Close Open Privacy Scan
App Privacy Score
High risk · 2277 finding(s)
Dependency score: 22 (High risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Potential data exfiltration in application code
External domains:
169.254.169.254ai-gateway.vercel.shai.google.devaiplatform.eu.rep.googleapis.comaiplatform.googleapis.comaiplatform.us.rep.googleapis.comapi.anthropic.comapi.deepseek.comapi.fireworks.aiapi.getunbound.aiapi.github.comapi.minimax.ioapi.minimaxi.comapi.mistral.aiapi.moonshot.aiapi.moonshot.cnapi.openai.comapi.poe.comapi.sambanova.aiapi.x.aiapi.z.aiapp.baseten.coapp.requesty.aiauth.openai.comautopush-generativelanguage.sandbox.googleapis.comaws.amazon.combaseten.cobedrock-agent-runtime.us-west-2.amazonaws.combedrock-mantle.us-east-1.api.awsbedrock-runtime.us-east-1.amazonaws.combitcoin.orgbsky.appchat.qwen.aichatgpt.comcline.botcloud.google.comcloud.sambanova.aicode.visualstudio.comcodestral.mistral.aiconsole.anthropic.comconsole.cloud.google.comconsole.mistral.aidashscope.aliyuncs.comdashscope.console.aliyun.comdate-fns.orgdevelopers.google.comdocs.anthropic.comdocs.cloud.google.comdocs.expo.devdocs.litellm.aidocs.mistral.aidummy.comemscripten.orgfireworks.aigateway.getunbound.aigateway.my-company.comgemini-api-demos.uc.r.appspot.comgenerativelanguage.googleapis.comgit-scm.comgithub.comgoo.glgoogle.aip.devhelp.openai.comimg.clerk.cominference.baseten.cojson-schema.orglmstudio.aimanagement.azure.commarketplace.visualstudio.commetadata.google.internalminimax.chatnews.google.comnpm.imoauth2.googleapis.comollama.aiollama.comontheline.trincoll.eduopen-vsx.orgopen.bigmodel.cnopenrouter.aiplatform.claude.complatform.deepseek.complatform.minimax.ioplatform.minimaxi.complatform.moonshot.aiplatform.moonshot.cnplatform.openai.compoe.compptr.devpurl.oclc.orgpurl.orgraw.githubusercontent.comrequesty.airoocodeinc.github.ioroomote.devrouter.requesty.aisambanova.aischemas.microsoft.comschemas.openxmlformats.orgschemas.zwobble.orgstorage.googleapis.comstuk.github.iotanstack.comvercel.comvpce-xxx.bedrock.region.vpce.amazonaws.comwww.allrecipes.comwww.anthropic.comwww.foodnetwork.comwww.googleapis.comwww.minimax.iowww.unicode.orgwww.w3.orgx.aix.comz.ai
repo/src/api/providers/openai-compatible.ts:64 → repo/src/api/providers/openai-compatible.ts:61repo/src/integrations/openai-codex/oauth.ts:236 → repo/src/integrations/openai-codex/oauth.ts:236repo/src/integrations/openai-codex/oauth.ts:287 → repo/src/integrations/openai-codex/oauth.ts:287repo/src/services/code-index/embedders/openai-compatible.ts:67 → repo/src/services/code-index/embedders/openai-compatible.ts:205hub Dependency data flows (162)
pkgs/npm/[email protected]/lib/adapters/http.js:861 → pkgs/npm/[email protected]/lib/adapters/http.js:1062pkgs/npm/[email protected]/auth/workload-identity-auth.js:46 → pkgs/npm/[email protected]/auth/workload-identity-auth.js:53pkgs/npm/[email protected]/auth/workload-identity-auth.mjs:42 → pkgs/npm/[email protected]/auth/workload-identity-auth.mjs:49pkgs/npm/[email protected]/src/auth/workload-identity-auth.ts:60 → pkgs/npm/[email protected]/src/auth/workload-identity-auth.ts:69pkgs/npm/@[email protected]__reposrc/sdk-samples/abort_signal.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/abort_signal.ts:27pkgs/npm/@[email protected]__reposrc/sdk-samples/api_error.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/api_error.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/api_version.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/api_version.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:83pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:103pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:109pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:117pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:124pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:133pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:161pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:17 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_file.ts:163pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:52pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:66pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:76pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:80pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:82pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:14 → pkgs/npm/@[email protected]__reposrc/sdk-samples/batch_embedding_inline.ts:84pkgs/npm/@[email protected]__reposrc/sdk-samples/benchmark_streaming.ts:296 → pkgs/npm/@[email protected]__reposrc/sdk-samples/benchmark_streaming.ts:305pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:15 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:76pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:15 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:84pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:15 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chat_afc_streaming.ts:87pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:25pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:36pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:42pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/chats.ts:46pkgs/npm/@[email protected]__reposrc/sdk-samples/count_tokens.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/count_tokens.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/direct_url.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/direct_url.ts:23pkgs/npm/@[email protected]__reposrc/sdk-samples/embed_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/embed_content.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:25pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:34pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:40pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:47pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:59pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:76pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:96pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:97pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:118pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/file_search_stores.ts:131pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_afc_streaming.ts:16 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_afc_streaming.ts:80pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_streaming.ts:9 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_streaming.ts:31pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_code_execution.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_code_execution.ts:25pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_code_execution.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_code_execution.ts:26pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_file_upload.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_file_upload.ts:32pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_file_upload.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_file_upload.ts:58pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_function_calling.ts:13 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_function_calling.ts:55pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_function_calling_accept_json_schema.ts:10 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_function_calling_accept_json_schema.ts:52pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_latlong.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_latlong.ts:29pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_log_prob.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_log_prob.ts:24pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_model_configuration.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_model_configuration.ts:27pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_response_schema.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_response_schema.ts:38pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_response_schema_accept_json_schema.ts:9 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_response_schema_accept_json_schema.ts:42pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_safety_settings.ts:13 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_safety_settings.ts:36pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_search_grounding.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_search_grounding.ts:23pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_system_instructions.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_system_instructions.ts:20pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_text.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_text.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_text_vertex_apikey.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_text_vertex_apikey.ts:20pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_url_context.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_url_context.ts:24pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_url_context.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_content_with_url_context.ts:26pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_image.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_image.ts:24pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_videos_rai_filtered.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/generate_videos_rai_filtered.ts:36pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_basic.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_basic.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:70pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:92pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_client_state.ts:94pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:56pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:79pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_function_calling_server_state.ts:81pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_get.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_get.ts:19pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_get.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_get.ts:22pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio.ts:38pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio_with_generate_content.ts:42pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_audio_with_generate_content.ts:66pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image.ts:38pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image_with_generate_content.ts:41pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_input_text_and_image_with_generate_content.ts:64pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_audio_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_audio_with_generate_content.ts:55pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_audio_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_audio_with_generate_content.ts:59pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_image_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_image_with_generate_content.ts:52pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_image_with_generate_content.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_multimodal_response_image_with_generate_content.ts:56pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateful.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateful.ts:22pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateful.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateful.ts:31pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateless.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateless.ts:34pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateless.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_stateless.ts:54pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_structured_output_json.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_structured_output_json.ts:22pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_code_execution.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_code_execution.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_computer_use.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_computer_use.ts:22pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_functions.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_functions.ts:52pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_google_search.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_google_search.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_mcp_server.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_mcp_server.ts:29pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_mime_type.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_mime_type.ts:49pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_url_context.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_tool_call_with_url_context.ts:22pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_with_config.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/interactions_with_config.ts:21pkgs/npm/@[email protected]__reposrc/sdk-samples/live_client_content.ts:13 → pkgs/npm/@[email protected]__reposrc/sdk-samples/live_client_content.ts:184pkgs/npm/@[email protected]__reposrc/sdk-samples/live_ephemeral.ts:13 → pkgs/npm/@[email protected]__reposrc/sdk-samples/live_ephemeral.ts:152pkgs/npm/@[email protected]__reposrc/sdk-samples/register_files.ts:9 → pkgs/npm/@[email protected]__reposrc/sdk-samples/register_files.ts:37pkgs/npm/@[email protected]__reposrc/sdk-samples/register_files.ts:9 → pkgs/npm/@[email protected]__reposrc/sdk-samples/register_files.ts:45pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:41pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:44pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:46pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:52pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:61pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:69pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:76pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:80pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:85pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:8 → pkgs/npm/@[email protected]__reposrc/sdk-samples/trigger_generic_operations.ts:89pkgs/npm/@[email protected]/lib/credentials/oidc-federation.js:39 → pkgs/npm/@[email protected]/lib/credentials/oidc-federation.js:42pkgs/npm/@[email protected]/lib/credentials/oidc-federation.mjs:36 → pkgs/npm/@[email protected]/lib/credentials/oidc-federation.mjs:39pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:91 → pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:94pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:55 → pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:58pkgs/npm/@[email protected]/src/lib/credentials/oidc-federation.ts:80 → pkgs/npm/@[email protected]/src/lib/credentials/oidc-federation.ts:83pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:92 → pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:95pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:30pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:42pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:45pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:51pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:53pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:3 → pkgs/npm/@[email protected]/examples/src/async_batch_jobs.ts:59pkgs/npm/@[email protected]/examples/src/async_chat_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_no_streaming.ts:15pkgs/npm/@[email protected]/examples/src/async_chat_prediction.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_prediction.ts:33pkgs/npm/@[email protected]/examples/src/async_chat_with_image_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_chat_with_image_no_streaming.ts:27pkgs/npm/@[email protected]/examples/src/async_embeddings.ts:3 → pkgs/npm/@[email protected]/examples/src/async_embeddings.ts:20pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:24pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:28pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:32pkgs/npm/@[email protected]/examples/src/async_files.ts:6 → pkgs/npm/@[email protected]/examples/src/async_files.ts:36pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:127pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:128pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:4 → pkgs/npm/@[email protected]/examples/src/async_function_calling.ts:147pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:150pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/async_function_calling_streaming.ts:151pkgs/npm/@[email protected]/examples/src/async_json_format.ts:3 → pkgs/npm/@[email protected]/examples/src/async_json_format.ts:16pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:6 → pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_file.ts:33pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_url.ts:3 → pkgs/npm/@[email protected]/examples/src/async_ocr_process_from_url.ts:15pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:4 → pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:52pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:4 → pkgs/npm/@[email protected]/examples/src/async_structured_outputs.ts:70pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:3 → pkgs/npm/@[email protected]/examples/src/azure/async_chat_no_streaming.ts:27pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:23pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/prompt_lifecycle.ts:38pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:107 → pkgs/npm/@[email protected]/examples/src/realtime_microphone.ts:153pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:162 → pkgs/npm/@[email protected]/examples/src/realtime_transcription.ts:213pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:35pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:42pkgs/npm/@[email protected]/examples/src/reasoning.ts:3 → pkgs/npm/@[email protected]/examples/src/reasoning.ts:47pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:14 → pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:61pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:14 → pkgs/npm/@[email protected]/examples/src/reasoning_multi_turn.ts:74pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:7 → pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:30pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:7 → pkgs/npm/@[email protected]/examples/src/reasoning_response_shape.ts:32pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:30pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:47pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:3 → pkgs/npm/@[email protected]/examples/src/skill_lifecycle.ts:50pkgs/npm/@[email protected]/packages/mistralai-azure/examples/chatComplete.example.ts:18 → pkgs/npm/@[email protected]/packages/mistralai-azure/examples/chatComplete.example.ts:35pkgs/npm/@[email protected]__reposrc/src/client/auth.ts:394 → pkgs/npm/@[email protected]__reposrc/src/client/auth.ts:421pkgs/npm/@[email protected]__reposrc/src/client/auth.ts:455 → pkgs/npm/@[email protected]__reposrc/src/client/auth.ts:480pkgs/npm/@[email protected]__reposrc/src/server/auth/providers/proxyProvider.ts:175 → pkgs/npm/@[email protected]__reposrc/src/server/auth/providers/proxyProvider.ts:175pkgs/npm/@[email protected]__reposrc/src/server/auth/providers/proxyProvider.ts:212 → pkgs/npm/@[email protected]__reposrc/src/server/auth/providers/proxyProvider.ts:212</> First-Party Code
first-party (npm): src
npm first-party this.provider = createOpenAICompatible({
name: config.providerName,
baseURL: config.baseURL,
apiKey: config.apiKey,
headers: {
...DEFAULT_HEADERS,
...(config.headers || {}),
},
})
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(OPENAI_CODEX_OAUTH_CONFIG.tokenEndpoint, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: body.toString(),
signal: AbortSignal.timeout(30000),
})
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(OPENAI_CODEX_OAUTH_CONFIG.tokenEndpoint, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: body.toString(),
signal: AbortSignal.timeout(30000),
})
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(url, {
method: "POST",
headers: {
"Content-Type": "application/json",
// Azure OpenAI uses 'api-key' header, while OpenAI uses 'Authorization'
// We'll try 'api-key' first for Azure compatibility
"api-key": this.apiKey,
Authorization: `Bearer ${this.apiKey}`,
},
body: JSON.stringify({
input: batchTexts,
model: model,
encoding_format: "base64",
}),
})
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 436 low-confidence finding(s)
constants: require("fs").constants,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return exists ? JSON.parse(await fs.readFile(filePath, "utf8")) : undefined
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = fsSync.readFileSync(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return exists ? JSON.parse(await fs.readFile(filePath, "utf8")) : undefined
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
axios
.post<OllamaModelInfoResponse>(
`${baseUrl}/api/show`,
{
model: ollamaModel.model,
},
{ headers },
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await axios.get("https://api.getunbound.ai/models", { headers })
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(url, {
method: "POST",
headers,
body: JSON.stringify(requestBody),
signal: this.abortController?.signal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await fetch(url, {
method: "POST",
headers,
body: JSON.stringify(requestBody),
signal: this.abortController.signal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const credsStr = await fs.readFile(keyFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
Accept: "application/json",
},
body: objectToUrlEncoded(bodyData),
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await fs.writeFile(filePath, JSON.stringify(newCredentials, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await this.queueWrite(() => fs.writeFile(filePath, yaml.stringify({ customModes: [] }, { lineWidth: 0 })))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(settingsPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, yaml.stringify(settings, { lineWidth: 0 }), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, yaml.stringify({ customModes: [] }, { lineWidth: 0 }))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const roomodesContent = await fs.readFile(roomodesPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const roomodesContent = await fs.readFile(roomodesPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(targetPath, ruleFile.content, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalNodeEnv = process.env.NODE_ENV
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = "development"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = originalNodeEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawData = JSON.parse(await fs.readFile(filePath, "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return JSON.parse(await fs.readFile(filePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(ignorePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { PathLike } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import type { PathLike } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { Dirent } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(indexPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(data, null, "\t"), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(data, null, "\t"), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tasksDir, "task-1", GlobalFileNames.historyItem), JSON.stringify(item1))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tasksDir, "task-2", GlobalFileNames.historyItem), JSON.stringify(item2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tasksDir, GlobalFileNames.historyIndex), JSON.stringify(index))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(taskDir, GlobalFileNames.historyItem), JSON.stringify(item))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(taskDir, GlobalFileNames.historyItem), JSON.stringify(existingItem))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(path.join(taskDir, GlobalFileNames.historyItem), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(indexPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(indexPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(updated))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, "<<<corrupt data>>>", "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(oldPath, "not json at all {[!", "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify("hello"), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(oldPath, JSON.stringify({ key: "value" }), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, "{not valid json!!!", "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify("hello"), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(oldPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const parsedData = JSON.parse(await fs.readFile(filePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalContent: string = await fs.readFile(absolutePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(absolutePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(moveAbsolutePath, newContent, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
currentContent = await fs.readFile(absolutePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fileContent = await fs.readFile(absolutePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.ROO_CLI_RUNTIME === "1" ? 0 : requestedAgentTimeout
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const imageBuffer = await fs.readFile(inputImageFullPath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(absolutePath, imageBuffer)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await fs.readFile(fullPath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawContent = await fs.readFile(fullPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fileContent = await fs.readFile(absolutePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
task.diffViewProvider.originalContent = await fs.readFile(absolutePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalCliRuntime = process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = originalCliRuntime
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = await fs.readFile(filePath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCliRuntime = process.env.ROO_CLI_RUNTIME === "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
localPort = fs.readFileSync(portFilePath, "utf8").trim()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await axios.post(`${baseUrlDomain}/api/v1/auth/keys`, { code })
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
apiConversationHistory = JSON.parse(await fs.readFile(apiConversationHistoryFilePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalRooCliRuntimeEnv = process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = originalRooCliRuntimeEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(apiHistoryPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempFilePath, fullContent, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(absPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(saveUri.fsPath, result.yaml, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const yamlContent = await fs.readFile(fileUri[0].fsPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, templateContent, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempFilePath, message.text, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(sourceFilePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempFilePath, prettifiedContent, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const socketPath = process.env.ROO_CODE_IPC_SOCKET_PATH
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "development") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isTestEnv = process.env.NODE_ENV === "test"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.originalContent = await fs.readFile(absolutePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(absolutePath, "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(absolutePath, content, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filepath, content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await vscode.workspace.fs.writeFile(saveUri, Buffer.from(markdownContent))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await workbook.xlsx.readFile(filePathOrWorkbook)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dataBuffer = await fs.readFile(filePath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const rawContent = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await vscode.workspace.fs.writeFile(vscode.Uri.file(tempFilePath), imageBuffer)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const imageData = await vscode.workspace.fs.readFile(vscode.Uri.file(tempFilePath))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await vscode.workspace.fs.writeFile(saveUri, imageBuffer)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs, { createReadStream } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await vscode.workspace.fs.writeFile(uriToProcess, Buffer.from(contentToCreate, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = await fs.readFile(imagePath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createReadStream } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(WHAM_USAGE_URL, { method: "GET", headers })
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.ZDOTDIR) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env.ROO_ZDOTDIR = process.env.ZDOTDIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
vscode.workspace.fs.writeFile(vscode.Uri.file(zshrcPath), Buffer.from(zshrcContent)).then(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EXISTING_VAR = "existing"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LANG = "C"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.LC_ALL = "POSIX"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
console.log(`Running CMD tests on Windows ${process.env.OS} ${process.arch}`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.PWSH_AVAILABLE = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
currentTheme = await fs.readFile(themePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
currentTheme = await fs.readFile(
path.join(getExtensionUri().fsPath, "integrations", "theme", "default-themes", filename),
"utf-8",
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const includeThemeString = await fs.readFile(
path.join(getExtensionUri().fsPath, "integrations", "theme", "default-themes", parsed.include),
"utf-8",
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(this.dotGitDir, "info", "exclude"), patterns.join("\n"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: await fs.readFile(absPath, "utf8").catch(() => "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, textFileContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Goodbye, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(newFile, "New file content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(fileToDelete, "New file content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Hola, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Hola, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(unstagedFile, "Initial unstaged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(stagedFile, "Initial staged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(mixedFile, "Initial mixed")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(unstagedFile, "Modified unstaged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(stagedFile, "Modified staged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(mixedFile, "Modified mixed - staged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(mixedFile, "Modified mixed - unstaged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(unstagedFile, "utf-8")).toBe("Modified unstaged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(stagedFile, "utf-8")).toBe("Modified staged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(mixedFile, "utf-8")).toBe("Modified mixed - unstaged")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(untrackedFile, "I am untracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Changed tracked file")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(untrackedFile, "utf-8")).toBe("I am untracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(untrackedFile, "utf-8")).toBe("I am untracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Changed tracked file")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "I am tracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(untrackedFile, "I am untracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile(testFile, "utf-8")).rejects.toThrow()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile(untrackedFile, "utf-8")).rejects.toThrow()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("I am tracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(untrackedFile, "utf-8")).toBe("I am untracked!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile(testFile, "utf-8")).rejects.toThrow()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fs.readFile(untrackedFile, "utf-8")).rejects.toThrow()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(ignoredFile, "Initial ignored content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(ignoredFile, "Modified ignored content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(ignoredFile, "utf-8")).toBe("Modified ignored content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(gitattributesPath, "*.lfs filter=lfs diff=lfs merge=lfs -text")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect((await fs.readFile(excludesPath, "utf-8")).split("\n")).not.toContain("*.lfs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect((await fs.readFile(excludesPath, "utf-8")).split("\n")).toContain("*.lfs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(lfsFile, "Binary file content simulation")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(lfsFile, "Modified binary content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(lfsFile, "utf-8")).toBe("Modified binary content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(newTestFile, "Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(newTestFile, "utf-8")).toBe("Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(newTestFile, "Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(newTestFile, "utf-8")).toBe("Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(newTestFile, "utf-8")).toBe("Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(newTestFile, "utf-8")).toBe("Ahoy, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(nestedFile, "Content in nested repo")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(mainFile, "Content in main repo")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(headFile, "HEAD")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(mainFile, "Content in main repo")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(newTestFile, "Testing events!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Changed content for checkpoint event test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Content for restore test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Changed after checkpoint")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Content for restore test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Content for multiple listeners test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Content for remove listener test - part 1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Content for remove listener test - part 2")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Modified content for allowEmpty test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Another modification for allowEmpty test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Setup content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Regular change")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Another regular change")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Regular change")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Regular change")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Another regular change")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Content before empty")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFile, "Work done in new task")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testFile, "utf-8")).toBe("Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(hooksDir, "pre-commit"), "#!/bin/sh\nexit 1", { mode: 0o755 })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalTemplateDir = process.env.GIT_TEMPLATE_DIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GIT_TEMPLATE_DIR = templateDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GIT_TEMPLATE_DIR = originalTemplateDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GIT_TEMPLATE_DIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(externalFile, "External content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalGitDir = process.env.GIT_DIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GIT_DIR = externalDotGit
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testWorkspaceFile, "Modified with GIT_DIR set")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GIT_DIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GIT_DIR = externalDotGit
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testWorkspaceFile, "Another modification")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(await fs.readFile(testWorkspaceFile, "utf-8")).toBe("Modified with GIT_DIR set")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GIT_DIR = originalGitDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GIT_DIR
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(workspaceDir, "main.txt"), "main content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(workspaceDir, "main.txt"), "main content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.readFile(attributesPath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cacheData = await vscode.workspace.fs.readFile(this.cachePath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(ignorePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await vscode.workspace.fs.readFile(vscode.Uri.file(filePath))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFile } from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { stat } from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await vscode.workspace.fs
.readFile(vscode.Uri.file(filePath))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { Dirent } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.readFile(symlinkedPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(resolvedPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, ".gitignore"), "node_modules/\nbuild/\ndist/\n*.log\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "src", "index.ts"), "console.log('hello')")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "allowed-dir", "file.txt"), "content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, ".gitignore"), "node_modules/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "src", ".gitignore"), "temp/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, ".gitignore"), "node_modules/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, ".gitignore"), "node_modules/\nbuild/\nignored-dir/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "src", "index.ts"), "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "node_modules", "package.json"), "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "build", "output.js"), "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "ignored-dir", "file.txt"), "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, ".gitignore"), "node_modules/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.promises.writeFile(path.join(tempDir, "src", ".gitignore"), "temp/\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.promises.readFile(gitignoreFile, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test" || !vscode.workspace.createFileSystemWatcher) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(projectMcpPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
mcpSettingsFilePath,
`{
"mcpServers": {
}
}`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test" || !vscode.workspace.createFileSystemWatcher) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await connection.client.request({ method: "tools/list" }, ListToolsResultSchema)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await connection.client.request({ method: "resources/list" }, ListResourcesResultSchema)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await connection.client.request(
{ method: "resources/templates/list" },
ListResourceTemplatesResultSchema,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const globalContent = await fs.readFile(globalPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const projectContent = await fs.readFile(projectPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(settingsPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const projectContent = await fs.readFile(projectMcpPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(configPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await connection.client.request(
{
method: "resources/read",
params: {
uri,
},
},
ReadResourceResultSchema,
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await connection.client.request(
{
method: "tools/call",
params: {
name: toolName,
arguments: toolArguments,
},
},
CallToolResultSchema,
{
timeout,
},
)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const content = await fs.readFile(normalizedPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.writeFile(filePath, JSON.stringify(data), "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(skillMdPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(skill.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(skillMdPath, skillContent, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(skill.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(skill.path, newContent, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test" || !vscode.workspace.createFileSystemWatcher) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV === "test" || !vscode.workspace.createFileSystemWatcher) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const DEBUG = process.env.DEBUG ? parseInt(process.env.DEBUG, 10) : 0
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
name: process.env.PKG_NAME || name,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version: process.env.PKG_VERSION || version,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
outputChannel: process.env.PKG_OUTPUT_CHANNEL || "Roo-Code",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sha: process.env.PKG_SHA,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fsPromises from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.TEST_VAR = "testValue"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.API_KEY = "12345"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ENDPOINT = "https://example.com"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EXISTING_VAR = "exists"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.MUTATE_TEST = "mutated"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GLOBAL_AGENT_HTTP_PROXY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GLOBAL_AGENT_HTTPS_PROXY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.GLOBAL_AGENT_NO_PROXY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.GLOBAL_AGENT_HTTP_PROXY).toBeUndefined()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.GLOBAL_AGENT_HTTPS_PROXY).toBeUndefined()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.GLOBAL_AGENT_HTTP_PROXY).toBe("http://localhost:8080")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.GLOBAL_AGENT_HTTPS_PROXY).toBe("http://localhost:8080")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_TLS_REJECT_UNAUTHORIZED).toBeUndefined()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_TLS_REJECT_UNAUTHORIZED).toBe("0")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.NODE_TLS_REJECT_UNAUTHORIZED).toBeUndefined()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as actualFsPromises from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSyncActual from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises" // This will now be the mocked version
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(currentTestFilePath, JSON.stringify({ initial: "content" }))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const readContent = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(lockTestFilePath, JSON.stringify({ initial: "lock test content" }))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.SHELL
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.COMSPEC
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.COMSPEC = "C:\\Windows\\System32\\cmd.exe"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.COMSPEC = "D:\\CustomCmd\\cmd.exe"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SHELL = "/usr/local/bin/zsh"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SHELL = "/usr/bin/fish"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SHELL = "/bin/zsh"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.SHELL
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.COMSPEC = "C:\\Windows\\System32\\cmd.exe"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.SHELL = "/opt/custom/shell"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.SHELL
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { promises as fs } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const configContent = await fs.readFile(configPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const headContent = await fs.readFile(headPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { writeFileSync, mkdirSync } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.filePath, "", { flag: "w" })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.filePath, JSON.stringify(sessionStart) + "\n", { flag: "w" })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.filePath, output, { flag: "a" })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(this.filePath, JSON.stringify(sessionEnd) + "\n", { flag: "a" })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(testLogPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(testLogPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(testLogPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(testLogPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
export const logger = process.env.NODE_ENV === "test" ? new CompactLogger() : noopLogger
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const jsonContent = await fs.readFile(oldJsonPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(newYamlPath, yamlContent, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = originalNodeTlsRejectUnauthorized
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NODE_TLS_REJECT_UNAUTHORIZED
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalNodeTlsRejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0" // lgtm[js/disabling-certificate-validation]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GLOBAL_AGENT_HTTP_PROXY = config.serverUrl
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GLOBAL_AGENT_HTTPS_PROXY = config.serverUrl
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GLOBAL_AGENT_NO_PROXY = "" // Proxy all requests
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fsSync from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { constants as fsConstants } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm)
npm first-partyexpand_more 12 low-confidence finding(s)
import { existsSync, writeFileSync } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.BOOTSTRAP_IN_PROGRESS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.npm_execpath && process.env.npm_execpath.includes("pnpm")) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync("package.json", JSON.stringify({ name: "temp", private: true }, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const json = JSON.parse(fs.readFileSync(filePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const { promises: fs } = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync("./apps/vscode-nightly/package.nightly.json", "utf-8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const srcPackageJson = JSON.parse(fs.readFileSync("./src/package.json", "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync("./src/package.json", "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): apps/cli
npm first-partyexpand_more 92 low-confidence finding(s)
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cliRoot = process.env.ROO_CLI_ROOT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? path.resolve(process.env.ROO_CLI_ROOT)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const cliRoot = process.env.ROO_CLI_ROOT ? path.resolve(process.env.ROO_CLI_ROOT) : defaultCliRoot
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const RUN_INTEGRATION_TESTS = process.env.RUN_CLI_INTEGRATION_TESTS === "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const OPENROUTER_API_KEY = process.env.OPENROUTER_API_KEY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const initialRooCliRuntimeEnv = process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = initialRooCliRuntimeEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = initialRooCliRuntimeEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ROO_CLI_RUNTIME).toBe("1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ROO_CLI_RUNTIME).toBe("1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ROO_CLI_RUNTIME).toBeUndefined()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = "preexisting-value"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ROO_CLI_RUNTIME).toBe("1")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(process.env.ROO_CLI_RUNTIME).toBe("preexisting-value")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const CLI_PACKAGE_ROOT = process.env.ROO_CLI_ROOT || findCliPackageRoot()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.previousCliRuntimeEnv = process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_CLI_RUNTIME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROO_CLI_RUNTIME = this.previousCliRuntimeEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(promptFilePath, promptContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const readContent = fs.readFileSync(promptFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(promptFilePath, multiLinePrompt)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const readContent = fs.readFileSync(promptFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(promptFilePath, longPrompt)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const readContent = fs.readFileSync(promptFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(promptFilePath, shellSensitivePrompt)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const readContent = fs.readFileSync(promptFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
prompt = fs.readFileSync(flagOptions.promptFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(expectedSettingsFile, JSON.stringify(settingsData), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(expectedSettingsFile, JSON.stringify(settingsData), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedData = await fs.readFile(expectedSettingsFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedData = await fs.readFile(expectedSettingsFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const savedData = await fs.readFile(expectedSettingsFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(filePath, JSON.stringify(data, null, "\t"), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.readFile(settingsPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(getSettingsPath(), JSON.stringify(merged, null, 2), {
mode: 0o600,
})
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROO_EXTENSION_PATH
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ANTHROPIC_API_KEY = "test-anthropic-key"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENROUTER_API_KEY = "test-openrouter-key"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.OPENAI_API_KEY = "test-openai-key"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ANTHROPIC_API_KEY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.ROO_EXTENSION_PATH) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envPath = process.env.ROO_EXTENSION_PATH
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env[envVar]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { constants as fsConstants } from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync(candidate, "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homeDir = process.env.HOME || process.env.USERPROFILE || ""
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envOverride = process.env.ROOCODE_NERD_FONT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROOCODE_NERD_FONT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROOCODE_NERD_FONT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROOCODE_NERD_FONT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "false"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "1"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.ROOCODE_NERD_FONT = "0"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.ROOCODE_NERD_FONT
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): apps/docs
npm first-partyexpand_more 3 low-confidence finding(s)
const res = await fetch("https://api.github.com/repos/RooCodeInc/Roo-Code")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch("https://marketplace.visualstudio.com/_apis/public/gallery/extensionquery", {
method: "POST",
headers: {
"Content-Type": "application/json",
Accept: "application/json;api-version=7.1-preview.1",
},
body: JSON.stringify({
filters: [
{
criteria: [
{
filterType: 7,
value: "RooVeterinaryInc.roo-cline",
},
],
},
],
flags: 914,
}),
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
) : process.env.NODE_ENV === "production" ? (
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): apps/vscode-e2e
npm first-partyexpand_more 60 low-confidence finding(s)
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testGrep = process.argv.find((arg, i) => process.argv[i - 1] === "--grep") || process.env.TEST_GREP
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const testFile = process.argv.find((arg, i) => process.argv[i - 1] === "--file") || process.env.TEST_FILE
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version: process.env.VSCODE_VERSION || "1.101.2",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
openRouterApiKey: process.env.OPENROUTER_API_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.TEST_GREP) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mochaOptions.grep = process.env.TEST_GREP
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
console.log(`Running tests matching pattern: ${process.env.TEST_GREP}`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.TEST_FILE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const specificFile = process.env.TEST_FILE.endsWith(".js")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env.TEST_FILE
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: `${process.env.TEST_FILE}.js`
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
throw new Error(`No test files found matching criteria: ${process.env.TEST_FILE || "all tests"}`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file.path, file.content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const actualContent = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const actualContent = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const actualContent = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const actualContent = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const actualContent = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(file.path, file.content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(outputPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(testFile.path, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.rootFile1, "This is root file 1 content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.rootFile2,
`function testFunction() {
console.log("Hello from root file 2");
}`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.nestedFile1,
`# Nested File 1
This is a markdown file in the nested directory.`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.nestedFile2,
`{
"name": "nested-config",
"version": "1.0.0",
"description": "Test configuration file"
}`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.deepNestedFile,
`interface TestInterface {
id: number;
name: string;
}`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.hiddenFile, "Hidden file content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.configFile,
`app:
name: test-app
version: 1.0.0
database:
host: localhost
port: 5432`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.readmeFile,
`# List Files Test Directory
This directory contains various files and subdirectories for testing the list_files tool functionality.
## Structure
- Root files (txt, js)
- Nested directory with files (md, json)
- Deep nested directory with TypeScript file
- Hidden file
- Configuration files (yaml)`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(sourceFile, "Content from symlinked file")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.simple, "Hello, World!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.multiline, "Line 1\nLine 2\nLine 3\nLine 4\nLine 5")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.empty, "")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.large, largeContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.xmlContent,
"<root>\n <child>Test content</child>\n <data>Some data</data>\n</root>",
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.nested, "Content in nested directory")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.jsFile,
`function calculateTotal(items) {
return items.reduce((sum, item) => sum + item.price, 0)
}
function validateUser(user) {
if (!user.email || !user.name) {
throw new Error("Invalid user data")
}
return true
}
// TODO: Add more validation functions
const API_URL = "https://api.example.com"
export { calculateTotal, validateUser }`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.tsFile,
`interface User {
id: number
name: string
email: string
isActive: boolean
}
interface Product {
id: number
title: string
price: number
category: string
}
class UserService {
async getUser(id: number): Promise<User> {
// TODO: Implement user fetching
throw new Error("Not implemented")
}
async updateUser(user: User): Promise<void> {
// Implementation here
}
}
export { User, Product, UserService }`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.jsonFile,
`{
"name": "test-app",
"version": "1.0.0",
"description": "A test application for search functionality",
"main": "index.js",
"scripts": {
"start": "node index.js",
"test": "jest",
"build": "webpack"
},
"dependencies": {
"express": "^4.18.0",
"lodash": "^4.17.21"
},
"devDependencies": {
"jest": "^29.0.0",
"webpack": "^5.0.0"
}
}`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.textFile,
`# Project Documentation
This is a test project for demonstrating search functionality.
## Features
- User management
- Product catalog
- Order processing
- Payment integration
## Installation
1. Clone the repository
2. Run npm install
3. Configure environment variables
4. Start the application
## API Endpoints
- GET /users - List all users
- POST /users - Create new user
- PUT /users/:id - Update user
- DELETE /users/:id - Delete user
## TODO
- Add authentication
- Implement caching
- Add error handling
- Write more tests`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.nestedJsFile,
`// Nested utility functions
function formatCurrency(amount) {
return new Intl.NumberFormat('en-US', {
style: 'currency',
currency: 'USD'
}).format(amount)
}
function debounce(func, wait) {
let timeout
return function executedFunction(...args) {
const later = () => {
clearTimeout(timeout)
func(...args)
}
clearTimeout(timeout)
timeout = setTimeout(later, wait)
}
}
module.exports = { formatCurrency, debounce }`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.configFile,
`# Application Configuration
app:
name: "Test Application"
version: "1.0.0"
port: 3000
database:
host: "localhost"
port: 5432
name: "testdb"
user: "testuser"
redis:
host: "localhost"
port: 6379
logging:
level: "info"
file: "app.log"`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
testFiles.readmeFile,
`# Search Files Test Project
This project contains various file types for testing the search_files functionality.
## File Types Included
- **JavaScript files** (.js) - Contains functions and exports
- **TypeScript files** (.ts) - Contains interfaces and classes
- **JSON files** (.json) - Configuration and package files
- **Text files** (.txt) - Documentation and notes
- **YAML files** (.yaml) - Configuration files
- **Markdown files** (.md) - Documentation
## Search Patterns to Test
1. Function definitions: \`function\\s+\\w+\`
2. TODO comments: \`TODO.*\`
3. Import/export statements: \`(import|export).*\`
4. Interface definitions: \`interface\\s+\\w+\`
5. Configuration keys: \`"\\w+":\\s*\`
## Expected Results
The search should find matches across different file types and provide context for each match.`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.simple, "Initial content for MCP test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.testData, JSON.stringify({ test: "data", value: 42 }, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(testFiles.mcpConfig, JSON.stringify(mcpConfig, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
actualContent = await fs.readFile(wsFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
actualContent = await fs.readFile(location, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
actualContent = await fs.readFile(wsNestedPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
actualContent = await fs.readFile(wsFilePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
actualContent = await fs.readFile(nestedPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): apps/vscode-nightly
npm first-partyexpand_more 7 low-confidence finding(s)
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const overrideJson = JSON.parse(fs.readFileSync(path.join(__dirname, "package.nightly.json"), "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync(path.join(srcDir, "package.json"), "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(buildDir, "package.json"), JSON.stringify(generatedPackageJson, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const nlsPkg = JSON.parse(fs.readFileSync(path.join(srcDir, "package.nls.json"), "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(path.join(__dirname, "package.nls.nightly.json"), "utf8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(buildDir, "package.nls.json"),
JSON.stringify({ ...nlsPkg, ...nlsNightlyPkg }, null, 2),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/core
npm first-partyexpand_more 74 low-confidence finding(s)
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fakeScriptPath, "#!/usr/bin/env node\nconsole.log('fake esbuild')")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
inputFile,
`
export const greeting = "Hello, World!"
export function add(a: number, b: number): number {
return a + b
}
`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(inputFile, `export const value = 42`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(inputFile, `export const value = {{{ invalid syntax`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(libFile, `export const PI = 3.14159`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
mainFile,
`
import { PI } from "./lib.js"
export const circumference = (r: number) => 2 * PI * r
`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(inputFile, `export const value = process.env.NODE_ENV`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
inputFile,
`
import fs from "fs"
export function fileExists(p: string): boolean {
return fs.existsSync(p)
}
`,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(inputFile, `export const greeting = "Hello"`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(inputFile, `export const value = 42`)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const outputContent = fs.readFileSync(outputFile, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "_index.json"),
JSON.stringify({
entries: [
{ id: "a", task: "Task A", ts: 100, status: "completed" },
{ id: "b", task: "Task B", ts: 300, mode: "code" },
{ id: "invalid", ts: 200 },
],
}),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "_index.json"),
JSON.stringify({
entries: [{ id: "a", task: "Task A", ts: 100 }],
}),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "c", "history_item.json"),
JSON.stringify({ id: "c", task: "Task C", ts: 500, workspace: "/tmp/project" }),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "_index.json"),
JSON.stringify({
entries: [
{ id: "stale", task: "Stale Task", ts: 999 },
{ id: "live", task: "Live Task", ts: 100 },
],
}),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tasksDir, "_index.json"), "{not-valid-json")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "good", "history_item.json"),
JSON.stringify({ id: "good", task: "Good Task", ts: 10, status: "active" }),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tasksDir, "bad-json", "history_item.json"), "{oops")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(
path.join(tasksDir, "bad-shape", "history_item.json"),
JSON.stringify({ id: "bad-shape", task: 123, ts: "not-a-number" }),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(repoDir, "README.md"), "test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(repoDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".gitignore"), gitignoreContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".gitignore"), gitignoreContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(path.join(tempDir, ".worktreeinclude"), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(tempDir, ".worktreeinclude"), "old content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await fs.readFile(path.join(tempDir, ".worktreeinclude"), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), ".env")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, "node_modules", "package.json"), '{"name": "test"}')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const copiedContent = await fs.readFile(path.join(targetDir, "node_modules", "package.json"), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules\ndist")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules\n.env")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".env"), "SECRET=123")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, "node_modules", "test.txt"), "test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, "dist", "main.js"), "console.log('dist')")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), ".git")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), ".git")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".git", "config"), "[core]")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), ".env.local")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), ".env.local")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".env.local"), "LOCAL_VAR=value")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const copiedContent = await fs.readFile(path.join(targetDir, ".env.local"), "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "# comment\nnode_modules\n# another comment")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules\n.env.local")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules\n.env.local")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, "node_modules", "test.txt"), "test")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".env.local"), "LOCAL_VAR=value")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".worktreeinclude"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(sourceDir, ".gitignore"), "node_modules")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs/promises"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gitignoreContent = await fs.readFile(gitignorePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(dir, ".worktreeinclude"), content, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fs.readFile(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/types
npm first-partyexpand_more 14 low-confidence finding(s)
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outPath, JSON.stringify(jsonSchema, null, "\t") + "\n", "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageContent = JSON.parse(fs.readFileSync(filePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, JSON.stringify(packageContent, null, 2) + "\n")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const monorepoPackageContent = fs.readFileSync(monorepoPackagePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const npmMetadataContent = fs.readFileSync(npmMetadataPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(npmPackagePath, outputContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const npmPackage = JSON.parse(fs.readFileSync(npmPackagePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const updatedPackage = JSON.parse(fs.readFileSync(npmPackagePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const checkedIn = JSON.parse(fs.readFileSync(schemaPath, "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
schema = JSON.parse(fs.readFileSync(schemaPath, "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): packages/vscode-shim
npm first-partyexpand_more 71 low-confidence finding(s)
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "test content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Hello, world!")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = await fsAPI.readFile(uri)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await expect(fsAPI.readFile(uri)).rejects.toThrow()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsAPI.writeFile(uri, new TextEncoder().encode("Written content"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("Written content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fsAPI.writeFile(uri, new TextEncoder().encode("Nested content"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("Nested content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "delete me")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Line 1\nLine 2\nLine 3")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Line 1\nLine 2\nLine 3")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Hello\nWorld")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Hello World")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("Hi World")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "World")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("Hello World")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Hello World")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("Hello")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expect(fs.readFileSync(filePath, "utf-8")).toBe("New content")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, "Original")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalEnv = process.env.DEBUG
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DEBUG = originalEnv
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DEBUG
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DEBUG = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DEBUG = "true"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalHome = process.env.HOME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = originalHome
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const storedId = fs.readFileSync(idPath, "utf-8").trim()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(idPath, "existing-machine-id-12345")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HOME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.USERPROFILE = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
originalHome = process.env.HOME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = originalHome
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.HOME
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.USERPROFILE = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.HOME = tempDir
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(uri.fsPath)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(uri.fsPath, content)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = fs.readFileSync(uri.fsPath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = fs.readFileSync(filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, newContent, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
shell: process.env.SHELL || "/bin/bash",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
options.storageDir || path.join(process.env.HOME || process.env.USERPROFILE || ".", ".vscode-mock")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJSON = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(this.filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(this.filePath, JSON.stringify(this.data, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(this.filePath, "utf-8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(this.filePath, JSON.stringify(this.secrets, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DEBUG) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homeDir = process.env.HOME || process.env.USERPROFILE || "."
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFileSync(idPath, "utf-8").trim()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(idPath, machineId)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homeDir = process.env.HOME || process.env.USERPROFILE || "."
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (npm): webview-ui
npm first-partyexpand_more 17 low-confidence finding(s)
if (process.env.NODE_ENV === "production") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const version = process.env.PKG_VERSION || "unknown"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== "production") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== "production") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mode = process.env.NODE_ENV
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let jsContent = fs.readFileSync(jsPath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(jsPath, jsContent)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mapContent = JSON.parse(fs.readFileSync(mapPath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(mapContent, null, 2))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
path.join(outDir, "sourcemap-manifest.json"),
JSON.stringify({
enabled: true,
version: process.env.PKG_VERSION || "unknown",
buildTime: new Date().toISOString(),
}),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
version: process.env.PKG_VERSION || "unknown",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(resolve(__dirname, "..", ".vite-port"), port.toString())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "..", "src", "package.json"), "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
"process.env.VSCODE_TEXTMATE_DEBUG": JSON.stringify(process.env.VSCODE_TEXTMATE_DEBUG),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(path.join(__dirname, "..", "apps", "vscode-nightly", "package.nightly.json"), "utf8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
@google/genai
npm dependency console.debug(text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('text response: ', response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('text response: ', response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Uploaded file as: ${uploadedFile.name}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Creating batch embedding job with file: ${inputFile}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Created batch job: ${batchJob.name}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('result: ', result);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Batch job not done yet, current state: ${
result.state
}. Waiting 60 seconds...`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Batch job finished with state: ${result.state}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error('Batch job failed:', result.error);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.warn(`Batch job finished with unexpected state: ${result.state}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Created batch job: ${batchJob.name}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Batch job not done yet, current state: ${
result.state
}. Waiting 10 seconds...`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Batch job finished with state: ${result.state}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.dest?.inlinedEmbedContentResponses);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error('Batch job failed:', result.error);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.warn(`Batch job finished with state: ${result.state}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
const response = await fetch(url, {
method: 'POST',
headers: {
'x-goog-api-key': apiKey,
'content-type': 'application/json',
},
body: JSON.stringify(requestBody),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
console.log(chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('History: ', JSON.stringify(chat.getHistory(), null, 2));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat response 1: ', response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat response 2: ', response2.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat history: ', JSON.stringify(content, null, 2));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat response 1 chunk: ', chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat response 2 chunk: ', chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug('chat history: ', JSON.stringify(content, null, 2));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(JSON.stringify(response));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(JSON.stringify(response));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('list file search store: ', fileSearchStore);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('get file search store: ', fileSearchStore);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('create file search store: ', fileSearchStore);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('uploaded file: ', file.name);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('operation: ', op);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('operation: ', op);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('text response: ', response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
'grounding metadata: ',
JSON.stringify(response.candidates?.[0]?.groundingMetadata, null, 2),
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('list documents: ', document);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('get document: ', document);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.executableCode);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.codeExecutionResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`current file status: ${getFile.state}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.functionCalls);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.functionCalls);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response!.candidates![0]!.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(JSON.stringify(response));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(JSON.stringify(response?.candidates?.[0]?.safetyRatings));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(JSON.stringify(response?.candidates?.[0]?.groundingMetadata));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response.candidates[0].urlContextMetadata);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response?.generatedImages?.[0]?.image?.imageBytes);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`No videos generated due to: ${JSON.stringify(
operation.response?.raiMediaFilteredReasons,
null,
2,
)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Function call: ${step.name} with arguments ${JSON.stringify(
step.arguments,
)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Final response: ${response2}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Output: ${step}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`Function call: ${step.name} with arguments ${JSON.stringify(
step.arguments,
)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Final response: ${response2}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Output: ${step}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(getResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(generateContentResponse.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(generateContentResponse.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(
'Generate Content response text: ',
generateContentResponse.text,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(
'Generate Content response data: ',
generateContentResponse.data,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(
'Generate Content response text: ',
generateContentResponse.text,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(
'Generate Content response data: ',
generateContentResponse.data,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Model: ', response1);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Model: ', response2);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Model: ', response1);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Model: ', response2);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.debug(response);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Token:', JSON.stringify(token));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Token:', JSON.stringify(token));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Registered file: ', file);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Trigger created successfully! ID: ${triggerId}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Getting trigger by ID:', triggerId);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Got trigger:', fetchedTrigger);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Trigger:', trigger);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Paused trigger status:', pausedTrigger.status);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Resumed trigger status:', resumedTrigger.status);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Trigger execution details:', executionResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Listing executions for trigger:', triggerId);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Trigger executions:', executions);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log('Deleting trigger:', triggerId);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
expand_more 362 low-confidence finding(s)
import {readFileSync} from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(new URL('./package.json', import.meta.url), 'utf8'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, header + content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(filePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filePath, HEADER + content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const manifestContent = fs.readFileSync(manifestPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs.readFileSync(absolutePath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(absolutePath, newContent, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isCI = process.env.CI === 'true' || process.env.KOKORO_JOB_TYPE !== undefined;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: process.env.GEMINI_API_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GOOGLE_GENAI_USE_VERTEXAI) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tempFilePath, jsonlContent);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const contentString = await fs.readFile(tempFilePath, {encoding: 'utf8'});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: process.env.GEMINI_API_KEY!,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.GOOGLE_GENAI_USE_VERTEXAI) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const SKIP_HTTP = process.env.SKIP_HTTP === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const MODE = (process.env.MODE || 'live') as 'live' | 'record' | 'mock';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mockedData = fs.readFileSync(MOCK_FILE);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(MOCK_FILE, Buffer.concat(buffers));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GCLOUD_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GOOGLE_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const url = new URL(
'https://generativelanguage.googleapis.com/v1beta/interactions',
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
delete process.env.GOOGLE_GEMINI_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GCLOUD_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GOOGLE_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GEMINI_API_KEY ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const client = new GoogleGenAI({apiKey: process.env.GEMINI_API_KEY});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fileName, data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(fileName, data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const audioResponse = await fetch(audioUrl);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const audioResponse = await fetch(audioUrl);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const imageResponse = await fetch(imageUrl);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const imageResponse = await fetch(imageUrl);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GOOGLE_GENAI_MLDEV_USE_EPHEMERAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const voiceSampleAudio = fs.readFileSync(voiceSamplePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
consentAudio = fs.readFileSync(voiceConsentPath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(filename, fileBuffer);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_API_KEY = process.env.GOOGLE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GEMINI_API_KEY = process.env.GEMINI_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_PROJECT = process.env.GOOGLE_CLOUD_PROJECT;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_CLOUD_LOCATION = process.env.GOOGLE_CLOUD_LOCATION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const GOOGLE_GENAI_USE_VERTEXAI = process.env.GOOGLE_GENAI_USE_VERTEXAI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await this.apiClient.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await this.apiClient.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'PATCH',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'PATCH',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = await apiClient.request({
path: '',
body: chunk,
httpMethod: 'POST',
httpOptions: {
...httpOptions,
apiVersion: '',
baseUrl: finalUrl,
headers: mergedHeaders,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await this.apiClient.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await this.apiClient.request({
path: pathname,
httpMethod: 'GET',
queryParams: queryParams,
httpOptions: httpOptions,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await this.apiClient.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this._httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'PATCH',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'PATCH',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'DELETE',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import {createWriteStream} from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import {writeFile} from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(params.downloadPath, response as string, {
encoding: 'base64',
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await apiClient.request({
path: `files/${name}:download`,
httpMethod: 'GET',
queryParams: {
'alt': 'media',
},
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(tmpPath, data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
response = await apiClient.request({
path: '',
body: chunk,
httpMethod: 'POST',
httpOptions: {
...httpOptions,
apiVersion: '',
baseUrl: finalUrl,
headers: mergedHeaders,
},
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(transformedBody),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'GET',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
response = this.apiClient
.request({
path: path,
queryParams: queryParams,
body: JSON.stringify(body),
httpMethod: 'POST',
httpOptions: params.config?.httpOptions,
abortSignal: params.config?.abortSignal,
})
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@mistralai/mistralai
npm dependencyconsole.log(`Created job with ID: ${job.id}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Job status: ${job.status}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Job is done, status ${job.status}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(response.body);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(output);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`Error file ID: ${job.errorFile}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Chat:", chatResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chatResponse.choices[0]?.message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("JSON:", chatResponse.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Embeddings Batch:", embeddingsBatchResponse.data);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(createdFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(files);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(retrievedFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(deletedFile);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`calling functionName: ${functionName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`functionParams: ${toolCall.function.arguments}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(response.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`calling functionName: ${functionName}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`functionParams: ${toolCall.function.arguments}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Chat:", chatResponse.choices[0].message.content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("OCR ", ocrResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("OCR:", ocrResponse);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("\n", parsedAccumulatedStream);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("\n", chatResponse.choices[0].message.parsed);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log("Success", chatResult);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`created prompt ${promptId} (v${prompt.version})`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`production -> v${live.version}: ${live.definition?.content}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error(`\nTranscription error: ${errorMessage}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.error(`Transcription error: ${errorMessage}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(content);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(inner.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(chunk.text);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`turn ${i + 1}: prompt=${String(promptTokens).padStart(4)} ` +
`completion=${String(completionTokens).padStart(4)} -> ${finalText(message.content)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`TOTAL: prompt=${totalPrompt} completion=${totalCompletion} ` +
`(sum ${totalPrompt + totalCompletion})`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`typeof content = ${Array.isArray(content) ? "Array" : typeof content}`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(JSON.stringify(content, null, 2));
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`created skill ${skillId} (v${skill.version}), assets: ${Object.keys(
skill.definition?.assets ?? {},
)}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(`published v${version.version}, moved 'main' to it`);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(
`main -> v${runnable.version}: ${runnable.definition?.description}`,
);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
console.log(result);
PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.
Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.
expand_more 51 low-confidence finding(s)
return this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await observability.runWithContext(activeContext, () => this.wrappedClient.request(request));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blob = new Blob([fs.readFileSync(filePath)], {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const blob = new Blob([fs.readFileSync(filePath)], {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.MISTRAL_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const uploaded_file = fs.readFileSync(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.MISTRAL_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const azureAPIKey = process.env["AZURE_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const azureEndpoint = process.env["AZURE_ENDPOINT"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const projectId = process.env["GOOGLE_PROJECT_ID"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_API_KEY"],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_BASE_URL"] ?? "wss://api.mistral.ai",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_API_KEY"],
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
default: process.env["MISTRAL_BASE_URL"] ?? "https://api.mistral.ai",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = args.apiKey ?? process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env["MISTRAL_API_KEY"];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
apiKey: process.env["MISTRAL_API_KEY"] ?? "",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return await this.wrappedClient.request(request);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
() => this.wrappedClient.request(request)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let response = await this.#httpClient.request(req);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@anthropic-ai/sdk
npm dependency resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${types_1.OAUTH_API_BETA_HEADER},${types_1.FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${version_1.VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${OAUTH_API_BETA_HEADER},${FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': types_1.OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${version_1.VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': `${OAUTH_API_BETA_HEADER},${FEDERATION_BETA_HEADER}`,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} oidcFederationProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
resp = await config.fetch(url, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'anthropic-beta': OAUTH_API_BETA_HEADER,
'User-Agent': config.userAgent || `anthropic-sdk-typescript/${VERSION} userOAuthProvider`,
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 224 low-confidence finding(s)
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.post('/v1/agents?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/agents?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/deployments?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/deployments?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/dreams?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/dreams?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/environments?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/environments?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/files?beta=true', (0, uploads_1.multipartFormRequestOptions)({
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
(0, stainless_helper_header_1.stainlessHelperHeaderFromFile)(body.file),
options?.headers,
]),
}, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/files?beta=true', multipartFormRequestOptions({
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
stainlessHelperHeaderFromFile(body.file),
options?.headers,
]),
}, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/memory_stores?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/memory_stores?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches?beta=true', {
body,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages?beta=true', {
body,
timeout: timeout ?? 600000,
...options,
headers: (0, headers_1.buildHeaders)([
{
...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
helperHeader,
options?.headers,
]),
stream: modifiedParams.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{
'anthropic-beta': [...(betas ?? []), 'token-counting-2024-11-01'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages?beta=true', {
body,
timeout: timeout ?? 600000,
...options,
headers: buildHeaders([
{
...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
helperHeader,
options?.headers,
]),
stream: modifiedParams.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens?beta=true', {
body,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'token-counting-2024-11-01'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/sessions?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/sessions?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/skills?beta=true', (0, uploads_1.multipartFormRequestOptions)({
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/skills?beta=true', multipartFormRequestOptions({
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/skills/${skillID}/versions?beta=true`, (0, uploads_1.multipartFormRequestOptions)({
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/skills/${skillID}/versions?beta=true`, multipartFormRequestOptions({
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
}, this._client, false));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/tunnels?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/tunnels?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/user_profiles?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/user_profiles?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/vaults?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/vaults?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/complete', {
body,
timeout: this._client._options.timeout ?? 600000,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/complete', {
body,
timeout: this._client._options.timeout ?? 600000,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches', {
body,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages', {
body,
timeout: timeout ?? 600000,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
helperHeader,
options?.headers,
]),
stream: params.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages', {
body,
timeout: timeout ?? 600000,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
helperHeader,
options?.headers,
]),
stream: params.stream ?? false,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens', {
body,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
configRaw = await fs.promises.readFile(configPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.promises.readFile(credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await fs.promises.readFile(path, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fh.writeFile(JSON.stringify(data, null, 2));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.post('/v1/agents?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/agents/${agentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/agents/${agentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/deployments?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/pause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/run?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/deployments/${deploymentID}/unpause?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/dreams?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/dreams/${dreamID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/dreams/${dreamID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'dreaming-2026-04-21'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/environments?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environmentID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environmentID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/ack?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/heartbeat?beta=true`, {
query: { desired_ttl_seconds, expected_last_heartbeat },
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/environments/${environment_id}/work/${workID}/stop?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/v1/files?beta=true',
multipartFormRequestOptions(
{
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'files-api-2025-04-14'].toString() },
stainlessHelperHeaderFromFile(body.file),
options?.headers,
]),
},
this._client,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}/memories?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memory_store_id}/memories/${memoryID}?beta=true`, {
query: { view },
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/memory_stores?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/memory_stores/${memoryStoreID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/memory_stores/${memory_store_id}/memory_versions/${memoryVersionID}/redact?beta=true`,
{
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'agent-memory-2026-07-22'].toString() },
options?.headers,
]),
},
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches?beta=true', {
body,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'message-batches-2024-09-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages?beta=true', {
body,
timeout: timeout ?? 600000,
...options,
headers: buildHeaders([
{
...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
helperHeader,
options?.headers,
]),
stream: modifiedParams.stream ?? false,
}) as APIPromise<BetaMessage> | APIPromise<Stream<BetaRawMessageStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens?beta=true', {
body,
...options,
headers: buildHeaders([
{
'anthropic-beta': [...(betas ?? []), 'token-counting-2024-11-01'].toString(),
...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined),
},
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/events?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${session_id}/resources/${resourceID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/resources?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/sessions?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${sessionID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/sessions/${session_id}/threads/${threadID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/v1/skills?beta=true',
multipartFormRequestOptions(
{
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
},
this._client,
false,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/skills/${skillID}/versions?beta=true`,
multipartFormRequestOptions(
{
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'skills-2025-10-02'].toString() },
options?.headers,
]),
},
this._client,
false,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/certificates?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnel_id}/certificates/${certificateID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/tunnels?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/reveal_token?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/tunnels/${tunnelID}/rotate_token?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'mcp-tunnels-2026-06-22'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/user_profiles?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/user_profiles/${userProfileID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/user_profiles/${userProfileID}/enrollment_url?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'user-profiles-2026-03-24'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}/credentials?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vault_id}/credentials/${credentialID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vault_id}/credentials/${credentialID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/v1/vaults/${vault_id}/credentials/${credentialID}/mcp_oauth_validate?beta=true`,
{
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
},
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/vaults?beta=true', {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}?beta=true`, {
body,
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/vaults/${vaultID}/archive?beta=true`, {
...options,
headers: buildHeaders([
{ 'anthropic-beta': [...(betas ?? []), 'managed-agents-2026-04-01'].toString() },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/complete', {
body,
timeout: (this._client as any)._options.timeout ?? 600000,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'anthropic-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
}) as APIPromise<Completion> | APIPromise<Stream<Completion>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/batches', {
body,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/v1/messages/batches/${messageBatchID}/cancel`, options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages', {
body,
timeout: timeout ?? 600000,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
helperHeader,
options?.headers,
]),
stream: params.stream ?? false,
}) as APIPromise<Message> | APIPromise<Stream<RawMessageStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/v1/messages/count_tokens', {
body,
...options,
headers: buildHeaders([
{ ...(user_profile_id != null ? { 'anthropic-user-profile-id': user_profile_id } : undefined) },
options?.headers,
]),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
data = await fs.readFile(abs, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const dirs = (process.env['PATH'] ?? '').split(path.delimiter);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(content, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return await fs.readFile(fullPath, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await handle.writeFile(command.file_text, 'utf-8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@modelcontextprotocol/sdk
npm dependency const response = await fetch(tokenUrl, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: params,
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(tokenUrl, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: params,
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(this._endpoints.tokenUrl, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: params.toString(),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await fetch(this._endpoints.tokenUrl, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: params.toString(),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 99 low-confidence finding(s)
await client.request({ method: "resources/list" }, ListResourcesResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
expect(extractResourceMetadataUrl(mockResponse)).toEqual(new URL(resourceUrl));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
weatherClient.request(
{
method: "weather/get",
params: {
city: "Seattle",
},
},
WeatherResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const value = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const result = await client.request(toolRequest, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolsResult = await client.request(toolsRequest, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return client.request(request, CallToolResultSchema)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await this.client.request(request, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await this.client.request(request, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const serverUrl = process.env.MCP_SERVER_URL || DEFAULT_SERVER_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const resourcesResult = await client.request({
method: 'resources/list',
params: {}
}, ListResourcesResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolsResult = await client.request(toolsRequest, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(request, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(request, CallToolResultSchema, {
resumptionToken: notificationsToolLastEventId,
onresumptiontoken: onLastEventIdUpdate
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const promptsResult = await client.request(promptsRequest, ListPromptsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const promptResult = await client.request(promptRequest, GetPromptResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const resourcesResult = await client.request(resourcesRequest, ListResourcesResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolsResult = await client.request(toolsRequest, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(request, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client1.request({
method: 'tools/list',
params: {}
}, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client2.request({
method: 'tools/list',
params: {}
}, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolsResult = await client.request({
method: 'tools/list',
params: {}
}, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const resourcesResult = await client.request({
method: 'resources/list',
params: {}
}, ListResourcesResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const promptsResult = await client.request({
method: 'prompts/list',
params: {}
}, ListPromptsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const greetingResult = await client.request({
method: 'tools/call',
params: {
name: 'greet',
arguments: {
name: 'Stateless Transport'
}
}
}, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolsResult = await client.request({
method: 'tools/list',
params: {}
}, ListToolsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const resourcesResult = await client.request({
method: 'resources/list',
params: {}
}, ListResourcesResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const promptsResult = await client.request({
method: 'prompts/list',
params: {}
}, ListPromptsResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const greetingResult = await client.request({
method: 'tools/call',
params: {
name: 'greet',
arguments: {
name: 'Stateful Transport'
}
}
}, CallToolResultSchema);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const toolPromise = client1.request({
method: 'tools/call',
params: {
name: 'run-notifications',
arguments: {
count: 3,
interval: 10
}
}
}, CallToolResultSchema, {
resumptionToken: lastEventId,
onresumptiontoken: onLastEventIdUpdate
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client2.request({
method: 'tools/call',
params: {
name: 'run-notifications',
arguments: {
count: 1,
interval: 5
}
}
}, CallToolResultSchema, {
resumptionToken: lastEventId, // Pass the lastEventId from the previous session
onresumptiontoken: onLastEventIdUpdate
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = await request(app).post("/test");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const postResponse = await request(multiMethodApp).post("/multi");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const putResponse = await request(multiMethodApp).put("/multi");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const expectedUrl = new URL("https://auth.example.com/authorize");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('http://auth.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com#fragment')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com?param=value')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
serviceDocumentationUrl: new URL('https://docs.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://mcp.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
issuerUrl: new URL('https://auth.example.com')
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resourceServerUrl: new URL('https://api.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resourceServerUrl: new URL('https://api.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
serviceDocumentationUrl: new URL('https://docs.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
resourceServerUrl: new URL('https://api.example.com'),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client.request(
{
method: "tools/call",
params: {
name: "long-operation",
arguments: { steps: 3 },
_meta: {
progressToken: "progress-test-1"
}
}
},
CallToolResultSchema,
{
onprogress: (progress) => {
progressUpdates.push(progress);
}
}
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/call",
params: {
name: "test",
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const listResult = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const callResult = await client.request(
{
method: "tools/call",
params: {
name: "test",
arguments: {
name: "test",
value: 42,
},
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{ method: "tools/list" },
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{ method: "tools/list" },
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{ method: "tools/list" },
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "tools/call",
params: {
name: "test",
arguments: {
name: "test",
value: "not a number",
},
},
},
CallToolResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "tools/call",
params: {
name: "test (new api)",
arguments: {
name: "test",
value: "not a number",
},
},
},
CallToolResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const listResult = await client.request(
{
method: "tools/list",
},
ListToolsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/call",
params: {
name: "test",
arguments: {
input: "hello",
},
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client.request(
{
method: "tools/call",
params: {
name: "test-tool",
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/call",
params: {
name: "request-id-test",
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
await client.request(
{
method: "tools/call",
params: {
name: "test-tool",
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/call",
params: {
name: "test",
arguments: {
input: "hello",
},
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "tools/call",
params: {
name: "error-test",
},
},
CallToolResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "tools/call",
params: {
name: "nonexistent-tool",
},
},
CallToolResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/list",
},
ListResourcesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/read",
params: {
uri: "test://resource",
},
},
ReadResourceResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/read",
params: {
uri: "test://resource/123",
},
},
ReadResourceResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let result = await client.request(
{ method: "resources/list" },
ListResourcesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
result = await client.request(
{ method: "resources/list" },
ListResourcesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{ method: "resources/templates/list" },
ListResourceTemplatesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result2 = await client.request(
{ method: "resources/templates/list" },
ListResourceTemplatesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/list",
},
ListResourcesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/templates/list",
},
ListResourceTemplatesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/list",
},
ListResourcesResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/read",
params: {
uri: "test://resource/books/123",
},
},
ReadResourceResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "resources/read",
params: {
uri: "test://error",
},
},
ReadResourceResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "resources/read",
params: {
uri: "test://nonexistent",
},
},
ReadResourceResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "completion/complete",
params: {
ref: {
type: "ref/resource",
uri: "test://resource/{category}",
},
argument: {
name: "category",
value: "",
},
},
},
CompleteResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "completion/complete",
params: {
ref: {
type: "ref/resource",
uri: "test://resource/{category}",
},
argument: {
name: "category",
value: "m",
},
},
},
CompleteResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "resources/read",
params: {
uri: "test://resource",
},
},
ReadResourceResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "prompts/list",
},
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "prompts/get",
params: {
name: "test",
},
},
GetPromptResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const listResult = await client.request(
{
method: "prompts/list",
},
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const getResult = await client.request(
{
method: "prompts/get",
params: {
name: "test",
arguments: {
name: "test",
value: "value",
},
},
},
GetPromptResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let result = await client.request(
{ method: "prompts/list" },
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
result = await client.request(
{ method: "prompts/list" },
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "prompts/list",
},
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "prompts/list",
},
ListPromptsResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "prompts/get",
params: {
name: "test",
arguments: {
name: "test",
value: "ab", // Too short
},
},
},
GetPromptResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.request(
{
method: "prompts/get",
params: {
name: "nonexistent-prompt",
},
},
GetPromptResultSchema,
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "completion/complete",
params: {
ref: {
type: "ref/prompt",
name: "test-prompt",
},
argument: {
name: "name",
value: "",
},
},
},
CompleteResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "completion/complete",
params: {
ref: {
type: "ref/prompt",
name: "test-prompt",
},
argument: {
name: "name",
value: "A",
},
},
},
CompleteResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const result = await client.request(
{
method: "prompts/get",
params: {
name: "request-id-test",
},
},
GetPromptResultSchema,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
openai
npm dependency const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
const response = await this.fetch(this.tokenExchangeUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
});
A credential read from the environment/filesystem is applied as authorization on the same outbound request (an auth header). This is intentional authentication to the service the credential belongs to, not unexpected data exfiltration.
Fix: Confirm the destination is the credential's own service; scope the credential and avoid logging it. No action if this is the intended authenticated API call.
expand_more 336 low-confidence finding(s)
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.post('/organization/admin_api_keys', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/admin_api_keys', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/certificates', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/certificates', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/data_retention', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/data_retention', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/groups', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/groups', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/invites', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/invites', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/projects', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/projects', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/service_accounts/${serviceAccountID}`, { body, ...options, __security: { adminAPIKeyAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/roles', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/roles', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/spend_alerts', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/spend_alerts', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/speech', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: 'application/octet-stream' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/speech', {
body,
...options,
headers: buildHeaders([{ Accept: 'application/octet-stream' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/transcriptions', (0, uploads_1.multipartFormRequestOptions)({
body,
...options,
stream: body.stream ?? false,
__metadata: { model: body.model },
__security: { bearerAuth: true },
}, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/transcriptions', multipartFormRequestOptions({
body,
...options,
stream: body.stream ?? false,
__metadata: { model: body.model },
__security: { bearerAuth: true },
}, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/translations', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __metadata: { model: body.model }, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/translations', multipartFormRequestOptions({ body, ...options, __metadata: { model: body.model }, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/batches', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/batches', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/assistants', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/assistants/${assistantID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/assistants', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/assistants/${assistantID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chatkit/sessions', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chatkit/sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/sessions', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/transcription_sessions', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/transcription_sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/responses/${responseID}/cancel?beta=true`, {
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact?beta=true', {
body,
...options,
headers: (0, headers_1.buildHeaders)([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/responses/${responseID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}/messages`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}/messages`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/threads/${threadID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads/runs', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: body.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/threads/${threadID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads/runs', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: body.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chat/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chat/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/containers', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/containers', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/containers/${containerID}/files`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/containers/${containerID}/files`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/conversations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/conversations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = this._client.post('/embeddings', {
body: {
...body,
encoding_format: encoding_format,
},
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response = this._client.post('/embeddings', {
body: {
...body,
encoding_format: encoding_format,
},
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/evals', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/evals', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/files', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/files', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/run', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/validate', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/run', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/validate', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/jobs', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/jobs', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/variations', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/edits', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, stream: body.stream ?? false, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/generations', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/variations', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/edits', multipartFormRequestOptions({ body, ...options, stream: body.stream ?? false, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/generations', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/moderations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/moderations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/accept`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/hangup`, {
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/refer`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/realtime/calls/${callID}/reject`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/accept`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/hangup`, {
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/refer`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/realtime/calls/${callID}/reject`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/client_secrets', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/client_secrets', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
})._thenUnwrap((rsp) => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
})._thenUnwrap((rsp) => {
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/skills', (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/skills', maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/skills/${skillID}/versions`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/skills/${skillID}/versions`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/parts`, (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/parts`, multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/uploads', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/uploads', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/vector_stores', {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: (0, headers_1.buildHeaders)([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/vector_stores', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/characters', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/edits', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/extensions', (0, uploads_1.multipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post((0, path_1.path) `/videos/${videoID}/remix`, (0, uploads_1.maybeMultipartFormRequestOptions)({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/characters', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/edits', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/videos/extensions', multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path `/videos/${videoID}/remix`, maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client));
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(AZURE_IMDS_BASE_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const url = new URL(
`http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity`,
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
endpoint = process.env['AZURE_OPENAI_ENDPOINT'];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return this._client.post('/organization/admin_api_keys', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/certificates', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/certificates/${certificateID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/data_retention', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/groups', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/groups/${groupID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/invites', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/data_retention`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/groups`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/groups/${groupID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/hosted_tool_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/model_permissions`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/projects', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/archive`, {
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/rate_limits/${rateLimitID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${projectID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/organization/projects/${project_id}/service_accounts/${serviceAccountID}/api_keys`,
{ body, ...options, __security: { adminAPIKeyAuth: true } },
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/service_accounts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/organization/projects/${project_id}/service_accounts/${serviceAccountID}`,
{ body, ...options, __security: { adminAPIKeyAuth: true } },
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/spend_alerts`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/projects/${project_id}/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${projectID}/users`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/projects/${project_id}/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/roles', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/roles/${roleID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/organization/spend_alerts', {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/spend_alerts/${alertID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/users/${userID}/roles`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/organization/users/${userID}`, {
body,
...options,
__security: { adminAPIKeyAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/audio/speech', {
body,
...options,
headers: buildHeaders([{ Accept: 'application/octet-stream' }, options?.headers]),
__security: { bearerAuth: true },
__binaryResponse: true,
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/audio/transcriptions',
multipartFormRequestOptions(
{
body,
...options,
stream: body.stream ?? false,
__metadata: { model: body.model },
__security: { bearerAuth: true },
},
this._client,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/audio/translations',
multipartFormRequestOptions(
{ body, ...options, __metadata: { model: body.model }, __security: { bearerAuth: true } },
this._client,
),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/batches', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/batches/${batchID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/assistants', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/assistants/${assistantID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chatkit/sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/chatkit/sessions/${sessionID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'chatkit_beta=v1' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/transcription_sessions', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
stream: params.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<BetaResponse> | APIPromise<Stream<BetaResponseStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/responses/${responseID}/cancel?beta=true`, {
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact?beta=true', {
body,
...options,
headers: buildHeaders([
{ ...(betas?.toString() != null ? { 'openai-beta': betas?.toString() } : undefined) },
options?.headers,
]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}/messages`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/messages/${messageID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}/runs`, {
query: { include },
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
}) as APIPromise<Run> | APIPromise<Stream<AssistantsAPI.AssistantStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${thread_id}/runs/${runID}/submit_tool_outputs`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: params.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
}) as APIPromise<Run> | APIPromise<Stream<AssistantsAPI.AssistantStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/threads/${threadID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/threads/runs', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
stream: body.stream ?? false,
__synthesizeEventData: true,
__security: { bearerAuth: true },
}) as APIPromise<RunsAPI.Run> | APIPromise<Stream<AssistantsAPI.AssistantStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/chat/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<ChatCompletion> | APIPromise<Stream<ChatCompletionChunk>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/chat/completions/${completionID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/completions', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<Completion> | APIPromise<Stream<Completion>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/containers', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/containers/${containerID}/files`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/conversations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/conversations/${conversationID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/conversations/${conversationID}/items`, {
query: { include },
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const response: APIPromise<CreateEmbeddingResponse> = this._client.post('/embeddings', {
body: {
...body,
encoding_format: encoding_format as EmbeddingCreateParams['encoding_format'],
},
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/evals', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${evalID}`, { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${evalID}/runs`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/evals/${eval_id}/runs/${runID}`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/files',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/run', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/alpha/graders/validate', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/fine_tuning/jobs', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/pause`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/fine_tuning/jobs/${fineTuningJobID}/resume`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/images/variations',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/images/edits',
multipartFormRequestOptions(
{ body, ...options, stream: body.stream ?? false, __security: { bearerAuth: true } },
this._client,
),
) as APIPromise<ImagesResponse> | APIPromise<Stream<ImageEditStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/images/generations', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<ImagesResponse> | APIPromise<Stream<ImageGenStreamEvent>>;
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/moderations', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/accept`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/hangup`, {
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/refer`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/realtime/calls/${callID}/reject`, {
body,
...options,
headers: buildHeaders([{ Accept: '*/*' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/realtime/client_secrets', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/input_tokens', {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
this._client.post('/responses', {
body,
...options,
stream: body.stream ?? false,
__security: { bearerAuth: true },
}) as APIPromise<Response> | APIPromise<Stream<ResponseStreamEvent>>
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/responses/${responseID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/responses/compact', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/skills',
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/skills/${skillID}`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/skills/${skillID}/versions`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/uploads/${uploadID}/parts`,
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/uploads', { body, ...options, __security: { bearerAuth: true } });
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/uploads/${uploadID}/cancel`, {
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/uploads/${uploadID}/complete`, {
body,
...options,
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}/file_batches`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vector_store_id}/file_batches/${batchID}/cancel`, {
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}/files`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vector_store_id}/files/${fileID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post('/vector_stores', {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(path`/vector_stores/${vectorStoreID}`, {
body,
...options,
headers: buildHeaders([{ 'OpenAI-Beta': 'assistants=v2' }, options?.headers]),
__security: { bearerAuth: true },
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/videos',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/videos/characters',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/videos/edits',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
'/videos/extensions',
multipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
return this._client.post(
path`/videos/${videoID}/remix`,
maybeMultipartFormRequestOptions({ body, ...options, __security: { bearerAuth: true } }, this._client),
);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
axios
npm dependency req = transport.request(options, function handleResponse(res) {
clearConnectPhaseTimer();
if (req.destroyed) return;
const streams = [res];
const responseLength = utils.toFiniteNumber(res.headers['content-length']);
if (onDownloadProgress || maxDownloadRate) {
const transformStream = new AxiosTransformStream({
maxRate: utils.toFiniteNumber(maxDownloadRate),
});
onDownloadProgress &&
transformStream.on(
'progress',
flushOnFinish(
transformStream,
progressEventDecorator(
responseLength,
progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
)
)
);
streams.push(transformStream);
}
// decompress the response body transparently if required
let responseStream = res;
// return the last request in case of redirects
const lastRequest = res.req || req;
// if decompress disabled we should not decompress
if (decompress !== false && res.headers['content-encoding']) {
// if no content, but headers still say that it is encoded,
// remove the header not confuse downstream operations
if (method === 'HEAD' || res.statusCode === 204) {
delete res.headers['content-encoding'];
}
switch ((res.headers['content-encoding'] || '').toLowerCase()) {
/*eslint default-case:0*/
case 'gzip':
case 'x-gzip':
case 'compress':
case 'x-compress':
// add the unzipper to the body stream processing pipeline
streams.push(zlib.createUnzip(zlibOptions));
// remove the content-encoding in order to not confuse downstream operations
delete res.headers['content-encoding'];
break;
case 'deflate':
streams.push(new ZlibHeaderTransformStream());
// add the unzipper to the body stream processing pipeline
streams.push(zlib.createUnzip(zlibOptions));
// remove the content-encoding in order to not confuse downstream operations
delete res.headers['content-encoding'];
break;
case 'br':
if (isBrotliSupported) {
streams.push(zlib.createBrotliDecompress(brotliOptions));
delete res.headers['content-encoding'];
}
break;
case 'zstd':
if (isZstdSupported) {
streams.push(zlib.createZstdDecompress(zstdOptions));
delete res.headers['content-encoding'];
}
break;
}
}
responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];
const response = {
status: res.statusCode,
statusText: res.statusMessage,
headers: new AxiosHeaders(res.headers),
config,
request: lastRequest,
};
if (responseType === 'stream') {
// Enforce maxContentLength on streamed responses; previously this
// was applied only to buffered responses.
if (maxContentLength > -1) {
const limit = maxContentLength;
const source = responseStream;
async function* enforceMaxContentLength() {
let totalResponseBytes = 0;
for await (const chunk of source) {
totalResponseBytes += chunk.length;
if (totalResponseBytes > limit) {
throw new AxiosError(
'maxContentLength size of ' + limit + ' exceeded',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest
);
}
yield chunk;
}
}
responseStream = stream.Readable.from(enforceMaxContentLength(), {
objectMode: false,
});
}
response.data = responseStream;
settle(resolve, reject, response);
} else {
const responseBuffer = [];
let totalResponseBytes = 0;
responseStream.on('data', function handleStreamData(chunk) {
responseBuffer.push(chunk);
totalResponseBytes += chunk.length;
// make sure the content length is not over the maxContentLength if specified
if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
// stream.destroy() emit aborted event before calling reject() on Node.js v16
rejected = true;
responseStream.destroy();
abort(
new AxiosError(
'maxContentLength size of ' + maxContentLength + ' exceeded',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest
)
);
}
});
responseStream.on('aborted', function handlerStreamAborted() {
if (rejected) {
return;
}
const err = new AxiosError(
'stream has been aborted',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest,
response
);
responseStream.destroy(err);
reject(err);
});
responseStream.on('error', function handleStreamError(err) {
if (rejected) return;
reject(AxiosError.from(err, null, config, lastRequest, response));
});
responseStream.on('end', function handleStreamEnd() {
try {
let responseData =
responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
if (responseType !== 'arraybuffer') {
responseData = responseData.toString(responseEncoding);
if (!responseEncoding || responseEncoding === 'utf8') {
responseData = utils.stripBOM(responseData);
}
}
response.data = responseData;
} catch (err) {
return reject(AxiosError.from(err, null, config, response.request, response));
}
settle(resolve, reject, response);
});
}
abortEmitter.once('abort', (err) => {
if (!responseStream.destroyed) {
responseStream.emit('error', err);
responseStream.destroy();
}
});
});
User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.
Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 3 low-confidence finding(s)
const req = session.request(http2Headers);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
req = transport.request(options, function handleResponse(res) {
clearConnectPhaseTimer();
if (req.destroyed) return;
const streams = [res];
const responseLength = utils.toFiniteNumber(res.headers['content-length']);
if (onDownloadProgress || maxDownloadRate) {
const transformStream = new AxiosTransformStream({
maxRate: utils.toFiniteNumber(maxDownloadRate),
});
onDownloadProgress &&
transformStream.on(
'progress',
flushOnFinish(
transformStream,
progressEventDecorator(
responseLength,
progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
)
)
);
streams.push(transformStream);
}
// decompress the response body transparently if required
let responseStream = res;
// return the last request in case of redirects
const lastRequest = res.req || req;
// if decompress disabled we should not decompress
if (decompress !== false && res.headers['content-encoding']) {
// if no content, but headers still say that it is encoded,
// remove the header not confuse downstream operations
if (method === 'HEAD' || res.statusCode === 204) {
delete res.headers['content-encoding'];
}
switch ((res.headers['content-encoding'] || '').toLowerCase()) {
/*eslint default-case:0*/
case 'gzip':
case 'x-gzip':
case 'compress':
case 'x-compress':
// add the unzipper to the body stream processing pipeline
streams.push(zlib.createUnzip(zlibOptions));
// remove the content-encoding in order to not confuse downstream operations
delete res.headers['content-encoding'];
break;
case 'deflate':
streams.push(new ZlibHeaderTransformStream());
// add the unzipper to the body stream processing pipeline
streams.push(zlib.createUnzip(zlibOptions));
// remove the content-encoding in order to not confuse downstream operations
delete res.headers['content-encoding'];
break;
case 'br':
if (isBrotliSupported) {
streams.push(zlib.createBrotliDecompress(brotliOptions));
delete res.headers['content-encoding'];
}
break;
case 'zstd':
if (isZstdSupported) {
streams.push(zlib.createZstdDecompress(zstdOptions));
delete res.headers['content-encoding'];
}
break;
}
}
responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];
const response = {
status: res.statusCode,
statusText: res.statusMessage,
headers: new AxiosHeaders(res.headers),
config,
request: lastRequest,
};
if (responseType === 'stream') {
// Enforce maxContentLength on streamed responses; previously this
// was applied only to buffered responses.
if (maxContentLength > -1) {
const limit = maxContentLength;
const source = responseStream;
async function* enforceMaxContentLength() {
let totalResponseBytes = 0;
for await (const chunk of source) {
totalResponseBytes += chunk.length;
if (totalResponseBytes > limit) {
throw new AxiosError(
'maxContentLength size of ' + limit + ' exceeded',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest
);
}
yield chunk;
}
}
responseStream = stream.Readable.from(enforceMaxContentLength(), {
objectMode: false,
});
}
response.data = responseStream;
settle(resolve, reject, response);
} else {
const responseBuffer = [];
let totalResponseBytes = 0;
responseStream.on('data', function handleStreamData(chunk) {
responseBuffer.push(chunk);
totalResponseBytes += chunk.length;
// make sure the content length is not over the maxContentLength if specified
if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
// stream.destroy() emit aborted event before calling reject() on Node.js v16
rejected = true;
responseStream.destroy();
abort(
new AxiosError(
'maxContentLength size of ' + maxContentLength + ' exceeded',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest
)
);
}
});
responseStream.on('aborted', function handlerStreamAborted() {
if (rejected) {
return;
}
const err = new AxiosError(
'stream has been aborted',
AxiosError.ERR_BAD_RESPONSE,
config,
lastRequest,
response
);
responseStream.destroy(err);
reject(err);
});
responseStream.on('error', function handleStreamError(err) {
if (rejected) return;
reject(AxiosError.from(err, null, config, lastRequest, response));
});
responseStream.on('end', function handleStreamEnd() {
try {
let responseData =
responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
if (responseType !== 'arraybuffer') {
responseData = responseData.toString(responseEncoding);
if (!responseEncoding || responseEncoding === 'utf8') {
responseData = utils.stripBOM(responseData);
}
}
response.data = responseData;
} catch (err) {
return reject(AxiosError.from(err, null, config, response.request, response));
}
settle(resolve, reject, response);
});
}
abortEmitter.once('abort', (err) => {
if (!responseStream.destroyed) {
responseStream.emit('error', err);
responseStream.destroy();
}
});
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@ai-sdk/google-vertex
npm dependencyexpand_more 1 low-confidence finding(s)
const response = await fetch('https://oauth2.googleapis.com/token', {
method: 'POST',
headers: withUserAgentSuffix(
{ 'Content-Type': 'application/x-www-form-urlencoded' },
`ai-sdk/google-vertex/${VERSION}`,
getRuntimeEnvironmentUserAgent(),
),
body: new URLSearchParams({
grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
assertion: jwt,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
@aws-sdk/credential-providers
npm dependencyexpand_more 2 low-confidence finding(s)
return fromTemporaryCredentials$1(options, fromNodeProviderChain, async ({ profile = process.env.AWS_PROFILE }) => loadConfig({
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fromTemporaryCredentialsBase(options, fromNodeProviderChain, async ({ profile = process.env.AWS_PROFILE }) => loadConfig({
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@qdrant/js-client-rest
npm dependencyexpand_more 6 low-confidence finding(s)
import {writeFile} from 'fs/promises';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
buildEnd: () => writeFile('dist/cjs/package.json', '{"type":"commonjs"}'),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import * as fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const openapiFile = fs.readFileSync('./src/openapi/generated_schema.ts', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync('./src/openapi/generated_client_type.ts', generatedTypeFile);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync('./src/openapi/generated_api_client.ts', generatedConstructorFile);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@tanstack/react-query
npm dependencyexpand_more 5 low-confidence finding(s)
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NODE_ENV !== 'production') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
@vscode/codicons
npm dependencyexpand_more 20 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const mapping = JSON.parse(fs.readFileSync(mappingPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const metadata = JSON.parse(fs.readFileSync(metadataPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const metadata = fs.readFileSync(metadataPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let html = fs.readFileSync(htmlPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(htmlPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs.readFileSync(path.join(iconsDir, file), 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let html = fs.readFileSync(htmlPath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(htmlPath, html);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(opts.f, 'utf8', (err, data) => {
if (err) {
console.error('Error reading file:', err);
return;
}
try {
const mapping = JSON.parse(data);
console.log("/*---------------------------------------------------------------------------------------------");
console.log(" * Copyright (c) Microsoft Corporation. All rights reserved.");
console.log(" * Licensed under the MIT License. See License.txt in the project root for license information.");
console.log(" *--------------------------------------------------------------------------------------------*/");
console.log("import { register } from './codiconsUtil.js';");
console.log("");
console.log("");
console.log("// This file is automatically generated by (microsoft/vscode-codicons)/scripts/export-to-ts.js");
console.log("// Please don't edit it, as your changes will be overwritten.");
console.log("// Instead, add mappings to codiconsDerived in codicons.ts.");
console.log("export const codiconsLibrary = {");
// New format: mapping is { "code": ["alias1", "alias2", ...] }
Object.entries(mapping).forEach(([code, aliases]) => {
const codeValue = parseInt(code);
const hexValue = decimalToHex(codeValue);
// Register each alias with the same code
aliases.forEach((name) => {
console.log(`\t${toCamelCase(name)}: register('${name}', ${hexValue}),`);
});
});
console.log("} as const;");
} catch (error) {
console.error('Error parsing JSON:', error);
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(file, "utf-8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(result.symbol.sprite.path, result.symbol.sprite.contents);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(packageJsonPath, JSON.stringify(packageJson, null, 2) + '\n');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ai-sdk-provider-poe
npm dependencyexpand_more 21 low-confidence finding(s)
import { readFileSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const pkg = JSON.parse(readFileSync("package.json", "utf-8"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
readFileSync(new URL("../src/data/bundled-routing.json", import.meta.url), "utf8"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
port = Number(process.env.PORT ?? 3456),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const apiKey = process.env.POE_API_KEY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseURL = process.env.POE_BASE_URL ?? "https://api.poe.com/v1";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { readFileSync, writeFileSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const originalPkg = readFileSync("package.json", "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync("package.json", JSON.stringify(pkg, null, 2) + "\n");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync("package.json", originalPkg);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.POE_SNAPSHOT_DIR?.trim() || ".snapshots";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const raw = await fs.readFile(accessedKeysPath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const res = await fetch(API_URL);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch("https://api.poe.com/v1/responses", {});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch("https://api.poe.com/v1/responses", {});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch("https://api.poe.com/v1/responses", {});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const res = await fetch("https://api.poe.com/v1/chat/completions", {});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
import { readFileSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bannerImage = readFileSync(
new URL("./test/fixtures/banner.jpg", import.meta.url)
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
image: new URL(
"https://raw.githubusercontent.com/poe-platform/ai-sdk-provider-poe/refs/heads/main/tests/fixtures/banner.jpg"
),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const isRecordMode = process.env.POE_SNAPSHOT_MODE === "record" || cliTags.includes("snapshot:record");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ansi-to-html
npm dependencyexpand_more 1 low-confidence finding(s)
var stream = require('fs').createReadStream(file, {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
chokidar
npm dependencyexpand_more 2 low-confidence finding(s)
const envPoll = process.env.CHOKIDAR_USEPOLLING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envInterval = process.env.CHOKIDAR_INTERVAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
class-variance-authority
npm dependencyexpand_more 3 low-confidence finding(s)
branch: process.env.NEXT_PUBLIC_VERCEL_GIT_COMMIT_REF || "main",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_VERCEL_GIT_REPO_OWNER || "joe-bell",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NEXT_PUBLIC_VERCEL_GIT_REPO_SLUG || "cva",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
exceljs
npm dependencyexpand_more 6 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(filename, options, (error, data) => {
if (error) {
reject(error);
} else {
resolve(data);
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fast-xml-parser
npm dependencyexpand_more 6 low-confidence finding(s)
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const version = JSON.parse(fs.readFileSync(packageJsonPath).toString()).version;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(fileName, function(err, data) {
if (err) {
throw err;
}
callback(data.toString());
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(fileName, data, function(err) {
if (err) {
throw err;
}
console.log('JSON output has been written to ' + fileName);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const version = JSON.parse(fs.readFileSync(packageJsonPath).toString()).version;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fastest-levenshtein
npm dependencyexpand_more 3 low-confidence finding(s)
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync("data.json", JSON.stringify(data_1));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var data = JSON.parse(fs.readFileSync("data.json", "utf8"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
global-agent
npm dependencyexpand_more 24 low-confidence finding(s)
const rejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const defaultNodeTlsRejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = defaultNodeTlsRejectUnauthorized;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.GLOBAL_AGENT_FORCE_GLOBAL_AGENT = 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'null';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 1;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = true;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = false;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'yes';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'no';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
proxyController.HTTP_PROXY = process.env[configuration.environmentVariableNamespace + 'HTTP_PROXY'] ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
proxyController.HTTPS_PROXY = process.env[configuration.environmentVariableNamespace + 'HTTPS_PROXY'] ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
proxyController.NO_PROXY = process.env[configuration.environmentVariableNamespace + 'NO_PROXY'] ?? null;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
gray-matter
npm dependencyexpand_more 2 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const str = fs.readFileSync(filepath, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
mammoth
npm dependencyexpand_more 3 low-confidence finding(s)
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
monaco-vscode-textmate-theme-converter
npm dependencyexpand_more 12 low-confidence finding(s)
var themeFile = fs.readFileSync(inputFilePath).toString();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputFilePath, JSON.stringify(convertedTheme, null, 4));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [4 /*yield*/, fs.readFile(filePath)];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [4 /*yield*/, fs.writeFile(path.join(outDir, fileName), JSON.stringify(out))];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var themeFile = fs.readFileSync(inputFilePath).toString();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputFilePath, JSON.stringify(convertedTheme, null, 4));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [4 /*yield*/, fs.readFile(filePath)];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return [4 /*yield*/, fs.writeFile(path.join(outDir, fileName), JSON.stringify(out))];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let themeFile = fs.readFileSync(inputFilePath).toString();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(outputFilePath, JSON.stringify(convertedTheme, null, 4));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let themeFile: string = (await fs.readFile(filePath)).toString();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(path.join(outDir, fileName), JSON.stringify(out));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
node-ipc
npm dependencyexpand_more 24 low-confidence finding(s)
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client.config.tls.key=fs.readFileSync(client.config.tls.private);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client.config.tls.cert=fs.readFileSync(client.config.tls.public);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(client.config.tls.trustedConnections[i])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.key=fs.readFileSync(this.config.tls.private);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.key=fs.readFileSync(`${__dirname}/../local-node-ipc-certs/private/server.key`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.cert=fs.readFileSync(this.config.tls.public);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.cert=fs.readFileSync(`${__dirname}/../local-node-ipc-certs/server.pub`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.dhparam=fs.readFileSync(this.config.tls.dhparam);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFileSync(this.config.tls.trustedConnections[i])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import {writeFileSync} from 'fs';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync('./coverage/lcov.svg', svgBadge);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var import_fs = __toModule(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client.config.tls.key = import_fs.default.readFileSync(client.config.tls.private);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client.config.tls.cert = import_fs.default.readFileSync(client.config.tls.public);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
client.config.tls.ca.push(import_fs.default.readFileSync(client.config.tls.trustedConnections[i]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var import_fs2 = __toModule(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.key = import_fs2.default.readFileSync(this.config.tls.private);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.key = import_fs2.default.readFileSync(`${__dirname}/../local-node-ipc-certs/private/server.key`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.cert = import_fs2.default.readFileSync(this.config.tls.public);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.cert = import_fs2.default.readFileSync(`${__dirname}/../local-node-ipc-certs/server.pub`);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.dhparam = import_fs2.default.readFileSync(this.config.tls.dhparam);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.config.tls.ca.push(import_fs2.default.readFileSync(this.config.tls.trustedConnections[i]));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
ollama
npm dependencyexpand_more 1 low-confidence finding(s)
const fileBuffer = await promises.readFile(resolve(image))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
os-name
npm dependencyexpand_more 1 low-confidence finding(s)
const osRelease = fs.readFileSync('/etc/os-release', 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pdf-parse
npm dependencyexpand_more 9 low-confidence finding(s)
const pkg = JSON.parse(await readFile(new URL('../package.json', import.meta.url)));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await readFile(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(options.output, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filepath, image.data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filepath, page.data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dummyFile, 'dummy content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(dummyFile, 'dummy content');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
puppeteer-chromium-resolver
npm dependencyexpand_more 7 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const defaultHosts = process.env.PUPPETEER_DEFAULT_HOST || 'https://storage.googleapis.com';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let revision = options.revision || process.env.PUPPETEER_REVISION;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(statsPath, JSON.stringify(stats, null, 4));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
stats = JSON.parse(fs.readFileSync(statsPath));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const request = isHttps ? https.request(options) : http.request(options);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
puppeteer-core
npm dependencyexpand_more 43 low-confidence finding(s)
await fileHandle.writeFile(value);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await environment.value.fs.promises.writeFile(path, typedArray);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const fileContent = await environment.value.fs.promises.readFile(portPath, 'ascii');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await environment.value.fs.promises.writeFile(path, typedArray);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env['PUPPETEER_WEBDRIVER_BIDI_ONLY'] === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await environment.value.fs.promises.readFile(portPath, 'ascii');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fileHandle.writeFile(value);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bidiOnly = process.env['PUPPETEER_WEBDRIVER_BIDI_ONLY'] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const turnOnExperimentalFeaturesForTesting = process.env['PUPPETEER_TEST_EXPERIMENTAL_CHROME_FEATURES'] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env['PUPPETEER_DANGEROUS_NO_SANDBOX'] === 'true' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let t = new URL("https://example.com");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
content = await environment.value.fs.promises.readFile(path, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await environment.value.fs.promises.writeFile(path, typedArray);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env['PUPPETEER_WEBDRIVER_BIDI_ONLY'] === 'true') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = await environment.value.fs.promises.readFile(
portPath,
'ascii',
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fileHandle.writeFile(value);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const bidiOnly = process.env['PUPPETEER_WEBDRIVER_BIDI_ONLY'] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env['PUPPETEER_TEST_EXPERIMENTAL_CHROME_FEATURES'] === 'true';
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env['PUPPETEER_DANGEROUS_NO_SANDBOX'] === 'true' &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
sanitize-filename
npm dependencyexpand_more 3 low-confidence finding(s)
fs.writeFile(filepath, "foobar", function(err) {
t.ifError(err, "no error writing file");
fs.readFile(filepath, function(err, data) {
t.ifError(err, "no error reading file");
t.equal(data.toString(), "foobar", "file contents equals");
fs.unlink(filepath, function(err) {
t.ifError(err, "no error unlinking file");
t.end();
});
});
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(filepath, function(err, data) {
t.ifError(err, "no error reading file");
t.equal(data.toString(), "foobar", "file contents equals");
fs.unlink(filepath, function(err) {
t.ifError(err, "no error unlinking file");
t.end();
});
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tiktoken
npm dependencyexpand_more 4 low-confidence finding(s)
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
bytes = fs.readFileSync(candidate);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
bytes = fs.readFileSync(candidate);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tmp
npm dependencyexpand_more 1 low-confidence finding(s)
const fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
undici
npm dependencyexpand_more 13 low-confidence finding(s)
const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.UNDICI_NO_WASM_SIMD === '1') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
} else if (process.env.UNDICI_NO_WASM_SIMD === '0') {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return session.request(headers, options)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.no_proxy ?? process.env.NO_PROXY ?? ''
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
colors: !disableColors && !process.env.CI
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await readFile(resolve(path), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(resolvedPath, JSON.stringify(data, null, 2), { flush: true })
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
: readFileSync('./undici-fetch.js')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
vscode-material-icons
npm dependencyexpand_more 1 low-confidence finding(s)
const port = process.env.PORT || 3000;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
web-tree-sitter
npm dependencyexpand_more 16 low-confidence finding(s)
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename, binary2 ? void 0 : "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary2 = await fs2.readFile(input);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary2 = await fs2.readFile(input);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename, binary2 ? void 0 : "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename, binary2 ? void 0 : "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary2 = await fs2.readFile(input);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
binary2 = await fs2.readFile(input);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var ret = fs.readFileSync(filename, binary2 ? void 0 : "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
zhipu-ai-provider
npm dependencyexpand_more 10 low-confidence finding(s)
const value = process.env[name];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const baseURL = process.env.ZHIPU_BASE_URL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const providerName = process.env.ZHIPU_PROVIDER;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
text: process.env.ZHIPU_TEXT_MODEL ?? "glm-4.7-flash",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reasoning: process.env.ZHIPU_REASONING_MODEL ?? "glm-4.7-flash",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
vision: process.env.ZHIPU_VISION_MODEL ?? "glm-4.6v-flash",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
embedding: process.env.ZHIPU_EMBEDDING_MODEL ?? "embedding-3",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
image: process.env.ZHIPU_IMAGE_MODEL ?? "glm-image",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.EXAMPLE_IMAGE_URL ??
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
http.post(url, async ({ request }) => {
const requestBody = await request.text();
const requestHeaders: Record<string, string> = {};
request.headers.forEach((value, key) => {
requestHeaders[key] = value;
});
let requestBodyJson: unknown;
try {
requestBodyJson = JSON.parse(requestBody);
} catch (e) {
console.error("Failed to parse request body:", requestBody);
throw e;
}
const call: ServerCall = {
requestBody,
requestHeaders,
requestBodyJson,
};
urlConfig.calls.push(call);
allCalls.push(call);
const response = urlConfig.response;
if (response.type === "json-value") {
return HttpResponse.json(response.body as Record<string, unknown>, {
headers: response.headers,
});
}
if (response.type === "stream-chunks") {
return new Response(response.chunks.join(""), {
headers: {
"Content-Type": "text/event-stream",
"Cache-Control": "no-cache",
Connection: "keep-alive",
...response.headers,
},
});
}
return new Response(null, { status: 500 });
}),
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
Skipped dependencies
Production
- @lmstudio/sdk prod — dist-only: no readable source
- @roo-code/core prod — registry 404
- @roo-code/ipc prod — registry 404
- partial-json prod — dist-only: no readable source
- tree-sitter-wasms prod — no javascript source
- hast-util-to-jsx-runtime prod — scan budget exceeded
- i18next-http-backend prod — scan budget exceeded
- katex prod — scan budget exceeded
- knuth-shuffle-seeded prod — scan budget exceeded
- lru-cache prod — scan budget exceeded
- lucide-react prod — scan budget exceeded
- mermaid prod — scan budget exceeded
- react prod — scan budget exceeded
- react-compiler-runtime prod — scan budget exceeded
- react-dom prod — scan budget exceeded
- react-i18next prod — scan budget exceeded
- react-icons prod — scan budget exceeded
- react-markdown prod — scan budget exceeded
- react-remark prod — scan budget exceeded
- react-textarea-autosize prod — scan budget exceeded
- react-use prod — scan budget exceeded
- react-virtuoso prod — scan budget exceeded
- rehype-highlight prod — scan budget exceeded
- rehype-katex prod — scan budget exceeded
- remark-gfm prod — scan budget exceeded
- remark-math prod — scan budget exceeded
- remove-markdown prod — scan budget exceeded
- shiki prod — scan budget exceeded
- source-map prod — scan budget exceeded
- stacktrace-js prod — scan budget exceeded
- styled-components prod — scan budget exceeded
- tailwind-merge prod — scan budget exceeded
- tailwindcss prod — scan budget exceeded
- tailwindcss-animate prod — scan budget exceeded
- unist-util-visit prod — scan budget exceeded
- use-sound prod — scan budget exceeded
- vscrui prod — scan budget exceeded
- @inkjs/ui prod — scan budget exceeded
- @roo-code/vscode-shim prod — scan budget exceeded
- @trpc/client prod — scan budget exceeded
- @vscode/ripgrep prod — scan budget exceeded
- commander prod — scan budget exceeded
- cross-spawn prod — scan budget exceeded
- fuzzysort prod — scan budget exceeded
- ink prod — scan budget exceeded
- superjson prod — scan budget exceeded
- zustand prod — scan budget exceeded
- @docusaurus/core prod — scan budget exceeded
- @docusaurus/plugin-client-redirects prod — scan budget exceeded
- @docusaurus/plugin-content-docs prod — scan budget exceeded
- @docusaurus/plugin-sitemap prod — scan budget exceeded
- @docusaurus/preset-classic prod — scan budget exceeded
- @docusaurus/theme-common prod — scan budget exceeded
- @easyops-cn/autocomplete.js prod — scan budget exceeded
- @easyops-cn/docusaurus-search-local prod — scan budget exceeded
- @mdx-js/react prod — scan budget exceeded
- prism-react-renderer prod — scan budget exceeded