if (process.env.NODE_ENV === "development" || !!process.env.NGC_PATCH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbf19de4673fd1c6 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:629
          ...(process.env.NODE_ENV === "development" || !!process.env.NGC_PATCH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb5c7bbfa83a3ce4 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:874
    process.env.NVIDIA_NIM_LLM_NGC_API_KEY = newKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a1bddd8de476fc2 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:929
      process.env.NVIDIA_NIM_LLM_NGC_API_KEY = providedKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #670bc030cdfa97e7 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:990
    if (!!process.env.NVIDIA_NIM_LLM_NGC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17cbf0d987ca508d Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:992
        `Using stored NGC API key: ${process.env.NVIDIA_NIM_LLM_NGC_API_KEY.slice(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #645048175fe98cb3 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:995
        )}...${process.env.NVIDIA_NIM_LLM_NGC_API_KEY.slice(-5)}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed725c89db14d850 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:997
      this.ngcApiKey = process.env.NVIDIA_NIM_LLM_NGC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-ui

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #96a6d05bef687a3a Environment-variable access.
pkgs/npm/[email protected]/vite.config.js:47
            port: process.env.VITE_PORT ?? 8080,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3a392769ac32906 Environment-variable access.
pkgs/npm/[email protected]/vite.config.js:48
            host: process.env.VITE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

handlebars

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #a4032deb80e78d86 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:18
  var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d7da9bcc0258b18 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:19
  var templateString = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cf6099cec0ea568 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:4
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c4d0698a4a96865 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:113
          fs.readFile(path, 'utf8', function(err, data) {
            /* istanbul ignore next : Race condition that being too lazy to test */
            if (err) {
              return callback(err);
            }

            if (opts.bom && data.indexOf('\uFEFF') === 0) {
              data = data.substring(1);
            }

            // Clean the template name
            let name = path;
            if (!root) {
              name = basename(name);
            } else if (name.indexOf(root) === 0) {
              name = name.substring(root.length + 1);
            }
            name = name.replace(extension, '');

            ret.push({
              path: path,
              name: name,
              source: data
            });

            callback();
          });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a4937a7494f7c8e Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:301
    fs.writeFileSync(opts.map, output.map, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #230394f927fb6e13 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:306
    fs.writeFileSync(opts.output, output, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #7ce5e9f770a3eb0c Filesystem access.
pkgs/npm/[email protected]/storage/disk.js:1
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer-azure-blob-storage

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #1f33f92a490f9ea8 Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:69
        options.connectionString = (options.connectionString || process.env.AZURE_STORAGE_CONNECTION_STRING || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c4209d060131f1d Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:71
            options.accessKey = (options.accessKey || process.env.AZURE_STORAGE_ACCESS_KEY || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #654b760e417f47b1 Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:72
            options.accountName = (options.accountName || process.env.AZURE_STORAGE_ACCOUNT || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer-cloud-storage

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #bc11b5bb0a8ad7be Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:118
        const bucket = opts.bucket || process.env.GCS_BUCKET || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acaa8760a6e6d78f Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:119
        const projectId = opts.projectId || process.env.GCLOUD_PROJECT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31b68ca05f8af129 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:120
        const keyFilename = opts.keyFilename || process.env.GCS_KEYFILE || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7427b6de89d14e9 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:9
        process.env.GCS_BUCKET = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d8569330c81e089 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:10
        process.env.GCLOUD_PROJECT = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1504311908d9efc Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:11
        process.env.GCS_KEYFILE = './test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #855d0f8440b211bb Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:14
        delete process.env.GCS_BUCKET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #206a291a840ab530 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:15
        delete process.env.GCLOUD_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e91640b1be6a1a46 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:16
        delete process.env.GCS_KEYFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e3ffeccc1add870 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:12
    process.env.GCS_BUCKET = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77769360d2346771 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:13
    process.env.GCLOUD_PROJECT = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #375f6237a730d331 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:14
    process.env.GCS_KEYFILE = './test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fcc00b35802710f Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:19
    delete process.env.GCS_BUCKET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40f8be717665a02e Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:20
    delete process.env.GCLOUD_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #208cb42ecfbad84b Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:21
    delete process.env.GCS_KEYFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #436d273f3a2af06e Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:111
		const bucket = opts.bucket || process.env.GCS_BUCKET || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c242334a555c4dc Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:112
		const projectId = opts.projectId || process.env.GCLOUD_PROJECT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97cd83552de73d82 Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:113
		const keyFilename = opts.keyFilename || process.env.GCS_KEYFILE || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #5c81818d6ed21dd7 Environment-variable access.
pkgs/npm/[email protected]/lib/packets/index.js:60
  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nanoid

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #311041b921512fa0 Filesystem access.
pkgs/npm/[email protected]/bin/nanoid.js:20
  let pkg = JSON.parse(readFileSync(join(root, '..', 'package.json'), 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openai

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #969e79245f6866c7 Environment-variable access.
pkgs/npm/[email protected]/azure.js:44
                endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfef9c7c85d0f672 Environment-variable access.
pkgs/npm/[email protected]/azure.mjs:40
                endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d04bf6ae109395af Environment-variable access.
pkgs/npm/[email protected]/src/azure.ts:97
        endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pg

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #038036e9ade17fcc Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:15
    envVar = process.env['PG' + key.toUpperCase()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1e9650f4f4dbb2b Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:19
    envVar = process.env[envVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bc44450f6d9834a Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:26
  switch (process.env.PGSSLMODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58c2c0393793e39e Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:127
      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b9d581d2267cbdc Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d86cbd9981b8ca2d Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:41
  forceNative = !!process.env.NODE_PG_FORCE_NATIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prom-client

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #e19f3a73e701333c Filesystem access.
pkgs/npm/[email protected]/lib/metrics/osMemoryHeapLinux.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eb4f8a396aa4670 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/osMemoryHeapLinux.js:53
				const stat = fs.readFileSync('/proc/self/status', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #056a4f5972703b45 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processMaxFileDescriptors.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfeed968a44edf8f Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processMaxFileDescriptors.js:14
			const limits = fs.readFileSync('/proc/self/limits', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #769e22f7a49d691f Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processOpenFileDescriptors.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

s3-streamlogger

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #17d70a3aaa1a720d Environment-variable access.
pkgs/npm/[email protected]/index.js:18
    if(!(options.bucket || process.env.BUCKET_NAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7cc115383462668 Environment-variable access.
pkgs/npm/[email protected]/index.js:21
    this.bucket                 = options.bucket || process.env.BUCKET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sqlite3

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #b3de97fdb75dff0d Filesystem access.
pkgs/npm/[email protected]/deps/extract.js:2
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typeorm

npm dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #c354cdd317bfc69c Environment-variable access.
pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:5
if ((process.env["NODE_OPTIONS"] ?? "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d1855d0704addaa Environment-variable access.
pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:13
                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5413a0a80e4fccbc Environment-variable access.
pkgs/npm/[email protected]/browser/driver/oracle/OracleDriver.js:221
            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92857ae3536566b2 Environment-variable access.
pkgs/npm/[email protected]/browser/driver/postgres/PostgresDriver.js:273
            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1656c4df710eb723 Filesystem access.
pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:66
                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c78c519032b6e56 Filesystem access.
pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:135
                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b733f9cc4956126f Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.d.ts:3
export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e60eb3513b97cff Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:6
const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #317166f1ba159238 Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:12
var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86785e75797bd78c Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:170
        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c013d36b58a626b Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:176
        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca8f14ed608ff694 Filesystem access.
pkgs/npm/[email protected]/browser/util/ImportUtils.js:88
                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf92dc2242f1f1cf Environment-variable access.
pkgs/npm/[email protected]/cli-ts-node-esm.js:5
if ((process.env["NODE_OPTIONS"] ?? "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8563bb133ff6d2b4 Environment-variable access.
pkgs/npm/[email protected]/cli-ts-node-esm.js:13
                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f035bedf357a8244 Filesystem access.
pkgs/npm/[email protected]/commands/CommandUtils.js:71
        await promises_1.default.writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b8244801bca5c8c Filesystem access.
pkgs/npm/[email protected]/commands/CommandUtils.js:79
        const file = await promises_1.default.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8f8a12f426f36e4 Filesystem access.
pkgs/npm/[email protected]/commands/InitCommand.js:79
            const packageJsonContents = await CommandUtils_1.CommandUtils.readFile(basePath + "/package.json");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f78d4b90ca72b5d3 Filesystem access.
pkgs/npm/[email protected]/commands/InitCommand.js:597
        const ourPackageJson = JSON.parse(await CommandUtils_1.CommandUtils.readFile(node_path_1.default.resolve(__dirname, "..", "package.json")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6fe202e7b105aa8 Environment-variable access.
pkgs/npm/[email protected]/driver/oracle/OracleDriver.js:221
            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b24aeb59e1baacf Environment-variable access.
pkgs/npm/[email protected]/driver/postgres/PostgresDriver.js:273
            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #409ccd531dbfc839 Filesystem access.
pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:66
                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #271d410a77b49987 Filesystem access.
pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:135
                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c201c20ca705d62 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.d.ts:3
export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2909cf9f797d51e9 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:6
const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34321d3e337891de Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:12
var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd522b0d7e50fe6c Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:170
        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3731dc9931f5ab32 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:176
        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c1f9078a985f98b Filesystem access.
pkgs/npm/[email protected]/util/ImportUtils.js:88
                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

winston-daily-rotate-file

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #cf81707b31658992 Filesystem access.
pkgs/npm/[email protected]/daily-rotate-file.js:1
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @bull-board/express prod — dist-only: no readable source
  • @modelcontextprotocol/sdk prod — dist-only: no readable source
  • @keyv/redis prod — dist-only: no readable source
  • @types/bcryptjs prod — no javascript source
  • bullmq prod — dist-only: no readable source
  • cache-manager prod — dist-only: no readable source
  • express-rate-limit prod — dist-only: no readable source
  • geoip-lite prod — tarball exceeds byte cap
  • global-agent prod — dist-only: no readable source
  • node-cron prod — dist-only: no readable source
  • rate-limit-redis prod — dist-only: no readable source
  • winston-azure-blob prod — dist-only: no readable source
  • @azure/storage-blob prod — dist-only: no readable source
  • @brave/brave-search-mcp-server prod — dist-only: no readable source
  • @datastax/astra-db-ts prod — dist-only: no readable source
  • @e2b/code-interpreter prod — dist-only: no readable source
  • @getzep/zep-cloud prod — dist-only: no readable source
  • @gomomento/sdk prod — dist-only: no readable source
  • @gomomento/sdk-core prod — dist-only: no readable source
  • @google/generative-ai prod — dist-only: no readable source
  • @langchain/anthropic prod — dist-only: no readable source
  • @langchain/aws prod — dist-only: no readable source
  • @langchain/baidu-qianfan prod — dist-only: no readable source
  • @langchain/cloudflare prod — dist-only: no readable source
  • @langchain/cohere prod — dist-only: no readable source
  • @langchain/deepseek prod — dist-only: no readable source
  • @langchain/exa prod — dist-only: no readable source
  • @langchain/google-genai prod — dist-only: no readable source
  • @langchain/groq prod — dist-only: no readable source
  • @langchain/langgraph prod — dist-only: no readable source
  • @langchain/mistralai prod — dist-only: no readable source
  • @langchain/mongodb prod — dist-only: no readable source
  • @langchain/ollama prod — dist-only: no readable source
  • @langchain/openai prod — dist-only: no readable source
  • @langchain/pinecone prod — dist-only: no readable source
  • @langchain/redis prod — dist-only: no readable source
  • @langchain/qdrant prod — dist-only: no readable source
  • @langchain/textsplitters prod — dist-only: no readable source
  • @langchain/tavily prod — dist-only: no readable source
  • @langchain/weaviate prod — dist-only: no readable source
  • @langchain/xai prod — dist-only: no readable source
  • @mem0/community prod — dist-only: no readable source
  • @modelcontextprotocol/server-postgres prod — dist-only: no readable source
  • @modelcontextprotocol/server-sequential-thinking prod — dist-only: no readable source
  • @modelcontextprotocol/server-slack prod — dist-only: no readable source
  • @pinecone-database/pinecone prod — dist-only: no readable source
  • @qdrant/js-client-rest prod — dist-only: no readable source
  • @upstash/vector prod — dist-only: no readable source
  • @zilliz/milvus2-sdk-node prod — dist-only: no readable source
  • apify-client prod — scan budget exceeded
  • assemblyai prod — scan budget exceeded
  • cheerio prod — scan budget exceeded
  • chromadb prod — scan budget exceeded
  • cohere-ai prod — scan budget exceeded
  • composio-core prod — scan budget exceeded
  • couchbase prod — scan budget exceeded
  • css-what prod — scan budget exceeded
  • d3-dsv prod — scan budget exceeded
  • epub2 prod — scan budget exceeded
  • exa-js prod — scan budget exceeded
  • faiss-node prod — scan budget exceeded
  • fast-json-patch prod — scan budget exceeded
  • form-data prod — scan budget exceeded
  • google-auth-library prod — scan budget exceeded
  • graphql prod — scan budget exceeded
  • groq-sdk prod — scan budget exceeded
  • html-to-text prod — scan budget exceeded
  • ioredis prod — scan budget exceeded
  • ipaddr.js prod — scan budget exceeded
  • jsdom prod — scan budget exceeded
  • json5 prod — scan budget exceeded
  • jsonpointer prod — scan budget exceeded
  • jsonrepair prod — scan budget exceeded
  • langchain prod — scan budget exceeded
  • langfuse prod — scan budget exceeded
  • langfuse-langchain prod — scan budget exceeded
  • langsmith prod — scan budget exceeded
  • langwatch prod — scan budget exceeded
  • linkifyjs prod — scan budget exceeded
  • llamaindex prod — scan budget exceeded
  • lunary prod — scan budget exceeded
  • mammoth prod — scan budget exceeded
  • meilisearch prod — scan budget exceeded
  • mongodb prod — scan budget exceeded
  • neo4j-driver prod — scan budget exceeded
  • node-fetch prod — scan budget exceeded
  • node-html-markdown prod — scan budget exceeded
  • notion-to-md prod — scan budget exceeded