Close Open Privacy Scan

bolt Snapshot: commit 038d2ca
science engine v1.5
schedule 2026-07-15T02:22:14.702130+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

smart_toy MCP server detected: @ai-sdk/anthropic, @ai-sdk/openai, @google/generative-ai, @langchain/anthropic +12 more — detected in dependencies, not a safety judgment.
Incomplete scan — only 0/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 3089 finding(s)

Dependency score: 100 (Low risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

91 high 557 medium 2441 low
First-party packages: 40
Dependency packages: 0
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: 169.254.169.254169.254.170.2169.254.170.23192.168.1.100a.b.app.n8n.clouda.coma.exampleaccount.box.comaccounts.google.comaccounts.spotify.comaccounts.zoho.comaccounts.zoho.com.auaccounts.zoho.com.cnaccounts.zoho.euaccounts.zoho.inacme.app.n8n.cloudactionnetwork.orgacuityscheduling.comadaptivecards.ioadb-xxx.azuredatabricks.netadb-xxx.cloud.databricks.comadb-xxxxx.xx.azure.databricks.comadoption.microsoft.comai-gateway.vercel.shairtable.comaka.msallowed.exampleanalytics.google.comanalyticsadmin.googleapis.comanalyticsdata.googleapis.comanalyticsreporting.googleapis.comanywhere.exampleapiapi-b2b.backenster.comapi-docs.deepseek.comapi-eu.dhl.comapi-free.deepl.comapi-rootapi-rs.n8n.ioapi-ssl.bitly.comapi-staging.n8n.ioapi.adalo.comapi.affinity.coapi.airtable.comapi.airtop.aiapi.anthropic.comapi.apitemplate.ioapi.atlassian.comapi.bamboohr.comapi.bannerbear.comapi.baserow.ioapi.beeminder.comapi.bitbucket.orgapi.bitwarden.comapi.botframework.comapi.box.comapi.brandfetch.ioapi.brevo.comapi.cal.comapi.calendly.comapi.clickup.comapi.clockify.meapi.cloudflare.comapi.cohere.aiapi.coingecko.comapi.convertkit.comapi.copper.comapi.currents.devapi.custom-service.comapi.datadoghq.comapi.deepl.comapi.deepseek.comapi.dropboxapi.comapi.dropcontact.ioapi.duckduckgo.comapi.egoiapp.comapi.eu.iterable.comapi.figma.comapi.firecrawl.devapi.form.ioapi.frankfurter.devapi.getflow.comapi.getgo.comapi.getmetal.ioapi.getresponse.comapi.getzep.comapi.github.comapi.gong.ioapi.google.comapi.groq.comapi.gumroad.comapi.harvestapp.comapi.helpscout.netapi.hsforms.comapi.hubapi.comapi.humantic.aiapi.hunter.ioapi.imperva.comapi.infusionsoft.comapi.intercom.ioapi.iterable.comapi.lemlist.comapi.linear.appapi.linkedin.comapi.loganalytics.azure.comapi.loganalytics.ioapi.mailcheck.coapi.mailerlite.comapi.mailjet.comapi.malcore.ioapi.medium.comapi.meethue.comapi.meraki.comapi.minimax.ioapi.minimaxi.comapi.miro.comapi.mistral.aiapi.monday.comapi.moonshot.aiapi.moonshot.cnapi.n8n.ioapi.nasa.govapi.netlify.comapi.notion.comapi.npms.ioapi.open-meteo.comapi.openai.comapi.openweathermap.orgapi.other.comapi.ouraring.comapi.peekalink.ioapi.perplexity.aiapi.phantombuster.comapi.pinecone.ioapi.pipedrive.comapi.postmarkapp.comapi.pushbullet.comapi.pushover.netapi.raindrop.ioapi.recordedfuture.comapi.search.brave.comapi.sekoia.ioapi.sendgrid.comapi.slack.comapi.smith.langchain.comapi.spotify.comapi.stripe.comapi.surveymonkey.comapi.telegram.orgapi.test.comapi.todoist.comapi.track.toggl.comapi.trello.comapi.trychroma.comapi.twilio.comapi.twitter.comapi.typeform.comapi.umbrella.comapi.uproc.ioapi.uptimerobot.comapi.venafiapi.webflow.comapi.wolframalpha.comapi.x.aiapi.xx-yy.cloud.solarwinds.comapi.zoom.usapi2.autopilothq.comapp.adalo.comapp.asana.comapp.box.comapp.clickup.comapp.daytona.ioapp.getresponse.comapp.gong.ioapp.hubspot.comapp.infisical.comapp.invoiceninja.comapp.n8n.cloudapp.nocodb.comapp.pagerduty.comapp.posthog.comapp.us1.sysdig.comappcenter.intuit.comattacker.exampleauth.atlassian.comauth.calendly.comauth.monday.comauth0.comb.comb.examplebedrockbedrock-runtimebedrock-runtime.eu-west-3.example.internalbedrock.us-east-1.amazonaws.combeta.openai.combigquery.googleapis.combitly.combrave.combuild.nvidia.comc.comcdn-rs.n8n.iocdn.jsdelivr.netcdn.simpleicons.orgcdn.tailwindcss.comchanged.iochat.googleapis.comchatgpt.comchromewebstore.google.comchromium.orgcircleci.comclaude.aicloud.google.comcloud.seatable.ioclouddocs.f5.comcloudresourcemanager.googleapis.comcn-hongkong.dashscope.aliyuncs.comcoda.iocognitiveservices.azure.comcollector.iocommentanalyzer.googleapis.comcommunity.n8n.iocompany.clearbit.comcompany.freshdesk.comconnectconnect.mailerlite.comconsole.cloud.google.comconsole.developers.google.comconsole.groq.comcontent.dropboxapi.comcontext7.comcreators.n8n.iocustom-anthropic-api.comcustom-project.firebaseio.comcustom-url.comcustom.comcustom.googleapis.comcustomer.iodashscope-intl.aliyuncs.comdashscope-us.aliyuncs.comdashscope.aliyuncs.comdata.jsdelivr.comdatatracker.ietf.orgdeepsearch.jina.aidefense.conferdeploy.netdev-123456.okta.comdev-qqkrykgkoo0p63d5.eu.auth0.comdev.drift.comdev.w3.orgdev99890.service-now.comdevdocs.drift.comdevdocs.magento.comdeveloper.1password.comdeveloper.atlassian.comdeveloper.carbonblack.comdeveloper.cisco.comdeveloper.crowdstrike.comdeveloper.helpscout.comdeveloper.mozilla.orgdeveloper.okta.comdeveloper.x.comdevelopers.generativeai.googledevelopers.google.comdevelopers.hubspot.comdevelopers.miro.comdevelopers.notion.comdevelopers.perspectiveapi.comdevelopers.virustotal.comdiscord.comdisqus.comdoc.twake.appdocs.airtop.aidocs.anthropic.comdocs.astral.shdocs.aws.amazon.comdocs.claude.comdocs.cohere.comdocs.convertapi.comdocs.currents.devdocs.databricks.comdocs.datadoghq.comdocs.dfir-iris.orgdocs.dynatrace.comdocs.fortinet.comdocs.getgrist.comdocs.github.comdocs.google.comdocs.googleapis.comdocs.imperva.comdocs.mattermost.comdocs.microsoft.comdocs.mistral.aidocs.mongodb.comdocs.n8n.iodocs.oasis-open.orgdocs.opencti.iodocs.oracle.comdocs.rapid7.comdocs.searxng.orgdocs.sekoia.iodocs.snowflake.comdocs.stripe.comdocs.sysdig.comdocs.test.comdocs.trellix.comdocs.x.aidocumentation.solarwinds.comdod-graph.microsoft.usdriftapi.comdrive.google.comdummyjson.comdynamic-templates.n8n.iodynamodb.eu-central-1.amazonaws.comeditor-baseeks-pod-identity.amazonaws.comemailembeddings-dashboard-api.jina.aien.wikipedia.orgenterprise.n8n.ioevil.comevil.exampleexample.agilecrm.comexample.atlassian.netexample.n8n.cloudexample.nonexistentexternal.comfacebook.comfeeds.bbci.co.ukfirebase.googleapis.comfirestore.googleapis.comfirst.comfoo.app.n8n.cloudformio.form.iogateway.seven.iogenerativelanguage.googleapis.comghost.orggithub.comgitlab.comgmail.comgoogle.comgoogleads.googleapis.comgraph.facebook.comgraph.microsoft.comgraph.microsoft.usgraphql.emelia.iogumroad.comhelp.adalo.comhelp.getharvest.comhelp.zscaler.comhn.algolia.comhnrss.orghostnamehttpbin.orghuggingface.coiam.amazonaws.comicalendar.orgicon.test.comid.getharvest.comidentity.bitwarden.comidentity.xero.cominsight.rapid7.comintegrate.api.nvidia.cominternal-production.app.n8n.cloudinvoicing.cojeroen.github.iojina.aijira.company.comjira.localjslib.k6.iojson-schema.orgkafka.apache.orgkf.kobotoolbox.orglambdalambda.cn-north-1.amazonaws.com.cnlambda.us-east-1.amazonaws.comlanguage.googleapis.comlearn.microsoft.comlegitimate-client.comlicense.n8n.iolinear.applinkedin.comlogin.mailchimp.comlogin.microsoftonline.comlogin.microsoftonline.uslogin.partner.microsoftonline.cnlogin.salesforce.comlogin.xero.commail.google.commalcore.readme.iomalicious-site.commalicious.commanagement.azure.commanual.bubble.iomarketplace.gohighlevel.commarketplace.leadconnectorhq.commarketplace.zoom.usmatrix-client.matrix.orgmatrix.orgmattermost.internal.n8n.iomcp.gmail.commcp.linear.appmcp.notion.commcp.slack.commedium.commicrosoft.commicrosoftgraph.chinacloudapi.cnmiro.commock-upload-url.commock.auth.servicemodels.devmoment.github.iomonitor.azure.commy-instance.app.n8n.cloudmy-mcp-endpoint.aimy-mcp-server.aimy-n8n.app.n8n.cloudmy-organization.odoo.commy-site.commy.demio.commy.instance.app.n8n.cloudmybusiness.googleapis.commybusinessaccountmanagement.googleapis.commybusinessbusinessinformation.googleapis.commycompany.my.salesforce.commydeployment.es.us-central1.gcp.cloud.es.iomydeployment.kb.us-central1.gcp.cloud.es.iomyinstance.app.n8n.cloudmyproxyn.examplen8n-community.typeform.comn8n-helpdesk.zammad.comn8n-org.myfreshworks.comn8n-preview-service.internal.n8n.cloudn8n-tunnel.myhost.comn8n.erpnext.comn8n.freshservice.comn8n.grafana.netn8n.host.comn8n.ion8n.localn8n.local.evil.comn8n.rocket.chatn8niostorageaccount.blob.core.windows.netname.mautic.netnavigated.comnew-url.comnew.comnewsapi.orgno.comnominatim.openstreetmap.orgnotify-api.line.menotify-bot.line.menumbersapi.comoauth.pipedrive.comoauth.platform.intuit.comoauth2.googleapis.comold-url.comold.comollama.aiopenrouter.aiorbit.loveoriginal.iootel.observability.acmeother-app.comother.comotx.alienvault.comoverride-url.compeople.googleapis.comph.n8n.ioplatform.kimi.aiplatform.minimax.ioplatform.openai.complugins.twake.appportal.airtop.aiportal.azure.comproxy.internalpublic-api.lonescale.compublic-api.wordpress.compublic.api.comqdrant.techqualysapi.qualys.comqualysguard.qg2.apps.qualys.comr.jina.airaindrop.ioraw.githubusercontent.comregistry.npmjs.orgrekognitionreqbin.comrest.gohighlevel.comrest.messagebird.coms.jina.ais3s3.amazonaws.comsafe.comsame.comschema-registry-domainschemas.xmlsoap.orgsdk-templates.n8n.iosearx.test.comsecond.comsecure.helpscout.netsentry.ioserpapi.comservices.leadconnectorhq.comsheets.googleapis.comshuffler.iosigned.comsignin.infusionsoft.comslack.comslides.googleapis.comslsa.devsnsspawned.comsqssqs.mycompany.devsqs.us-west-2.mycompany.devssmstage-app.n8n.cloudstaging-subscription.n8n.iostatic.linear.appstorage.azure.comstorage.googleapis.comstripe.comstssts.cn-north-1.amazonaws.com.cnsts.eu-west-1.amazonaws.comsts.us-east-1.amazonaws.comsts.us-gov-west-1.amazonaws.comsts.windows.netsubdomain.app.gong.iosubscription.n8n.iosupabase.comsupport.airtable.comsupport.google.comt.comtabtab1.comtaiga.yourdomain.comtarget.comtelegram.metelemetry.n8n.iotenant.exampletenant123.sharepoint.comtest-base-urltest-n8n-base-urltest-oauth2.atlassian.nettest-project.europe-west1-firebase.cloudfunctions.nettest-project.firebaseio.comtest-project.undefinedtest-search.search.windows.nettest-url.comtest.api.n8n.iotest.app.n8n.cloudtest.comtest.docs.n8n.iotest.endpoint.comtest.localtest.n8n.iotest.salesforce.comtodoist.comtranslation.googleapis.comtrello.comtwist.comtwitter.comupdated.comupdated.ioupload.box.comupload.googleapis.comupload.wikimedia.orgurlscan.ious-east-1.console.aws.amazon.comv2.convertapi.comvalid-url.comvisibilityvpce-0abc.sqs.not-a-region.vpce.amazonaws.comvpce-0abc123-usw2-az1.sqs.us-west-2.vpce.amazonaws.comvpce-0abc123.bedrock-runtime.us-east-1.vpce.amazonaws.comvpce-0abc123.sqs.cn-north-1.vpce.amazonaws.com.cnvpce-0abc123.sqs.not-a-region.vpce.amazonaws.comvpce-0abc123.sqs.us-gov-west-1.vpce.amazonaws.comvpce-0abc123.sqs.us-west-2.vpce.amazonaws.comvpce-abc.bedrock.us-east-1.vpce.amazonaws.comweaviate.iowebexapis.comwebflow.comwebhook-basewekan.yourdomain.comwesteurope.api.cognitive.microsoft.comwiki.jenkins.ioworkspace.app.n8n.cloudwww.api.comwww.beeminder.comwww.dropbox.comwww.elastic.cowww.eventbrite.comwww.eventbriteapi.comwww.ex.comwww.facebook.comwww.figma.comwww.filescan.iowww.formstack.comwww.google.comwww.googleapis.comwww.home-assistant.iowww.hybrid-analysis.comwww.ibm.comwww.linkedin.comwww.localeplanet.comwww.mist.comwww.mongodb.comwww.mydomain.comwww.n8n.iowww.notion.sowww.npmjs.comwww.odoo.comwww.pushbullet.comwww.qwencloud.comwww.reddit.comwww.solarwinds.comwww.strava.comwww.theverge.comwww.typescriptlang.orgwww.unpkg.comwww.virustotal.comwww.w3.orgwww.website.comwww.youtube-nocookie.comwww.youtube.comwww.zabbix.comx.exampleyes.comyour-cluster.weaviate.cloudyour-ipam-serveryour-search-service.search.windows.netyour-tenant.auth0.comyour_account.supabase.coyourdomain.comyourzulipdomain.zulipchat.comzoom.us例え.jp

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/keycloak.ts:509 repo/packages/testing/containers/services/keycloak.ts:520
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/ngrok.ts:48 repo/packages/testing/containers/services/ngrok.ts:85
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 repo/packages/testing/playwright/reporters/metrics-reporter.ts:75
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:242 repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:240
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/instance-seeding/seedInstance.mjs:10 repo/scripts/instance-seeding/seedInstance.mjs:228
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/nathan.mjs:232 repo/scripts/nathan.mjs:235
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/license/license.service.ts:78 repo/packages/cli/src/license/license.service.ts:71
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/oauth/oauth.service.ts:1067 repo/packages/cli/src/oauth/oauth.service.ts:1096
high first-party (npm): packages/core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/azure-blob.manager.ts:64 repo/packages/core/src/binary-data/azure-blob.manager.ts:66
high first-party (npm): packages/core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/object-store.manager.ts:78 repo/packages/core/src/binary-data/object-store.manager.ts:80
high first-party (npm): packages/@n8n/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/cli/src/client.ts:49 repo/packages/@n8n/cli/src/client.ts:90
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:75 repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:94 repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91
high first-party (npm): packages/@n8n/computer-use User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/computer-use/src/gateway-client.ts:308 repo/packages/@n8n/computer-use/src/gateway-client.ts:302
high first-party (npm): packages/frontend/editor-ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25
medium first-party (npm) Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45

</> First-Party Code

first-party (npm): packages/frontend/editor-ui

npm first-party
high pii_flow production #babc30d79d738900 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25 · flow /tmp/closeopen-gagie1_z/repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 → /tmp/closeopen-gagie1_z/repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25
		const response = await fetch(POPULARITY_ENDPOINT, {
			signal: AbortSignal.timeout(5000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #7f3c5ba4410715d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useAutocompleteTelemetry.ts:93
		telemetry.track('User autocompleted code', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ce6dfbefc78b2793 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCalloutHelpers.ts:81
			telemetry.track('User clicked on RAG callout', {
				node_type: options.telemetry.nodeType ?? null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9fa77790aa129471 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCalloutHelpers.ts:85
			telemetry.track('User inserted tutorial template', {
				template: templateId,
				source: options.telemetry.source,
				node_type: options.telemetry.nodeType ?? null,
				section: options.telemetry.section ?? null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b80a2e71ae46fc8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:285
		telemetry.track('User tidied up canvas', {
			source,
			target,
			nodes_count: result.nodes.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a2f6e464a5995b0a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:608
			telemetry.track('User deleted workflow note', {
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5aa510c391d7e83a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:613
			telemetry.track('User deleted node', {
				node_type: node.type,
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e9014439f9a3f203 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:1230
		telemetry.track('User inserted workflow note', {
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d2b12a84dace97c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2956
						telemetry.track('User pasted nodes', {
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f28d5b294cc422e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2961
						telemetry.track('User duplicated nodes', {
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f21bc8a7eacaba9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2966
						telemetry.track('User imported workflow', {
							source,
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e057c966e74cb366 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3279
		telemetry.track('User copied nodes', {
			node_types: workflowData.nodes.map((node) => node.type),
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #17272499d939e402 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3353
		telemetry.track('User clicked chat open button', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #33f8fdb781760e97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3538
		telemetry.track('User inserted workflow template', {
			source: 'workflow',
			template_id: tryToParseNumber(templateId),
			wf_template_repo_session_id: templatesStore.previousSessionId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5586cab8379a5791 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCollectionOverhaul.ts:6
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0e64f9b0f89d027d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useErrorHandler.ts:3
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f17696070765e5f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useFreeAiCredits.ts:79
			telemetry.track('User claimed OpenAI credits', { source });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1f3944538074d48d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useGlobalEntityCreation.ts:449
			telemetry.track('User clicked sidebar add variable button');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9a9b130a3695134f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useGlobalEntityCreation.ts:454
			telemetry.track('User clicked sidebar add data table button');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f7933c36098f32e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:90
			telemetry.track(`User hit ${type}`, { commands_length: 1, commands: [command.name] });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4438c47a2ad17795 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:92
			telemetry.track(`User hit ${type}`, {
				commands_length: command.commands.length,
				commands: command.commands.map((c) => c.name),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #20e5e9eb0625a390 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:102
			telemetry?.track('User hit undo in NDV', { node_type: activeNode.type });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #357577a6ffd7d23e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useNodeExecution.ts:427
			telemetry.track('User clicked execute node button', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a3a9f74d7c7bed3a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useNodeHelpers.ts:798
			telemetry.track('User set node enabled status', {
				node_type: node.type,
				is_enabled: node.disabled,
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4d9981d133e7225c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePageRedirectionHelper.ts:63
		telemetry.track('User clicked upgrade CTA', {
			source,
			isTrial: userIsTrialing,
			deploymentType,
			trialDaysLeft,
			executionsLeft,
			workflowsLeft,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d74cf77c0267ff64 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:241
		telemetry.track('Ndv data pinning success', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fb1dbc3a1b10b85d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:255
		telemetry.track('Ndv data pinning failure', {
			pinning_source: source,
			node_type: targetNode?.type,
			push_ref: rootStore.pushRef,
			data_size: stringSizeInBytes(data.value),
			view: displayMode,
			run_index: runIndex,
			error_type: errorType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #458727f914e2bbb9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:307
		telemetry.track('User unpinned ndv data', {
			node_type: targetNode?.type,
			push_ref: rootStore.pushRef,
			run_index: runIndex,
			source,
			data_size: stringSizeInBytes(data.value),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #02d99bcdce5e6bc3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePostMessageHandler.ts:176
		telemetry.track('User opened read-only execution', {
			workflow_id: data.workflowData.id,
			execution_mode: data.mode,
			execution_finished: data.finished,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c954d6106fee1887 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:121
			telemetry.track('User executed test AI workflow', {
				status: data.status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #06fba144fe3113fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:140
			telemetry.track('User executed tutorial template', {
				template: templateId,
				status: data.status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bc1f3be2e17ea70a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:401
		telemetry.track('Instance FE emitted paired item error', eventData);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #91b1c939a3687cc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/trackNodeExecution.ts:23
		telemetry.track('Manual exec errored', {
			error_title: pushData.data.error.message,
			node_type: node?.type,
			node_type_version: node?.typeVersion,
			node_id: node?.id,
			node_graph_string: JSON.stringify(
				TelemetryHelpers.generateNodesGraph(
					workflowDocumentStore.serialize(),
					workflowHelpers.getNodeTypes(),
					{
						isCloudDeployment: settingsStore.isCloudDeployment,
					},
				).nodeGraph,
			),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #558621b0f355e678 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useRunWorkflow.ts:651
		telemetry.track('User clicked execute workflow button', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7ad24274bc317c8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useToast.ts:82
			telemetry.track('Instance FE emitted error', {
				error_title: params.title,
				error_message: messageForTelemetry,
				caused_by_credential: causedByCredential(messageForTelemetry),
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5c1d89c1060028a0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useToast.ts:177
		telemetry.track('Instance FE emitted error', {
			error_title: title,
			error_description: message,
			error_message: error.message,
			caused_by_credential: causedByCredential(error.message),
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #650e73ff40c2423c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowActivate.ts:200
		telemetry.track('User set workflow active status', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #082c5b9c5a382ecb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowExtraction.ts:526
		telemetry.track('User started nodes to sub-workflow extraction', {
			node_count: nodeCount,
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fd1a504dc20734e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowExtraction.ts:533
		telemetry.track('User extracted nodes to sub-workflow', {
			node_count: nodeCount,
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5d3a9cb30e257574 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowInitialization.ts:352
				telemetry.track(
					`User opened workflow from onboarding template with ID ${workflowData.meta.onboardingId}`,
					{ workflow_id: id },
				);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eaaa38566e60208a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowSaving.ts:264
					telemetry.track('User attempted to save locked workflow', {
						workflowId: currentWorkflow,
						sharing_role: getWorkflowProjectRole(currentWorkflow),
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #28aa73788f1d185f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowSaving.ts:523
				telemetry.track('User saved new workflow from template', {
					template_id: tryToParseNumber(String(templateId)),
					workflow_id: workflowData.id,
					wf_template_repo_session_id: templatesStore.previousSessionId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6a7e3797bf6f0f11 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/init.ts:234
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #117ffa0186690605 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/sentry.test.ts:1
import type * as Sentry from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bbd0c946590a6a32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/sentry.ts:4
import * as Sentry from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d58dadb9e83e8ec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry.test.ts:194
			telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cbaa1184e96cea9b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry.test.ts:217
			telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb6713b810ff8dc2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:69
		this.track('Session started', { session_id: rootStore.pushRef });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3472d11819c5d4d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:115
		this.rudderStack.track(event, updatedProperties, {
			context: {
				// provide a fake IP address to instruct RudderStack to not use the user's IP address
				ip: '0.0.0.0',
			},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8e4c1c370288abdb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:123
			usePostHog().capture(event, updatedProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #38ad736b4226e91a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:176
					this.track('Ai code generation finished', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #da5e933ad341b3bc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:190
					this.track('Ai Transform code generation finished', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ab33b7a157a3ac51 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:208
				this.track('User toggled n8n reference option', {
					node: nodeType,
					toValue: change.value,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d6e0f61032d73fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:212
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8f47bfdb48e2f1db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:217
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ffe05485456a6980 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:225
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0e15ba3f0b9ac245 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:238
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b8262a6afc0d6f27 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.ts:256
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1c69d71696f52a5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.ts:306
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1917393285385b15 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/favorites.store.ts:71
			telemetry.track('User toggled favorite', {
				action: 'removed',
				resource_type: resourceType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dfe89c4bb506a302 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/favorites.store.ts:79
			telemetry.track('User toggled favorite', {
				action: 'added',
				resource_type: resourceType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f4f0b2b731ab200c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/logs.store.ts:92
		telemetry.track('User toggled log view sub pane', {
			pane: 'input',
			newState: wasOpen ? 'hidden' : 'visible',
			isSubNode: isSubNodeSelected.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #28468ff988fb224c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/logs.store.ts:113
		telemetry.track('User toggled log view sub pane', {
			pane: 'output',
			newState: wasOpen ? 'hidden' : 'visible',
			isSubNode: isSubNodeSelected.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4e5f87145920017c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:119
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #da7c30e9ff4c02f8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:120
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #05c9c7bdea570ffa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:127
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f312aa3aa43d59c6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:128
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #09c9db032f5b7941 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:152
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0bad8c87fb99a744 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:153
			posthog.init(flags);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #951b8cd4c039903d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:155
			expect(posthog.getVariant('test')).toEqual(flags[TEST]);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9ee3958b83039c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:168
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4d0deb9b0761f24f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:169
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d1006a74f6e34467 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:183
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bbf906984695fe89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:184
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d88c043af533ba88 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:194
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #51a4fb89cef70819 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:196
			posthog.capture('Test event', { test: 'value' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7ea9a633dcd4958c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:204
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #febd26a9ba5c208f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:206
			posthog.capture('Test event', {
				test: 'value',
				$groups: {
					organization: 'n8n',
				},
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #26b074961eefa1ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:226
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6632713a9c164dd4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:227
			posthog.init(flags);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6003a07d1faefdb5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:232
			expect(posthog.getVariant('test')).toEqual('override');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #115d00b5cb3b8a2a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:246
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #23b89606954291c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:247
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9199b86488050cd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:249
			expect(posthog.hasPendingFeatureFlags()).toBe(true);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #51abc19a365af221 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:253
			const waitForFlags = posthog.waitForFeatureFlags().then(() => {

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ebe11081bba82763 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:263
			expect(posthog.hasPendingFeatureFlags()).toBe(false);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1d246efc330e9273 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:264
			expect(posthog.getVariant('test')).toEqual('variant');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0b87284d002252ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.ts:147
		telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
			name,
			variant,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d03cb60171bc9a2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/ui.store.ts:596
		telemetry.track('User clicked to open community node update modal', {
			source,
			package_name: packageName,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #18cb2adee5d579e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/ui.store.ts:646
		telemetry.track('User toggled sidebar', {
			expanded: !sidebarMenuCollapsed.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9b160c4969edab38 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/versions.store.ts:213
								telemetry.track("User clicked on what's new notification", {
									article_id: articleId,
								});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3eaa75bde442a03a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:27
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9372946c97e7e1a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:71
			telemetry.track('User created AI templates starter collection', {
				source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ae09762a5be97ede Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:77
			telemetry.track('User dismissed AI templates starter collection callout');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e5cdbd049f0b3d41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:81
			telemetry.track('User opened AI template workflow', {
				template,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1e3905311304a0e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:87
			telemetry.track('User executed AI template', {
				template,
				status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1bea631b150d631b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:16
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7d8db31a5777d7e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:52
			telemetry.track('App selection page viewed');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #72ce41da0009f3c5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:56
			telemetry.track('App selection search performed', {
				search_term: searchTerm,
				result_count: resultCount,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f2a76ec2a4bbb165 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:67
			telemetry.track('App selection completed', {
				connected_count: connectedCount.value,
				connected_apps: connectedApps,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9f4bdfe828eb5b25 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:25
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #696469168791b331 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:66
			telemetry.track('User submitted empty state builder prompt', {
				prompt_length: prompt.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8529e4a3a7f570c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:103
			telemetry.track('User imported workflow from empty state', {
				node_count: workflowData.nodes?.length ?? 0,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8f110bd024436e89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlGmail/useEnhancedHitlGmailExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1265d6025353138d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlSlack/useEnhancedHitlSlackExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a41016187ece9033 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlTelegram/useEnhancedHitlTelegramExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #64be6ec2409fa86b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/evaluationsWizardSidepanel/useEvaluationsWizardSidepanelExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f1da99bff3cdb8a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:12
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #caf8458c18029f0c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:29
			telemetry.track('MCP expose all workflows confirmed', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3980f917f619a454 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:33
			telemetry.track('MCP expose all workflows declined', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #88fc6060cfb3a45a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:37
			telemetry.track('MCP expose all workflows modal dismissed', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bf8ad465de1c2fb2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiBrowserCredentialSetup/useInstanceAiBrowserCredentialSetupExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b6fdce0c0c2613e1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiBrowserUse/useInstanceAiBrowserUseExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ba9d263d12284117 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiComputerUse/useInstanceAiComputerUseExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a65981328bbc785c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiMcpConnections/useInstanceAiMcpConnectionsExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fbabfb5c20197df7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiPersonalizedPromptSuggestions/useInstanceAiPersonalizedPromptSuggestionsExperiment.ts:9
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b97bd7cea6b4f70d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiProactiveAgent/useInstanceAiProactiveAgentExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f6c9f45af2f90cc8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiPromptSuggestionsV2/useInstanceAiPromptSuggestionsV2Experiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eca2ec63481496c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiSplitEmptyState/useInstanceAiSplitEmptyStateExperiment.ts:6
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #030cde7dde1613e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiTemplateExamples/useInstanceAiTemplateExamplesExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #edcd757aa8d55e67 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/n8nCreditsCredentialSelection/useN8nCreditsCredentialSelectionExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b91071cba96d8248 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:68
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #050ccc85f628de8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:99
		telemetry.track('User was recommended personalized templates', {
			templateIds,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0de0a71c03db04f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:105
		telemetry.track('User clicked on personalized template callout', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dc88d3b9f5d119a5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:111
		telemetry.track('User dismissed personalized template callout', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #18e8d0277753fb10 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:14
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c04d6558f35d5036 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:74
		telemetry.track('User clicked on personalization card');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a15aea21c5486217 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:78
		telemetry.track('User viewed personalization modal');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8354aa7e4c8c5e92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:82
		telemetry.track('User viewed personalization tooltip');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db1c195697878391 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:86
		telemetry.track('User dismissed personalization tooltip');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e588bdc7bb61a399 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:90
		telemetry.track('User clicked on template from modal', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dd305987f7c8028c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:96
		telemetry.track('User clicked on templates repo from modal');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3977a7ae23d68821 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:120
			telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
				name: PERSONALIZED_TEMPLATES_V3.name,
				variant,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #743d0415e2cd8522 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:27
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ef3e79187b9d7dd4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:49
			telemetry.track('User created ready to run workflows', {
				source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #17b87818f27c0974 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:55
			telemetry.track('User dismissed ready to run workflows callout');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #27b2e85ac16a4c8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:59
			telemetry.track('User opened ready to run workflow', {
				template,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9a1a23ed8eba32c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:65
			telemetry.track('User executed ready to run workflow', {
				template,
				status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #523d815b20c65277 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflowsV2/stores/readyToRunWorkflowsV2.store.ts:14
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eb88cbc867588032 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:20
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7dbce31fa28699de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:69
		telemetry.track('User visited resource center');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #430c89152081814b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:73
		telemetry.track('User clicked on resource center tile', { section, type, id });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #240286ee0f940dee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/sidebarExpanded/useSidebarExpandedExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fb659f44cc4bfad5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:28
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #71956e174abfbf08 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:72
			telemetry.track(
				'MCP onboarding entry point viewed',
				getTelemetryPayload({
					surface,
					entry_point: entryPoint,
					mcp_access_enabled: mcpAccessEnabled,
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b323eccce15872a3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:89
			telemetry.track(
				'MCP onboarding opportunity viewed',
				getTelemetryPayload({
					surface,
					entry_point: entryPoint,
					eligible: true,
					surface_available: surfaceAvailable,
					suppressed_by: suppressedBy,
					mcp_access_enabled: mcpAccessEnabled,
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e15c404983660d3f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:106
			telemetry.track(
				'MCP onboarding opened',
				getTelemetryPayload({
					surface,
					...(payload.entryPoint ? { entry_point: payload.entryPoint } : {}),
					...(payload.mcpAccessEnabled !== undefined
						? { mcp_access_enabled: payload.mcpAccessEnabled }
						: {}),
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cdca0db816702f8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:126
			telemetry.track(
				'MCP onboarding dismissed',
				getTelemetryPayload({
					surface,
					...(payload.activeClient ? { active_client: payload.activeClient } : {}),
					...(payload.enabledDuringThisOpen !== undefined
						? { enabled_during_this_open: payload.enabledDuringThisOpen }
						: {}),
					...(payload.mcpAccessEnabled !== undefined
						? { mcp_access_enabled: payload.mcpAccessEnabled }
						: {}),
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7d4a5416aa551704 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:142
			telemetry.track('MCP onboarding enable clicked', getTelemetryPayload({ surface }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3207f60f7af0c006 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:146
			telemetry.track('MCP onboarding enabled', getTelemetryPayload({ surface }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ea7ed4d0c3055dd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:150
			telemetry.track(
				'MCP onboarding enable failed',
				getTelemetryPayload({ surface, error_type: errorType }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f88548d6aaae06a9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:160
			telemetry.track('MCP onboarding client selected', getTelemetryPayload({ surface, client }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb8e65dec434ca95 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:168
			telemetry.track(
				'MCP onboarding setup shown',
				getTelemetryPayload({ surface, client, setup_type: setupType }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8ade2100b974ea12 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:179
			telemetry.track(
				'MCP onboarding copied parameter',
				getTelemetryPayload({ surface, client, parameter }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9e753b0b3d4ceb83 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:17
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d011d24ef8029aa1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:59
			telemetry.track('User clicked on node minicard', {
				tool,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bace59f856d0b36e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:65
			telemetry.track('User visited template recommendation modal tab', {
				tool,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d7d1510d24a8b8f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:71
			telemetry.track('User clicked on template recommendation tile', {
				templateId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f43cb939d1454946 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:77
			telemetry.track('User clicked on template recommendation video', {
				name,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a2196106b008f30c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:83
			telemetry.track('User clicked on template recommendation see more', {
				type,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ce8a5ba08af7ac6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/utils.ts:34
		usePostHog().getVariant(EXTRA_TEMPLATE_LINKS_EXPERIMENT.name) ===

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4c0662335c3c049 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/utils.ts:79
	useTelemetry().track('User clicked on templates', {
		role: useCloudPlanStore().currentUserCloudInfo?.role,
		active_workflow_count: useWorkflowsListStore().activeWorkflows.length,
		source,
	});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1cc786b3b0816cfb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentCreate.ts:57
		telemetry.track('User created agent', {
			agent_id: agent.id,
			source: options.telemetrySource,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7e02a981b8c1fbd1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentTelemetry.ts:30
			telemetry.track(event, props);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2917904c829965da Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:39
		telemetry.track(
			'User started adding agent tool',
			withAgent({ tool_type: toolType, source: 'manual' }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #74c3796acd5c24d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:47
		telemetry.track(
			'User added agent tool',
			withAgent({
				tool_type: ref.type,
				has_approval: ref.requireApproval ?? false,
				...identityProps(ref),
			}),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #382ff062562bb6b3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:59
		telemetry.track(
			'User added agent tool',
			withAgent({
				tool_type: 'mcpServer',
				has_approval: false,
				server_name: server.name,
				authentication: server.authentication,
			}),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #960a9ad76d27ce4b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:72
		telemetry.track(
			'User edited agent tool',
			withAgent({ tool_type: ref.type, ...identityProps(ref) }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d5f97a2eb9873a80 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:80
		telemetry.track(
			'User removed agent tool',
			withAgent({ tool_type: ref.type, ...identityProps(ref) }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1c20a8191a33909d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.test.ts:103
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2116a8ce526471e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:280
			telemetry.track('Assistant session started', {
				chat_session_id: currentSessionId.value,
				task: chatSessionTask.value,
				node_type: chatSessionError.value?.node.type,
				credential_type: chatSessionCredType.value?.name,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db76c994e3ba52a3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:610
			telemetry.track('User executed node after assistant suggestion', {
				task: chatSessionTask.value,
				chat_session_id: currentSessionId.value,
				success: false,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #23f4c5c77a36e6b0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:621
			telemetry.track('User executed node after assistant suggestion', {
				task: chatSessionTask.value,
				chat_session_id: currentSessionId.value,
				success: true,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4d523f6ba0db30d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:696
		telemetry.track('User sent message in Assistant', {
			message,
			is_quick_reply: isQuickReply,
			chat_session_id: currentSessionId.value,
			message_number: usersMessages.value.length,
			task: chatSessionTask.value,
			allow_sending_parameter_values: allowSendingParameterValues.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #45580b16c8fc5ad2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:733
		telemetry.track('User opened assistant', {
			source,
			task,
			has_existing_session,
			instance_id: rootStore.instanceId,
			workflow_id: workflowId,
			canvas_status: canvasStatus,
			node_type: chatSessionError.value?.node?.type,
			error: chatSessionError.value?.error,
			chat_session_id: currentSessionId.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e067102864b4bf53 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.test.ts:172
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d3751f1b0be0ed7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:272
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3c5f97c69da6168f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:510
		telemetry.track('End of response from builder', {
			user_message_id: userMessageId,
			workflow_id: routeWorkflowId.value,
			session_id: trackingSessionId.value,
			tab_visible: document.visibilityState === 'visible',
			code_builder: isCodeBuilder.value,
			mode: builderMode.value,
			...(planApproved ? { plan_approved: true } : {}),
			...getWorkflowModifications(currentStreamingMessage.value),
			...payload,
			...getTodosToTrack(),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4a2071e2e52b0ca4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:797
		telemetry.track('User submitted builder message', trackingPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #65d3cf66ca62782d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:804
			telemetry.track('ai.focusedNodes.chatSent', {
				focused_count: focusedCount,
				has_deictic_ref: hasDeicticRef,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2a391aeb043d93df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:1543
		telemetry.track('Workflow builder journey', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b11988a6aaa7e3a7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.utils.ts:41
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b61aa4e0dec17ead Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/chatPanel.store.ts:45
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #371a32914b3dc8de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/composables/useAskModeCoachmark.ts:23
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fdb1e6453b8fa00c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/composables/useReviewChanges.ts:41
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #91e97f687a9da2d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:30
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ada2804f0ade7cd4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:121
			telemetry.track('ai.focusedNodes.added', {
				source,
				node_count: nodeTypes.length,
				node_types: nodeTypes,
				...(source === 'mention' && options?.mentionQueryLength !== undefined
					? { mention_query_length: options.mentionQueryLength }
					: {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4178fa492daeb86e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:191
			telemetry.track('ai.focusedNodes.removed', {
				method,
				removed_count: 1,
				remaining_count: confirmedNodes.value.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9443ce425dcad8ff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:204
			telemetry.track('ai.focusedNodes.removed', {
				method: 'clear_all',
				removed_count: previousCount,
				remaining_count: 0,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #74012f6c065da666 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:258
			telemetry.track('ai.focusedNodes.removed', {
				method: 'clear_all',
				removed_count: previousCount,
				remaining_count: confirmedNodes.value.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ad970b8e79d74cf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:273
				telemetry.track('ai.focusedNodes.removed', {
					method: 'workflow_changed',
					removed_count: previousCount,
					remaining_count: 0,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #33021cc7540fd06a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:301
				telemetry.track('ai.focusedNodes.removed', {
					method: 'node_deleted',
					removed_count: deletedConfirmedCount,
					remaining_count: confirmedNodes.value.length,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4d85c2700e16988 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:632
		telemetry.track('User sent chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #391870d3a4f2b76b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:757
		telemetry.track('User edited chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			chat_message_id: editId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4d1ffc84fcb9fd5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:832
		telemetry.track('User regenerated chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			chat_message_id: retryId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #22d0da3c9c74dbf8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:1026
		telemetry.track('User created agent', { ...flattenModel(payload) });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1400cf9f45b21ec6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:21
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bd249bd9bdd535c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:42
		telemetry.track('User opened floating chat panel', { source: 'canvas' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a30e52ff06547fa4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:62
		telemetry.track('User popped out floating chat panel', { source: 'canvas' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f038ae48e4b81598 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/components/AgentEditorModal.test.ts:539
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b0f7c6d1047ec1db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/evaluation.ee/components/WizardSidepanel/useWizardPersistence.ts:196
			telemetry.track('User ran evaluation', {
				workflow_id: workflowId,
				run_id: dispatched?.testRunId ?? null,
				metric_count: wizardStore.selectedMetricKeys.length,
				custom_check_count: wizardStore.customChecks.length,
				slice_mode: wizardStore.isSliceMode,
				trigger,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #082296e45a3f95ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/evaluation.ee/composables/useEvalCollectionsFlag.ts:19
	const postHog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #79512b2b42fb87de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:132
		telemetry.track('Instance AI opened from editor', {
			source,
			workflow_id: workflowId,
			execution_id: executionId ?? null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #48eb2471e24c8c69 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:144
			telemetry.track('Instance AI opened from editor', {
				source,
				workflow_id: null,
				execution_id: null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f3e981aadd7295a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:171
		telemetry.track('Instance AI opened from editor', {
			source,
			workflow_id: null,
			execution_id: null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #96414d81bca20014 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.store.ts:188
			telemetry.track('User launched Instance AI thread', {
				thread_id: result.thread.id,
				instance_id: rootStore.instanceId,
				source: launch.source,
				origin: launch.origin,
				...(typeof templateId === 'string' || typeof templateId === 'number'
					? { template_id: templateId }
					: {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7fde76701899b61a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:429
			telemetry.track('User viewed new builder workflow', {
				thread_id: threadId,
				instance_id: rootStore.instanceId,
				workflow_id: workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e3db7dab4742ba4b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:471
			telemetry.track('Builder generation stalled', { thread_id: threadId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #58f8f887557c0444 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:603
					telemetry.track('User finished providing input', {
						thread_id: threadId,
						input_thread_id: conf.inputThreadId ?? '',
						instance_id: rootStore.instanceId,
						type: 'approval',
						provided_inputs: [
							{
								label: conf.message,
								options: ['approve', 'deny', 'approve_always'],
								option_chosen: 'approve_auto',
							},
						],
						skipped_inputs: [],
						auto_resolved: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9a007f15da65db5a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:1004
		telemetry.track('User sent builder message', {
			thread_id: threadId,
			instance_id: rootStore.instanceId,
			is_first_message: isFirstMessage,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d19c5bc18a235f92 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:7
			telemetry.track('Instance AI Connect Browser Use modal opened');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5e8f54bc9537259b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:10
			telemetry.track('Instance AI Install Chrome Browser Extension button clicked');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4e0d2d9ba267a031 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:13
			telemetry.track('Instance AI Open Browser Use Extension button clicked');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ad9aa0ba7c1b2418 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:8
			telemetry.track('Instance AI tools list opened');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #83ba8cc8f25d2ab4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:11
			telemetry.track('Instance AI mcp settings opened', { server_slug: serverSlug });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9603f2c515f3405 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:14
			telemetry.track('Instance AI mcp first credential connection start', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cb9451fd19acafc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:19
			telemetry.track('Instance AI mcp credential dropdown opened', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #aae0f7815b75c495 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:24
			telemetry.track('Instance AI mcp existing credential selected', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a7a450dc4a4d1afe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:29
			telemetry.track('Instance AI mcp new credential connection start', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #249c7d8409668191 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:34
			telemetry.track('Instance AI mcp tool filter settings updated', {
				server_slug: serverSlug,
				inclusion_mode: inclusionMode,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df054f964991a0e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:76
			telemetry.track('Instance AI prompt suggestions shown', createBasePayload(context));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c7a4491455220ecf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:80
			telemetry.track('Instance AI quick examples opened', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				position: context.position,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4a17e9245282810f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:88
			telemetry.track('Instance AI prompt suggestions cycled', {
				...context.telemetryPayload,
				suggestion_catalog_version: resolveSuggestionCatalogVersion(context),
				visible_suggestion_ids: context.visibleSuggestionIds,
				cycle_count: context.cycleCount,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bf1ceaa7010b7a1e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:97
			telemetry.track('Instance AI prompt suggestion selected', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				suggestion_kind: context.suggestionKind,
				position: context.position,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ff334ba8b4cb68f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:106
			telemetry.track('Instance AI prompt suggestion submitted', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				suggestion_kind: context.suggestionKind,
				position: context.position,
				prompt_modified: context.promptModified,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec9a261893fb353f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/useResponseFeedback.ts:116
			telemetry.track('User rated workflow generation', {
				thread_id: threadId,
				response_id: responseId,
				helpful: payload.rating === 'up',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6c746817f329c388 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/useResponseFeedback.ts:128
			telemetry.track('User submitted workflow generation feedback', {
				thread_id: threadId,
				response_id: responseId,
				feedback: payload.feedback,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d24b474fcd1f617 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:141
		telemetry.track('Instance AI workflow setup step shown', getStepTelemetryPayload(step));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6601fe34fc5672f9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:152
		telemetry.track(
			'Instance AI workflow setup step handled',
			getStepTelemetryPayload(step, outcome),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #63d227ea9d12a645 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:198
		telemetry.track('User finished providing input', {
			...getSetupTelemetryContext(),
			provided_inputs: provided,
			skipped_inputs: skipped,
			explicitly_skipped_inputs: explicitlySkipped,
			num_tasks: deps.sections.value.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a7f0a08170586930 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/mcpAccess/composables/useMcp.ts:7
		telemetry.track('User gave MCP access to workflow', { workflow_id: workflowId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f34daca059163c23 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/mcpAccess/composables/useMcp.ts:11
		telemetry.track('User toggled MCP access', { state: enabled });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c0e33676f76cb89e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:142
			telemetry.track('User deleted data table column', {
				column_id: columnId,
				column_type: columnToDelete.cellDataType,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #22f890e29822afa8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:181
			telemetry.track('User renamed data table column', {
				column_id: columnId,
				column_type: columnToRename.cellDataType,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #acef7c0dc5d43481 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:212
			telemetry.track('User added data table column', {
				column_id: newColumn.id,
				column_type: newColumn.type,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ccf1872ddaee15e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:266
			telemetry.track('User added row to data table', {
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #49110dc04ecb6b02 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:302
			telemetry.track('User edited data table content', {
				data_table_id: dataTableId,
				column_id: colDef.colId,
				column_type: colDef.cellDataType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #01f51fab4a21fe15 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:379
			telemetry.track('User deleted rows in data table', {
				data_table_id: dataTableId,
				deleted_row_count: idsToDelete.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6b6f62d6ef7969e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/composables/useCredentialOAuth.ts:339
			telemetry.track('User created credentials', {
				credential_type: credential.type,
				credential_id: credential.id,
				workflow_id: workflowsStore.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ad47394c28a99a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/composables/useCredentialOAuth.ts:372
		telemetry.track('User saved credentials', trackProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #67b3662fd6f7ecdd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/quickConnect/composables/useQuickConnect.ts:150
		telemetry.track('User clicked quick connect button', {
			source,
			credential_type: credentialTypeName,
			node_type: nodeType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6fdc44227bb358a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionDebugging.ts:154
		telemetry.track('User clicked debug execution button', {
			instance_id: useRootStore().instanceId,
			exec_status: isFullExecutionResponse(execution) ? execution.status : '',
			override_pinned_data: pinnableNodes.length === pinnings,
			all_exec_data_imported: missingNodeNames.length === 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #401229794f581384 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionHelpers.ts:116
		telemetry.track(
			metadata.parentExecution
				? 'User clicked parent execution button'
				: 'User clicked inspect sub-workflow',
			{
				view,
			},
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #af09072fd26674fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionPreviewDocument.ts:261
			telemetry.track('User opened read-only execution', {
				workflow_id: data.workflowData.id,
				execution_mode: data.mode,
				execution_finished: data.finished,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a17132f7c6de1098 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionRedaction.ts:35
		telemetry.track('User clicked reveal data', {
			workflow_id: workflowDocumentStore.value.workflowId,
			execution_id: workflowExecutionStateStore.value.activeExecution?.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cf6fdacebe3e3bfb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:72
			telemetry.track('User toggled log view', { new_state: 'attached' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a8f95a1e2df0e806 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:86
		telemetry.track('User toggled log view', {
			new_state: wasOpen ? 'collapsed' : 'attached',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0f594cd33276417b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:92
		telemetry.track('User toggled log view', { new_state: 'floating' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f5a35656d0ead73a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsSelection.ts:66
				telemetry.track('User selected node in log view', {
					node_type: value.node.type,
					node_id: value.node.id,
					execution_id: execution.value?.id,
					workflow_id: execution.value?.workflowData.id,
					subworkflow_depth: getDepth(value),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2954c08d7f208fbb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsSelection.ts:74
				telemetry.track('User selected canvas group in log view', {
					group_id: value.group.id,
					node_count: value.group.nodeIds.length,
					execution_id: execution.value?.id,
					workflow_id: execution.value?.workflowData.id,
					subworkflow_depth: getDepth(value),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #96b38626128a574c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/integrations/sourceControl.ee/sourceControl.utils.ts:63
					telemetry.track('User clicked review variables');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e4ec461a3d764f02 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/integrations/sourceControl.ee/sourceControl.utils.ts:86
					telemetry.track('User clicked review credentials');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c31212dcff2015fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:678
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #55ee70b352002c0b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:748
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d07ac6a98fc4f921 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:1101
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dfe43e6a17b94246 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/schemaPreview.store.ts:67
		telemetry.track('User executed node with schema preview', {
			node_id: id,
			node_type: type,
			node_version: typeVersion,
			node_resource: resource,
			node_operation: operation,
			schema_preview: JSON.stringify(result.result),
			output_schema: JSON.stringify(generateJsonSchema(pushEvent.data.data?.main?.[0]?.[0]?.json)),
			workflow_id: workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a563549a5a512489 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/shared/ndv.utils.ts:29
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #55c282228f0a5622 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/roles/composables/useRolesListActions.ts:57
			telemetry.track('User duplicated role', {
				role_id: item.slug,
				role_name: item.displayName,
				permissions: item.scopes,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7ddfb1188f3d5201 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/settings/communityNodes/composables/useInstallNode.ts:68
			telemetry.track('user started cnr package install', {
				input_string: props.packageName,
				has_quick_connect: props.telemetry.hasQuickConnect,
				source: props.telemetry.source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #52f5cf11b7495ba2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/settings/sso/provisioning/composables/useUserRoleProvisioningForm.ts:111
		telemetry.track('User updated provisioning settings', {
			instance_id: useRootStore().instanceId,
			authentication_method: protocol,
			assignment_method: getTelemetryAssignmentMethod(roleAssignment.value),
			role_mapping_method: getTelemetryRoleMappingMethod(mappingMethod.value),
			instance_rule_count: ruleSaveResult?.instanceRuleCount ?? 0,
			project_rule_count: ruleSaveResult?.projectRuleCount ?? 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #257220daf8a492dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/setupPanel/setupPanel.store.ts:11
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b42333e64ccf18d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useCommandBar.ts:245
		telemetry.track('User executed command bar command', {
			command_id: item.id,
			command_section: item.section,
			view,
			parent_command_id: parentItem?.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fe534c3f6f743433 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useExecutionCommands.ts:163
			telemetry.track('User clicked retry execution button', {
				workflow_id: workflowId.value,
				execution_id: activeExecution.value.id,
				retry_type: loadWorkflow ? 'current' : 'original',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #50af4118862520e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useWorkflowCommands.ts:368
					telemetry.track('User exported workflow', { workflow_id: workflowData.id });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #879b4cb6e6c04443 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/editors/plugins/codemirror/resolvableHighlighter.ts:6
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #635e244e1e047991 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/nodeCreator/composables/useActionsGeneration.test.ts:37
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3706de05c1c04e0b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/nodeCreator/nodeCreator.store.ts:342
		telemetry.track(event, {
			...properties,
			nodes_panel_session_id: nodePanelSessionId.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #28266376d9bfad5d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:36
			telemetry.track('User grouped nodes', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #119ef315d773afdb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:39
			telemetry.track('User ungrouped nodes', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6c6d9d1e3896a22f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:42
			telemetry.track('User collapsed group', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2ccf99a092b4ac4c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:45
			telemetry.track('User expanded group', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ded586a104b18397 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/experimental/experimentalNdv.store.ts:18
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4de8fd3d8f481500 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:119
		telemetry.track('User executed ready to run AI workflow', {
			status,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9a69c760ced85934 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:125
		telemetry.track('User executed ready to run AI workflow successfully');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #05c67ac94c24f84d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:136
			telemetry.track('User claimed OpenAI credits');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dfb52e40620694d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:153
		telemetry.track('User opened ready to run AI workflow', {
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #341af85f17139d5c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:22
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b5115059bbdd1824 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:49
		telemetry.track('User viewed template detail', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #116c4287080cfb0d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:55
		telemetry.track('User viewed template cell', {
			tileNumber,
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #40cdcea3af7097c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:159
		telemetry.track('User closed cred setup', {
			completed: false,
			creds_filled: 0,
			creds_needed: credentialUsages.value.length,
			workflow_id: null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ad7c2312ef70b766 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:196
			telemetry.track('User closed cred setup', {
				completed: true,
				creds_filled: numFilledCredentials.value,
				creds_needed: credentialUsages.value.length,
				workflow_id: createdWorkflow.id,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8fe98d392ad7a07f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:203
			telemetry.track('User inserted workflow template', {
				source: 'workflow',
				template_id: tryToParseNumber(templateId.value),
				wf_template_repo_session_id: templatesStore.currentSessionId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f7518ea622a1953 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:209
			telemetry.track('User saved new workflow from template', {
				template_id: tryToParseNumber(templateId.value),
				workflow_id: createdWorkflow.id,
				wf_template_repo_session_id: templatesStore.currentSessionId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1660cf894278a657 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/utils/templateActions.ts:81
	telemetry.track('User opened cred setup', { source });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 11 low-confidence finding(s)
low env_fs production #28761be07385b862 Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e801b0d80ac54b0d Environment-variable access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8
	process.env.NODE_POPULARITY_ENDPOINT ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb87ffd58cc2d5e8 Environment-variable access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:10
const FAIL_ON_ERROR = process.env.N8N_FAIL_ON_POPULARITY_FETCH_ERROR === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #becfcf709bef0b0b Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:44
		const content = await fs.readFile(OUTPUT_FILE, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d293feabc9ee330c Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:54
	await fs.writeFile(OUTPUT_FILE, JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5103b8b01c1f2d56 Environment-variable access.
repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:24
	server.urlPrefix = process.env.API_URL || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #b87dcc5409befe84 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration. Test harness — not production egress.
repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:35 · flow /tmp/closeopen-gagie1_z/repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:35
	server.post('/rest/:any', async () => ({}));

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #dc208129156f8bc3 Environment-variable access.
repo/packages/frontend/editor-ui/src/__tests__/setup.ts:86
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #bbde872aab01f5ac Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/frontend/editor-ui/src/app/api/workflow-webhooks.ts:13
	return await post(N8N_API_BASE_URL, CONTACT_EMAIL_SUBMISSION_ENDPOINT, {
		instance_id: instanceId,
		user_id: `${instanceId}#${currentUser.id}`,
		email,
		agree,
		agree_updates: true,
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #019b5bef1c70737e Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/frontend/editor-ui/src/app/composables/useBugReporting.ts:31
		const url = new URL(BASE_FORUM_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #64a21db824be1a48 Filesystem access.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/__tests__/InstanceAiPreviewTabBar.test.ts:139
		const source = readFileSync(
			'src/features/ai/instanceAi/components/InstanceAiPreviewTabBar.vue',
			'utf8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/cli

npm first-party
high pii_flow production #4136dbee5775777a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/license/license.service.ts:71 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/license/license.service.ts:78 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/license/license.service.ts:71
		await this.http.request({
			url: 'https://enterprise.n8n.io/enterprise-trial',
			method: 'POST',
			body: {
				licenseType: 'enterprise',
				firstName: user.firstName,
				lastName: user.lastName,
				email: user.email,
				instanceUrl: this.urlService.getWebhookBaseUrl(),
			},
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a6e36cf3e89695d9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174
		const sent = await thread.post(await this.toPostable(params.descriptor, input.message, params));

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #16f0716057b60f78 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277
		return await this.http.request({
			url: '/api/v4/secrets',
			method: 'GET',
			qs: {
				projectId: this.settings.projectId,
				environment: this.settings.environment,
				secretPath: this.settings.secretPath,
			},
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ccf519a7d3200ae7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33
		const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #64bab82f97b7288d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81
		const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #45a059f5f95ee7e5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401
			const requestResponse = await this.outboundHttp
				.requests({ ssrf: 'disabled' }) // The destination URL is admin-configured, so SSRF protection is disabled.
				.request(request);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1e03824ff7d28b14 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/oauth/oauth.service.ts:1096 · flow /tmp/closeopen-gagie1_z/repo/packages/cli/src/oauth/oauth.service.ts:1067 → /tmp/closeopen-gagie1_z/repo/packages/cli/src/oauth/oauth.service.ts:1096
		const registerResult = await this.http.request({
			url: registration_endpoint,
			method: 'POST',
			body: registerPayload,
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #c5a1c0af1cfbf2d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/concurrency/concurrency-control.service.ts:138
				this.telemetry.track('User hit concurrency limit', {
					threshold: CLOUD_TEMP_PRODUCTION_LIMIT - capacity,
					concurrencyQueue: type,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #020b924523eddeaf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:17
		expect(maskIp(input)).toBe(expected);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #e9ebbf62b7619053 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:36
		setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'GET' }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #1f09103e63c79c07 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:45
		setPostHogProxyHeaders(proxyReq, createReq({ method: 'GET' }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #ee966bb74308f278 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:54
		setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'POST', rawBody }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #769f6448eb0249c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/telemetry.controller.test.ts:122
		await controller.track(req, res, next);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d6d7773a61d3b53a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/evaluation-collection.service.ts:187
		this.telemetry.track('Eval collection created', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collection.id,
			evaluation_config_id: input.evaluationConfigId,
			version_count: input.versions.length,
			existing_run_count: existingRunIds.length,
			new_run_count: runsStartedIds.length,
			dataset_id: this.extractDatasetId(config),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #715117aadabb7b06 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/evaluation-collection.service.ts:264
		this.telemetry.track('Eval collection deleted', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collectionId,
			runs_unlinked: runsUnlinked,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6c23fcf64d92fc8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/insights/eval-insights.service.ts:143
		this.telemetry.track('Eval collection insights generated', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collectionId,
			model_used: response.modelUsed,
			duration_ms: Date.now() - startMs,
			status: response.status,
			regressions_found: response.insights.regressions.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b37c4b991f57b85d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:741
			this.telemetry.track('User ran test', {
				user_id: user.id,
				run_id: testRun.id,
				workflow_id: workflowId,
				run_type: runType,
				via,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #818be2e21f8b6665 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:1207
			this.telemetry.track('Test run finished', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4ad441cafc804e18 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runs.controller.ee.ts:107
		this.telemetry.track('User deleted a run', { run_id: testRunId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0bbed322bc5a0af6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runs.controller.ee.ts:145
		this.telemetry.track('User cancelled a test case', {
			run_id: req.params.id,
			case_id: caseId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bbacbe3a8d350912 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:224
		this.telemetry.track('Instance AI mcp connected', {
			user_id: userId,
			server_slug: serverSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3c6a3113597c80b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:234
		this.telemetry.track('Instance AI mcp disconnected', {
			user_id: userId,
			server_slug: serverSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8db8f0906c2ae7cd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:253
		this.telemetry.track('Project settings updated', {
			user_id: userId,
			role,
			project_id: projectId,
			members: members?.map(({ userId: user_id, role }) => ({ user_id, role })),
			otel_project_custom_tags_count: otelProjectCustomTagsCount,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3a5f9d913c03a451 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:269
		this.telemetry.track('User deleted project', {
			user_id: userId,
			role,
			project_id: projectId,
			removal_type: removalType,
			target_project_id: targetProjectId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #73df2704ca4bb162 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:279
		this.telemetry.track('User created project', {
			user_id: userId,
			role,
			uiContext,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #12b31c0a94e40330 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:297
		this.telemetry.track('User updated source control settings', {
			branch_name: branchName,
			read_only_instance: readOnlyInstance,
			repo_type: repoType,
			connected,
			connection_type: connectionType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8265026c8e8d5851 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:312
		this.telemetry.track('User started pull via UI', {
			user_id: userId,
			workflow_updates: workflowUpdates,
			workflow_conflicts: workflowConflicts,
			cred_conflicts: credConflicts,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8f8403e714fdcef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:324
		this.telemetry.track('User finished pull via UI', {
			user_id: userId,
			workflow_updates: workflowUpdates,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb0af04f8f49fede Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:334
		this.telemetry.track('User pulled via API', {
			workflow_updates: workflowUpdates,
			forced,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d0b89c101c569c3d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:348
		this.telemetry.track('User started push via UI', {
			user_id: userId,
			workflows_eligible: workflowsEligible,
			workflows_eligible_with_conflicts: workflowsEligibleWithConflicts,
			creds_eligible: credsEligible,
			creds_eligible_with_conflicts: credsEligibleWithConflicts,
			variables_eligible: variablesEligible,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a6133e14d505f856 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:365
		this.telemetry.track('User finished push via UI', {
			user_id: userId,
			workflows_eligible: workflowsEligible,
			workflows_pushed: workflowsPushed,
			creds_pushed: credsPushed,
			variables_pushed: variablesPushed,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5f5fba34060a72fb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:379
		this.telemetry.track('Instance attempted to refresh license', {
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c0ab6a5401212856 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:389
		this.telemetry.track('User registered for license community plus', {
			user_id: userId,
			email,
			licenseKey,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f733520079d5f34e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:401
		this.telemetry.track('User created variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #347699aaa7a9c77e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:408
		this.telemetry.track('User updated variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f81018332dfffbac Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:415
		this.telemetry.track('User deleted variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4bf91e632e0d4f99 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:432
		this.telemetry.track('User updated external secrets settings', {
			user_id: userId,
			vault_type: vaultType,
			is_valid: isValid,
			is_new: isNew,
			error_message: errorMessage,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #12dee986cb674071 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:444
		this.telemetry.track('User reloaded external secrets', {
			vault_type: vaultType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1fa009918f57ab6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:455
		this.telemetry.track('User created external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d1fe621b18f7f77c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:470
		this.telemetry.track('User updated external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b7e2798b58a36604 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:485
		this.telemetry.track('User deleted external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #26e100fb8b3b39e1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:498
		this.telemetry.track('User toggled external secrets system roles', {
			user_id: userId,
			enabled,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4dbe65acb9bf11aa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:527
		this.telemetry.track('API key created', {
			user_id: user.id,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #478ec05717ece432 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:536
		this.telemetry.track('API key deleted', {
			user_id: user.id,
			public_api: publicApi,
			is_own: isOwn,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ea1bb5cf8c7b0621 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:546
		this.telemetry.track('API key rotated', {
			user_id: user.id,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #76c91061afa2e585 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:567
		this.telemetry.track('cnr package install finished', {
			user_id: user.id,
			input_string: inputString,
			package_name: packageName,
			success,
			package_version: packageVersion,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
			failure_reason: failureReason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d90b44cf62ad6a9c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:589
		this.telemetry.track('cnr package updated', {
			user_id: user.id,
			package_name: packageName,
			package_version_current: packageVersionCurrent,
			package_version_new: packageVersionNew,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec59682e70c8ae39 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:608
		this.telemetry.track('cnr package deleted', {
			user_id: user.id,
			package_name: packageName,
			package_version: packageVersion,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #acd8b314290e625a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:635
		this.telemetry.track('User created credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			project_id: projectId,
			project_type: projectType,
			uiContext,
			is_private: isDynamic ?? false,
			uses_external_secrets: usesExternalSecrets ?? false,
			jwe_enabled: jweEnabled ?? false,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2c7b0a5d952937e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:659
		this.telemetry.track('User updated cred sharing', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			user_id_sharer: userIdSharer,
			user_ids_sharees_added: userIdsShareesAdded,
			sharees_removed: shareesRemoved,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9761e4901a6eceb6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:680
		this.telemetry.track('User updated credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			is_private: isDynamic ?? false,
			uses_external_secrets: usesExternalSecrets ?? false,
			jwe_enabled: jweEnabled ?? false,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dbbe12b5fbbe00d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:698
		this.telemetry.track('User deleted credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #06494c05296a08ed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:711
		this.telemetry.track('User disconnected own credential connection', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5f967fef9ac660e6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:726
		this.telemetry.track('User created end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			project_id: projectId,
			project_type: projectType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #829fb2414cc0b3c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:741
		this.telemetry.track('User made credential end-user', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #575c5b5706f28027 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:754
		this.telemetry.track('User made credential fixed', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b4cfd912e8db992 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:767
		this.telemetry.track('User cleared end-user credential connections', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e8ed26df7976ea99 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:780
		this.telemetry.track('User deleted end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cb7eb20427ea14c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:795
		this.telemetry.track('User connected to end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f05ff6aa176f7e1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:815
		this.telemetry.track('Ldap general sync finished', {
			type,
			succeeded,
			users_synced: usersSynced,
			error,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0952760eec604180 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:837
		this.telemetry.track('User updated Ldap settings', {
			user_id: userId,
			loginIdAttribute,
			firstNameAttribute,
			lastNameAttribute,
			emailAttribute,
			ldapIdAttribute,
			searchPageSize,
			searchTimeout,
			synchronizationEnabled,
			synchronizationInterval,
			loginLabel,
			loginEnabled,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c463bebc0d3246e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:854
		this.telemetry.track('Ldap login sync failed', { error });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a45d852980983d00 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:860
		this.telemetry.track('User login failed since ldap disabled', { user_ud: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb7272808f8953da Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:872
		this.telemetry.track('Sso user project access update', {
			user_id: userId,
			projects_removed: projectsRemoved,
			projects_added: projectsAdded,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5038325f39a20387 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:883
		this.telemetry.track('Sso user instance role update', { user_id: userId, role });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #edf0c3f51c18ad28 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:901
		this.telemetry.track('User created workflow', {
			user_id: user.id,
			workflow_id: workflow.id,
			node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
			public_api: publicApi,
			project_id: projectId,
			project_type: projectType,
			meta: JSON.stringify(workflow.meta),
			otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
			otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
			otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
			uiContext,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #20efc0b8d6fbd987 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:918
		this.telemetry.track('User archived workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cc5e422b7bf33657 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:930
		this.telemetry.track('User unarchived workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #63ea9e3945412462 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:938
		this.telemetry.track('User deleted workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6c98fe334a23f250 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:997
		this.telemetry.track('User activated workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
			source,
			private_credentials_count: privateCredentialsCount,
			private_credential_types: privateCredentialTypes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c93c291aa235b2d8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1014
		this.telemetry.track('User deactivated workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
			deactivated_version_id: deactivatedVersionId,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6c27255a609d5e22 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1028
		this.telemetry.track('User updated workflow sharing', {
			workflow_id: workflowId,
			user_id_sharer: userIdSharer,
			user_id_list: userIdList,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #36106041575f0a2e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1036
		this.telemetry.track('User imported n8n package', {
			user_id: user.id,
			workflow_conflict_policy: options.workflowConflictPolicy,
			workflow_id_policy: options.workflowIdPolicy,
			credential_matching_mode: options.credentialMatchingMode,
			credential_missing_mode: options.credentialMissingMode,
			workflow_publishing_policy: options.workflowPublishingPolicy,
			workflows_created: counts.workflows.created,
			workflows_updated: counts.workflows.updated,
			workflows_skipped: counts.workflows.skipped,
			credentials_matched: counts.credentials.matched,
			credentials_created: counts.credentials.created,
			credentials_required: counts.credentials.requirements,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #87cf31f94ccc5b49 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1053
		this.telemetry.track('User exported n8n package', {
			user_id: user.id,
			workflow_count: counts.workflows,
			folder_count: counts.folders,
			credential_count: counts.credentials,
			data_table_count: counts.dataTables,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b085f6c1bcaa2ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1069
		this.telemetry.track('User package export failed', {
			user_id: user.id,
			reason,
			workflow_count: workflowIds?.length ?? 0,
			folder_count: folderIds?.length ?? 0,
			project_count: projectIds?.length ?? 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #aa055865b5145dd0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1079
		this.telemetry.track('User package import failed', {
			user_id: user.id,
			reason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a674085d781cf6c0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1163
		this.telemetry.track('User saved workflow', {
			user_id: user.id,
			workflow_id: workflow.id,
			node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
			notes_count_overlapping: overlappingCount,
			notes_count_non_overlapping: notesCount - overlappingCount,
			version_cli: N8N_VERSION,
			num_tags: workflow.tags?.length ?? 0,
			public_api: publicApi,
			sharing_role: userRole,
			meta: JSON.stringify(workflow.meta),
			workflow_edited_no_pos: workflowEditedNoPos,
			credential_edited: credentialEdited,
			ai_builder_assisted: aiBuilderAssisted ?? false,
			credential_resolver_id: credentialResolverId,
			identity_extractor_changed: identityExtractorChanged,
			redaction_policy: redactionPolicy,
			private_credentials_count: privateCredentialsCount,
			private_credential_types: privateCredentialTypes,
			otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
			otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
			otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c2c47bffbe3a96b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1259
					this.telemetry.track('User ran out of free AI credits');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f9e60e73fda3e226 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1387
					this.telemetry.track('Manual node exec finished', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #788d57bbc3158339 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1400
					this.telemetry.track('Manual workflow exec finished', manualExecEventProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #523604c42a6340db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1549
		this.telemetry.track('Instance started', {
			...info,
			earliest_workflow_created: firstWorkflow?.createdAt,
			otel,
			settings_managed_by_env_vars: settingsManagedByEnvVars,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #26b116448739bcaa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1632
		this.telemetry.track('Session started', { session_id: pushRef });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b6a5f7767a60dc17 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1636
		this.telemetry.track('User instance stopped');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b6e183929ed5494 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1645
		this.telemetry.track('Owner finished instance setup', { user_id: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #83c8fe639dc5f1a1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1653
		this.telemetry.track('Workflow first prod success', {
			project_id: projectId,
			workflow_id: workflowId,
			user_id: userId ?? undefined,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b90412eea7d67255 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1665
		this.telemetry.track('Instance first prod failure', {
			project_id: projectId,
			workflow_id: workflowId,
			user_id: userId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ff36e1aa4897200b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1680
		this.telemetry.track('Workflow first data fetched', {
			user_id: userId,
			workflow_id: workflowId,
			node_type: nodeType,
			node_id: nodeId,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5673165469455f43 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1707
		this.telemetry.track('User changed role', {
			user_id: userId,
			target_user_id: targetUserId,
			target_user_new_role: targetUserNewRole,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b8e23bf241453b81 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1716
		this.telemetry.track('User retrieved user', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82cebebd878bd6e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1723
		this.telemetry.track('User retrieved all users', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2fffb03aa5737ce3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1730
		this.telemetry.track('User retrieved execution', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c0e86bc29eed513d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1740
		this.telemetry.track('User retrieved all executions', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f7119f7d52f395f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1747
		this.telemetry.track('User retrieved workflow', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a57da042bee83f11 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1757
		this.telemetry.track('User retrieved workflow version', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2e6528f29fd5296b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1767
		this.telemetry.track('User retrieved all workflows', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0baee87a73ad2bed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1782
		this.telemetry.track('User changed personal settings', {
			user_id: user.id,
			fields_changed: fieldsChanged,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d64e4b2db57d3b44 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1796
		this.telemetry.track('User deleted user', {
			user_id: user.id,
			public_api: publicApi,
			target_user_old_status: targetUserOldStatus,
			migration_strategy: migrationStrategy,
			target_user_id: targetUserId,
			migration_user_id: migrationUserId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0116d6b8b46f52dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1820
		this.telemetry.track('User invited new user', {
			user_id: user.id,
			target_user_id: targetUserId,
			public_api: publicApi,
			email_sent: emailSent,
			invitee_role: inviteeRole,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #543f026a4220ab34 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1847
		this.telemetry.track('User signed up', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1567d7c253f23d72 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1862
		this.telemetry.track('User responded to personalization questions', personalizationSurveyData);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fcca4b7b095d4382 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1870
		this.telemetry.track('Instance failed to send transactional email to user', {
			user_id: user.id,
			message_type: messageType,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #133615fe86fc4276 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1882
		this.telemetry.track('User sent transactional email', {
			user_id: userId,
			message_type: messageType,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9258cdd284e1221a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1981
		this.telemetry.track('User clicked invite link from email', {
			user_id: invitee.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5a2f7f1f277a4235 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1987
		this.telemetry.track('User clicked password reset link from email', {
			user_id: user.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0448854bdb9de3e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1995
		this.telemetry.track('User requested password reset while logged out', {
			user_id: user.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6b3ffc0b82953c1b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2012
		this.telemetry.track('Instance compacted workflow history', {
			workflows_processed: workflowsProcessed,
			total_versions_seen: totalVersionsSeen,
			total_versions_deleted: totalVersionsDeleted,
			window_start_iso: new Date(windowStartIso),
			window_end_iso: new Date(windowEndIso),
			error_count: errorCount,
			compaction_start_time_iso: compactionStartTime,
			compaction_duration_ms: durationMs,
			compaction_batch_delay_ms: this.globalConfig.workflowHistoryCompaction.batchDelayMs,
			compaction_batch_size: this.globalConfig.workflowHistoryCompaction.batchSize,
			compaction_trimming_optimizing_time_window_hours:
				this.globalConfig.workflowHistoryCompaction.optimizingTimeWindowHours,
			compaction_trimming_time_window_days:
				this.globalConfig.workflowHistoryCompaction.trimmingTimeWindowDays,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9031a67fb42bca2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2038
		this.telemetry.track('User updated instance policies', {
			user_id: user.id,
			[settingName]: value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35a927d7319d28b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2050
		this.telemetry.track('User confirmed reveal data', {
			user_id: user.id,
			execution_id: executionId,
			workflow_id: workflowId,
			redaction_policy: redactionPolicy,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4b49bd56c635b98b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2063
		this.telemetry.track('User created custom role', {
			user_id: userId,
			role_slug: roleSlug,
			scopes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a321ac88e00ad06f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2071
		this.telemetry.track('User updated custom role', {
			user_id: userId,
			role_slug: roleSlug,
			scopes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d7ca8babb9ba7e6d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2079
		this.telemetry.track('User deleted custom role', {
			user_id: userId,
			role_slug: roleSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5d7f8b6de001d57e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2094
		this.telemetry.track('User imported workflows via server cli', {
			active_state: activeState,
			workflow_count: workflowCount,
			separate,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #955e5299642b6b12 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2108
		this.telemetry.track('User exported workflows via server cli', {
			selector,
			published,
			separate,
			backup,
			workflow_count: workflowCount,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #405946f394b517bc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/data-table/data-table-size-validator.service.ts:62
			this.telemetry.track('User hit data table storage limit', {
				total_bytes: size.totalBytes,
				max_bytes: this.globalConfig.dataTable.maxSize,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9fb1095cfdc2de4d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/browser/instance-ai-browser-session.service.ts:224
		this.telemetry.track('Instance AI Browser connected', { user_id: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a41b70cc61a03f09 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:108
			this.telemetry.track('Builder credits claimed', {
				instance_id: this.instanceSettings.instanceId,
				user_id: user.id,
				thread_id: threadId,
				agent_run_id: dedupeId,
				status,
				success: false,
				error_message: getErrorMessage(error),
				attempted_usage: usage,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7d03062b6b54efbe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:176
		this.telemetry.track('Builder credits claimed', {
			instance_id: this.instanceSettings.instanceId,
			user_id: user.id,
			thread_id: threadId,
			agent_run_id: dedupeId,
			status,
			success: true,
			credits_used: delta,
			credits_claimed_total: creditsClaimed,
			credits_quota: creditsQuota,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #951e4cbcc91bb379 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:194
				this.telemetry.track('User exhausted assistant quota', {
					instance_id: this.instanceSettings.instanceId,
					user_id: user.id,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b8b2d650b3376ecb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-gateway.service.ts:81
		this.telemetry.track('User connected to Computer Use', {
			user_id: userId,
			tool_groups: data.toolCategories.filter((c) => c.enabled).map((c) => c.name),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b7e9138891044958 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:289
		this.telemetry.track('instance_ai_terminal_response_decision', {
			thread_id: threadId,
			run_id: runId,
			message_group_id: messageGroupId,
			source: 'terminal_guard',
			status: decision.status,
			action: decision.action,
			reason: decision.reason,
			visibility_source: decision.visibilitySource,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f29d0b5132502c87 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:417
					this.telemetry.track('instance_ai_terminal_response_decision', {
						thread_id: threadId,
						run_id: outcome.runId,
						message_group_id: outcome.messageGroupId,
						task_id: outcome.taskId,
						source: 'terminal_outcome_replay',
						status: outcome.status,
						action: published ? 'replay_event' : 'already-emitted',
						visibility_source: 'background-outcome',
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3428f24064401913 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:452
			this.telemetry.track('instance_ai_terminal_response_decision', {
				thread_id: threadId,
				run_id: outcome.runId,
				message_group_id: outcome.messageGroupId,
				task_id: outcome.taskId,
				source: 'terminal_outcome_replay',
				status: outcome.status,
				action,
				visibility_source: 'background-outcome',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c726bfedc85010ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:531
			this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
				thread_id: task.threadId,
				run_id: task.runId,
				task_id: task.taskId,
				status: outcome.status,
				phase: 'metadata',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fe97abc96367e4a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:543
		this.telemetry.track('instance_ai_terminal_response_decision', {
			thread_id: task.threadId,
			run_id: task.runId,
			message_group_id: task.messageGroupId,
			task_id: task.taskId,
			source: 'background_outcome',
			status: outcome.status,
			action: published ? 'emit' : 'already-emitted',
			visibility_source: 'background-outcome',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #752d7d63cb56c4ce Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:564
			this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
				thread_id: task.threadId,
				run_id: task.runId,
				task_id: task.taskId,
				status: outcome.status,
				phase: 'snapshot',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9dec28b2d5ddc9ec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:459
		this.telemetry.track('instance_ai_gateway_available', {
			nodeCount: config.nodes.length,
			credentialTypeCount: config.credentialTypes.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #04a772e941010bbf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:635
					telemetry.track('Builder published workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
						executed_by: 'ai',
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #170fff9c1f93324b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:808
					telemetry.track('Builder created workflow', {
						thread_id: threadId,
						workflow_id: updated.id,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #97d9c2f5713e9fdf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:889
					telemetry.track('Builder modified workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4fea84f52b5b216 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:1197
					telemetry.track('Builder executed workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
						executed_by: 'ai',
						pinned_node_count: Object.keys(runData.pinData ?? {}).length,
						exec_type: runData.executionMode,
						status,
						...(error ? { error } : {}),
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #95fb6f973d2f08a2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:1700
			this.telemetry?.track('instance_ai_workflow_verification_obligation', {
				event,
				thread_id: obligation.threadId,
				run_id: obligation.runId,
				task_id: obligation.taskId,
				planned_task_id: obligation.plannedTaskId,
				work_item_id: obligation.workItemId,
				workflow_id: obligation.workflowId,
				source: obligation.source,
				policy: obligation.policy,
				status: obligation.status,
				readiness_status: obligation.readiness?.status,
				setup_status: obligation.setupRequirement?.status,
				has_evidence: obligation.evidence?.attempted === true,
				evidence_success: obligation.evidence?.success,
				blocking_reason: obligation.blockingReason,
				...extra,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3121b1691708561b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:2093
			this.telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b5f5fe4aa3d8b496 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:2110
				this.telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b578f55699b27d77 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3386
					this.telemetry.track('Builder sent message', {
						thread_id: threadId,
						message: intermediateText,
						is_intermediate: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #202a37abe3599f3e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3553
				this.telemetry.track('Builder sent message', {
					thread_id: threadId,
					message: outputText,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8325f08659303c4c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3557
				this.telemetry.track('Builder satisfied user intent', {
					thread_id: threadId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #48ea37caf501458d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4528
					this.telemetry.track('Builder sent message', {
						thread_id: opts.threadId,
						message: intermediateText,
						is_intermediate: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ce76bdabbcc920b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4696
				this.telemetry.track('Builder sent message', {
					thread_id: opts.threadId,
					message: outputText,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #12c660453bbc62ec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4700
				this.telemetry.track('Builder satisfied user intent', {
					thread_id: opts.threadId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0cdaabe77998c2fb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5141
		this.telemetry.track('Builder asked for input', {
			thread_id: threadId,
			input_thread_id: inputThreadId,
			type,
			num_steps: numSteps,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1f37386b6cdae228 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5227
		this.telemetry.track('instance_ai_run_finished', {
			thread_id: threadId,
			run_id: runId,
			status: effectiveStatus,
			...(userId ? { user_id: userId } : {}),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1625e058b8cca463 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5234
			this.telemetry.track('Builder generation errored', {
				thread_id: threadId,
				run_id: runId,
				error_message: errorInfo?.errorMessage ?? reason ?? 'unknown',
				...(errorInfo?.errorSource ? { error_source: errorInfo.errorSource } : {}),
				...(userId ? { user_id: userId } : {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ee38004b2b9b2f04 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5518
			this.telemetry.track('Instance AI mcp tool called', {
				user_id: userId,
				server_slug: serverSlug,
				tool_name: toolName,
				success,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2897f8b0e20353e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-sentry.ee.ts:1
import * as Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d71dce54c1dd3c47 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp-server-middleware.service.ts:144
		this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #68e692dcba721c32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp.controller.ts:222
		this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #10f1dd03a9bc7d65 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp.service.ts:472
					this.telemetry.track(MCP_PREVIEW_RENDER_REQUESTED_EVENT, {
						user_id: user.id,
						client_name: clientInfo?.name,
						client_version: clientInfo?.version,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #01ed6a27cf30ef11 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-column.tool.ts:74
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0e06fb24adfa1309 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-column.tool.ts:83
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82fa460a355ec390 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-rows.tool.ts:76
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #67453f3bcb3679a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-rows.tool.ts:88
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c80dd6c4f91b6420 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/create-data-table.tool.ts:90
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #374654ef5a115a97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/create-data-table.tool.ts:102
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #63ca7d672403167d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/delete-data-table-column.tool.ts:59
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5e13282fd85f0327 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/delete-data-table-column.tool.ts:68
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #411cc6d4b15698ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table-column.tool.ts:75
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c1f77a2d6948b757 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table-column.tool.ts:84
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bfdf92fda5172d09 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table.tool.ts:58
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c35ffe07c5886cf3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table.tool.ts:67
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #515df246bc37f461 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/search-data-tables.tool.ts:91
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0e02b2a82dfd9872 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/search-data-tables.tool.ts:104
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1536b7da34355a8f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/execute-workflow.tool.ts:147
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82f6046e8560913c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/execute-workflow.tool.ts:181
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #853bd90a41015b4e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-execution.tool.ts:157
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6db2a21e1a490b7e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-execution.tool.ts:195
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a406e6b361e6c010 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-details.tool.ts:87
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1f4eb5936dc7da56 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-details.tool.ts:99
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cea2f05881b66914 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-history.tool.ts:102
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35c879299a515260 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-history.tool.ts:125
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5a18a1ef16805cc7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-version.tool.ts:110
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #41820865f23d37f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-version.tool.ts:140
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #67c5b0372d072cf9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-credentials.tool.ts:135
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #96436df560daf937 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-credentials.tool.ts:147
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df95351d1120b135 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-tags.tool.ts:96
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b44a5f15a8e5a9ba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-tags.tool.ts:107
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0b77c57ba391a948 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/prepare-workflow-pin-data.tool.ts:100
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4db415fbd9dda6e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/prepare-workflow-pin-data.tool.ts:109
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3c6a74b707b4c5e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/publish-workflow.tool.ts:93
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e8b739c6b56c6173 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/publish-workflow.tool.ts:115
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2671a4df6077affb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-executions.tool.ts:150
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #472db5c0c800d850 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-executions.tool.ts:165
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eb005a2511466502 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:75
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3aa9a7043f9a8895 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:103
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #52c2775984a4590b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:116
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb6224decd841c58 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-projects.tool.ts:166
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3d155119ee360c6b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-projects.tool.ts:179
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2374a058dc3f6e42 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-workflows.tool.ts:130
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f064a5d5e1416917 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-workflows.tool.ts:148
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #66f0e46f3fc2fd47 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/test-workflow.tool.ts:112
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #440feedf227ab7de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/test-workflow.tool.ts:136
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ae942c20b4588f0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/unpublish-workflow.tool.ts:82
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b3a291470253934b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/unpublish-workflow.tool.ts:103
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4d85f99e2a576041 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/connection-structure-check.ts:174
	telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b3e05f3aaa453ead Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:211
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #829d0463df660a7e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:328
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #101387da0c971152 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:389
					telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #adc56c87ca1d93bd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:416
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #de474e24d8d2b9d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/delete-workflow.tool.ts:71
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #271bda6189ae4d75 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/delete-workflow.tool.ts:90
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fc98bc2ff7879d64 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/explore-node-resources.tool.ts:128
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #13549697e9aa273c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/explore-node-resources.tool.ts:141
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6cc4cfd15f61ed57 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-best-practices.tool.ts:140
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ddca3ac341ac36d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-best-practices.tool.ts:151
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c5fc96dff9105dcc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-node-types.tool.ts:68
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #044ae191246ec5ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-node-types.tool.ts:79
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e5126453bb8102c5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-sdk-reference.tool.ts:68
		telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c44729db6d44c543 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/restore-workflow-version.tool.ts:128
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #34415c602f80f326 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/restore-workflow-version.tool.ts:151
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2caf184d0359a01c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/search-workflow-nodes.tool.ts:67
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6e828d1bfbec7015 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/search-workflow-nodes.tool.ts:78
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f89dbb2a6ad10dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/update-workflow.tool.ts:744
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bede49cc21cb4e71 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/update-workflow.tool.ts:771
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7af72ae2d317efe7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-node.tool.ts:133
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0874af71bc9c47ed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-node.tool.ts:148
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b33023283ced0719 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-workflow-code.tool.ts:104
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #791e976acaf98636 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-workflow-code.tool.ts:126
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #7b2ba8607db5a08d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:5
import { PostHog } from 'posthog-node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #ab5a2e274051f496 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:52
		ph.track({
			userId: 'test',
			event: 'test',
			properties: {},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #8b32398d3b5cd5ba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:72
		ph.track({
			userId,
			event,
			properties,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #52ed405c938493d3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:89
		ph.track({
			userId: instanceId,
			event: 'Instance started',
			properties: { instance_id: instanceId },
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #76d876fa01302824 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:102
		ph.track({
			userId: '',
			event: 'Some event',
			properties: {},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #07dcae70bd412988 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/index.ts:7
import type { PostHog, FeatureFlagEvaluations } from 'posthog-node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1b4dfce0ab655bda Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/services/ai-workflow-builder.service.ts:122
			this.telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0962ac8376dc8629 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/services/user.service.ts:173
			publicUser.featureFlags = await posthog.getFeatureFlags(publicUser);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #ef95a8811969b4ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1020
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #c5ba45b3d912640e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1035
			telemetry.track('Test Event', { user_id: '1234' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #57e8be871f2ee1e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1051
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #07ab70cca65962c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1070
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #2b6de232205893e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1082
			telemetry.track(eventName, {});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #5fefe3892b62a75e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1094
			telemetry.track(eventName, {});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cc7b7e0196649a9b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:233
				this.track('Public API usage', {
					user_id: userId,
					total_calls: entry.total_calls,
					first: entry.first,
					endpoints: JSON.stringify(entry.endpoints),
					user_agents: JSON.stringify(entry.user_agents),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #619d225117f14069 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:261
		this.track('pulse', pulsePacket);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8bd9123a20ba6de Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:279
			this.track('Workflow execution count', {
				event_version: '2',
				workflow_id: workflowId,
				...this.executionCountsBuffer[workflowId],
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #727b131d4efd96db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:303
			this.track('Agent execution count', {
				event_version: '1',
				agent_id,
				...(user_id ? { user_id } : {}),
				...counts,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2c5935a72df909d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:337
			this.track('Agent session metrics', {
				event_version: '1',
				agent_id: bucket.agent_id,
				...(bucket.agent_type ? { agent_type: bucket.agent_type } : {}),
				...bucket.configuration,
				run_type: bucket.run_type,
				turn_status: bucket.turn_status,
				session_count: sessions.length,
				turn_count: turnCount,
				latency_ms_sum: latencyMsSum,
				cost_sum: costSum,
				tool_call_count_sum: toolCallCountSum,
				num_skills_sum: numSkillsSum,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0179661d139a2d9c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:390
				this.track('Workflow execution with end-user credentials', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3bfa1f79f2265cb3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:398
				this.track('Workflow execution errored', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9106ff38a7347505 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:597
		this.postHog?.track(payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f4bca6b9e8b1950b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:599
		return this.rudderStack.track(rudderStackPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 680 low-confidence finding(s)
low env_fs production #38015f691c37682d Environment-variable access.
repo/packages/cli/bin/n8n:7
process.env.NODE_CONFIG_DIR = process.env.NODE_CONFIG_DIR || path.join(__dirname, 'config');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #114668f60a310b0c Environment-variable access.
repo/packages/cli/bin/n8n:38
if (process.env.E2E_TESTS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90e1e9018bac931a Environment-variable access.
repo/packages/cli/bin/n8n:48
if (process.env.NODEJS_PREFER_IPV4 === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14a60e84f293c4d Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:1
import { mkdir, readFile, readdir, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b296a9c5fc247def Environment-variable access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:28
		process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61727cc8b63b2a9d Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:51
				const contents = await readFile(join(dir, file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a544367e922850a6 Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:63
	const contents = await readFile(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #820af6a102190ffe Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:73
	await writeFile(outputPath, `${JSON.stringify(records, null, 2)}\n`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #feae8cd16d510c92 Filesystem access.
repo/packages/cli/scripts/build.mjs:2
import { writeFileSync, existsSync, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2215cdf94dff0e4c Environment-variable access.
repo/packages/cli/scripts/build.mjs:15
const publicApiEnabled = process.env.N8N_PUBLIC_API_DISABLED !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #debd2128c4accdcb Filesystem access.
repo/packages/cli/scripts/build.mjs:110
	writeFileSync(path.resolve(ROOT_DIR, 'dist/timezones.json'), JSON.stringify({ data }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c142a027983d685 Filesystem access.
repo/packages/cli/scripts/bundle-agent-library.mjs:16
import { writeFileSync, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1fc860f874e2831 Filesystem access.
repo/packages/cli/scripts/bundle-agent-library.mjs:71
	writeFileSync(OUTPUT_FILE, bundle, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f20b38edb0a48f69 Filesystem access.
repo/packages/cli/src/__tests__/external-hooks.test.ts:21
	const { mkdtempSync, writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1308e838d6a23921 Filesystem access.
repo/packages/cli/src/__tests__/external-hooks.test.ts:28
	writeFileSync(
		p,
		'module.exports = { workflow: { create: [(...args) => globalThis.__extHookFn(...args)] } };',
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1413fac586d15e1 Filesystem access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:7
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01a772f252d742ac Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:50
	const originalNodePath = process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9ffc72875da8786 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:59
			delete process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9d9b87dfd48d1c3 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:61
			process.env.NODE_PATH = originalNodePath;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d5c789cfa6ca753 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:67
		process.env.NODE_PATH = existingPath;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3223f1294b0f5f6d Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:71
		process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03253546239a1629 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:75
		expect(process.env.NODE_PATH).toContain(existingPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5bd209d8d5215ac Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:76
		expect(process.env.NODE_PATH?.endsWith(existingPath)).toBe(true);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06cdd54692254311 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:80
		delete process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d69a9967c8acfbf Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:83
		process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3fcc354eb4b36ca6 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:87
		expect(process.env.NODE_PATH).toBe(modulePaths.join(delimiter));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7fc0fa8bab92a8e8 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:88
		expect(process.env.NODE_PATH).not.toContain('undefined');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f299a2b2a77a42c5 Filesystem access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:219
			writeFileSync(join(schemaDir, 'get.json'), JSON.stringify({ type: 'object' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5126cd63a191e277 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:279
			process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b0f07b8520462f1 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:299
			delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fab306b8db2bc5d9 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:304
			delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #197a20f2e3f9e203 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:339
			process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #809d755f91e7be5e Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:258
		delete process.env.ENABLE_OBSERVABILITY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #968a103e16f98003 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:262
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dcd762eabf0b3f15 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:266
		process.env.ENABLE_OBSERVABILITY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fa44c6711dea385 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:270
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c60b3c3e31e6742b Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:274
		process.env.ENABLE_OBSERVABILITY = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #994f6af2086b7096 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:278
		expect(process.env.ENABLE_OBSERVABILITY).toBe('false');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06c686429d2357a3 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:282
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2aa435b14e7400f7 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:286
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fff60e57ab9e50d7 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:290
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #981a4405b7bc961e Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:294
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48a06e949f8482e3 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:298
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0b4a52a9abd614c Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:302
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('false');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea8857e157321962 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:306
		delete process.env.ENABLE_OBSERVABILITY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34c51818de47986a Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:307
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee9f9d7dd5a55dfb Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:311
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0ab1bcc441e75a2 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:312
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91844db86160de35 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:316
		process.env.ENABLE_OBSERVABILITY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65da0dcf8472615b Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:317
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7865da5f5530837e Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:321
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cdbd984087c67d1 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:322
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #453cf13b28e9b3c3 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:326
		process.env.ENABLE_OBSERVABILITY = 'custom-value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e0fbb75dfc2b5bb Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:327
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #952c50567e5c6c55 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:331
		expect(process.env.ENABLE_OBSERVABILITY).toBe('custom-value');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #984b98c4af245de5 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:332
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f683f63d5d7c8f5 Filesystem access.
repo/packages/cli/src/abstract-server.ts:8
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #075830fa357c11a1 Filesystem access.
repo/packages/cli/src/abstract-server.ts:181
					key: await readFile(this.sslKey, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #709e6f1c81f17551 Filesystem access.
repo/packages/cli/src/abstract-server.ts:182
					cert: await readFile(this.sslCert, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c392ca1fb15567ee Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:212
				originalPreviewMode = process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23f453d32f4bfd92 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:221
					delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1c7d04ca10e078f Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:223
					process.env.N8N_PREVIEW_MODE = originalPreviewMode;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #993ce8626cb7b0d7 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:228
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20bdb67f297b8435 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:246
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9bc65148e656ad2 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:264
				process.env.N8N_PREVIEW_MODE = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4770b072954271c1 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:282
				delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #269cdef66d44dfb6 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:300
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe652d884c9cad90 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:321
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7c8e89e1f543cb4 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:485
				const originalPreviewMode = process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75e4a8b4fa2010ca Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:486
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #00f584564622f3c6 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:507
					delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #307f71e2d4055de3 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:509
					process.env.N8N_PREVIEW_MODE = originalPreviewMode;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55aadc7203a5ddd4 Environment-variable access.
repo/packages/cli/src/auth/auth.service.ts:160
			const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5506a0c9d3762725 Filesystem access.
repo/packages/cli/src/binary-data/__tests__/database.manager.integration.test.ts:294
		await writeFile(tempFilePath, buffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6ebd63f43560964 Filesystem access.
repo/packages/cli/src/binary-data/__tests__/database.manager.integration.test.ts:324
		await writeFile(tempFilePath, oversizedBuffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #695563ae659018d2 Filesystem access.
repo/packages/cli/src/binary-data/database.manager.ts:135
		const buffer = await readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f5887c604412e7f Filesystem access.
repo/packages/cli/src/blob-storage/__tests__/fs-byte-store.integration.test.ts:58
		const onDisk = await fs.readFile(join(storagePath, 'a/b/c/blob.json'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da872d955f6d6bab Filesystem access.
repo/packages/cli/src/blob-storage/fs-byte-store.ts:30
			await fs.writeFile(tempPath, body);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0d509468f15af08 Filesystem access.
repo/packages/cli/src/blob-storage/fs-byte-store.ts:44
			return await fs.readFile(readPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0b84ce9b87b557d Environment-variable access.
repo/packages/cli/src/commands/base-command.ts:170
		if (process.env.EXECUTIONS_PROCESS === 'own') process.exit(-1);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46b8f1c9620b828c Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd640bc9dceb7e92 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:246
				const contents = fs.readFileSync(flags.ids, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c42f0c983959d086 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:270
				const contents = fs.readFileSync(flags.skipList, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86dbe86bf80f58a3 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:337
			fs.writeFileSync(flags.output, this.formatJsonOutput(results));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83b47b979d79f855 Environment-variable access.
repo/packages/cli/src/commands/execute-batch.ts:534
		const output = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7cdd934f76023b6 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:811
								const contents = fs.readFileSync(fileName, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17d9ce6b9c3c2084 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:854
							fs.writeFileSync(fileName, serializedData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da676ef8aaa873f0 Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #019230a1a9d2b436 Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:148
				fs.writeFileSync(filename, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63472f18deca95b8 Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:154
				fs.writeFileSync(flags.output, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa2e181279f6c038 Filesystem access.
repo/packages/cli/src/commands/export/nodes.ts:3
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0714bdb56e9a3246 Filesystem access.
repo/packages/cli/src/commands/export/nodes.ts:4
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fe2dc8be0e02295 Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1843dbe6129e511d Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:158
				fs.writeFileSync(filename, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fff7f186fd3edff4 Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:164
				fs.writeFileSync(flags.output, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9864fe5bd2fc0bd Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:15
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16eada72e323909b Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:248
				jsonParse<Partial<CredentialsEntity>>(fs.readFileSync(file, { encoding: 'utf8' })),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bde4e866dc74a395 Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:252
				fs.readFileSync(inputPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd602880b006d047 Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:13
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #762ccaae21c665d2 Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:253
				fs.readFileSync(path, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f5c486193724a30 Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:269
			const workflow = jsonParse<IWorkflowToImport>(fs.readFileSync(file, { encoding: 'utf8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20bc617f7bffa1fb Filesystem access.
repo/packages/cli/src/commands/start.ts:14
import { createReadStream, createWriteStream, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92c3e35c4ec113ba Filesystem access.
repo/packages/cli/src/commands/start.ts:15
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6275ad8c183a15cc Environment-variable access.
repo/packages/cli/src/commands/start.ts:136
			environment: process.env.ENVIRONMENT || 'development',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc1bec10115ea014 Environment-variable access.
repo/packages/cli/src/commands/start.ts:137
			serverName: process.env.DEPLOYMENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed317c4d27c342d5 Environment-variable access.
repo/packages/cli/src/commands/start.ts:208
			if (process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #561ce93577afd3b8 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:51
	const originalEvalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b72a986d5ebc080 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:53
		process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #622c9638c9719133 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:56
		if (originalEvalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c257bb16b6c789a Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:57
		else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEvalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #604f90bceb5e1530 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:221
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b91c891efbcfd63 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:226
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6b1b24de5362fe7 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:297
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb53f2173f28222b Filesystem access.
repo/packages/cli/src/config/index.ts:5
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #937c4a0cd142901a Environment-variable access.
repo/packages/cli/src/config/index.ts:17
	process.env.EXTERNAL_FRONTEND_HOOKS_URLS = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a102928eea9912da Environment-variable access.
repo/packages/cli/src/config/index.ts:18
	process.env.N8N_PERSONALIZATION_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cdf1a285fadc42b9 Environment-variable access.
repo/packages/cli/src/config/index.ts:19
	process.env.N8N_AI_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74b623ca93aace42 Environment-variable access.
repo/packages/cli/src/config/index.ts:23
	process.env.SKIP_STATISTICS_EVENTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b853d582355229a7 Environment-variable access.
repo/packages/cli/src/config/index.ts:25
	process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25586fe5d1f4f87c Filesystem access.
repo/packages/cli/src/config/index.ts:47
					value = readFileSync(fileName, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beacb20225ef16af Filesystem access.
repo/packages/cli/src/constants.ts:2
import { readFileSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2798e501738da157 Filesystem access.
repo/packages/cli/src/constants.ts:28
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69ee1b954b3d26ac Filesystem access.
repo/packages/cli/src/constants.ts:30
	readFileSync(aiAssistantPackageJsonPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a25280efaffe5b1 Filesystem access.
repo/packages/cli/src/constants.ts:33
	readFileSync(workflowSdkPackageJsonPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #823e886acbcd66d4 Environment-variable access.
repo/packages/cli/src/constants/workflow-reviews.ts:6
	return process.env[WORKFLOW_REVIEWS_ENV_FEATURE_FLAG] === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e61b63fd05f9a384 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:38
	const originalWorkflowReviewsFlag = process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b5e8dbb69bd559a Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:43
		delete process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4442179066ae978 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:49
			delete process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e39ff941f0a248a7 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:51
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = originalWorkflowReviewsFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fa3c7df9ec995f3 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:96
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da84139b854f24c5 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:154
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1fcc72b44e153c1 Filesystem access.
repo/packages/cli/src/controllers/__tests__/translation.controller.test.ts:15
	const { mkdtempSync, writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81a8b0e2d3a112c7 Filesystem access.
repo/packages/cli/src/controllers/__tests__/translation.controller.test.ts:22
	writeFileSync(p, JSON.stringify({ translation: 'string' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b601403169ec33f3 Filesystem access.
repo/packages/cli/src/controllers/instance-ai-examples.controller.ts:101
		const raw = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbaf0b0a5e00f468 Filesystem access.
repo/packages/cli/src/controllers/third-party-licenses.controller.ts:3
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd2f8c766d2410fd Filesystem access.
repo/packages/cli/src/controllers/third-party-licenses.controller.ts:19
			const content = await readFile(licenseFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22f4b3a929505b88 Filesystem access.
repo/packages/cli/src/controllers/translation.controller.ts:5
import { access } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e8bd0aabedf3f5e Filesystem access.
repo/packages/cli/src/crash-journal.ts:3
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5186b10a3a669b6 Filesystem access.
repo/packages/cli/src/crash-journal.ts:4
import { mkdir, utimes, open, rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #185dbe5e37614236 Environment-variable access.
repo/packages/cli/src/databases/repositories/__tests__/workflow-statistics.integration.test.ts:10
const runOnSqlite = (process.env.DB_TYPE ?? 'sqlite') === 'sqlite';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff8f3da59a3331ae Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:31
		const originalEnv = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b70c2dbf76cc516e Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:35
				process.env[envVar] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db52aaa320046c0b Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:37
				delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ec4a973586040e8 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:53
				process.env[envVar] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #856ebd296c6a6874 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:55
				delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #326218a09743a876 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:85
					process.env[envVar] = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f3694b8d2ae34bf Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:108
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab6deab3fc481494 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:124
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8bf1daada144eb2a Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:140
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #319c8db3edc8e6ba Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:147
					process.env[envVar] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0ad55e1ba093bb3 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:156
					delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9efe1203e07a2c15 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:176
			delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b45d494ef217b7cc Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:187
			process.env[envVar] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c784b421b8b57d6e Environment-variable access.
repo/packages/cli/src/deprecation/deprecation.service.ts:129
			const envValue = process.env[d.envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f53f6c07b63459e7 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:28
	const originalEnv = process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac165a83cb35f86e Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:31
		if (originalEnv === undefined) delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dc4a7a23f9c0f67 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:32
		else process.env[ENV_VAR] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c511cd532d58398f Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:41
			process.env[ENV_VAR] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a418fa1861565f96 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:52
			process.env[ENV_VAR] = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66c40b8c71b3d78c Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:66
			delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d23df179cb1b2bfa Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:96
			delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #238a30d19e22992b Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:135
	const originalEnv = process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #733605a76c911473 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:138
		if (originalEnv === undefined) delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f24fc65eaa33a4f0 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:139
		else process.env[ENV_VAR] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5097cfed49bbf77d Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:143
		process.env[ENV_VAR] = '3';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #353644d6d0830f63 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:148
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94c6d35ed363eee8 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:153
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee40ff338290a0e1 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:158
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bbe8800299c464f Environment-variable access.
repo/packages/cli/src/evaluation.ee/evaluation-concurrency.helper.ts:68
	if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d1d2c0099767002 Environment-variable access.
repo/packages/cli/src/evaluation.ee/evaluation-concurrency.helper.ts:87
	if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) return 'env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c51776bf93c97b26 Filesystem access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:12
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0912f896d31e6346 Filesystem access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:54
	readFileSync(path.join(__dirname, './mock-data/workflow.under-test.json'), { encoding: 'utf-8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72c3edeb105f9779 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:550
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6db9a9729d2c5be Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:621
			delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c55c6e858cf70717 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2340
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5016955ad411faf Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2341
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '5';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d5d807fb1b191595 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2349
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75528f9ddb10ad4e Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2350
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b8b72d4004c43b9 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2379
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7d027125eccce8d Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2380
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #96e5a7f85fc1ebf9 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2392
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #863fc34b843f4a59 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2393
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #beaf8a8005f7ef80 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2462
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6246eed65a20d2f8 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2463
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fee713b32d67cee Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2480
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #910484a6840dc190 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2481
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c25555bcf9d60a7 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:404
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76a46c3d94457703 Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/__tests__/message-event-bus-log-writer.test.ts:43
		writeFileSync(path, lines.join('\n') + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2a59e8650e5f98c Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer-worker.ts:1
import { appendFileSync, existsSync, rmSync, renameSync, openSync, closeSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38a40de40fbb438f Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer-worker.ts:2
import { stat } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48f03a127722051f Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer.ts:5
import { createReadStream, existsSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc021461a2a4a2fa Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus/__tests__/message-event-bus.test.ts:112
		writeFileSync(stalePath, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f041dc35639cd8a Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1481
				process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a44ce1625433c32e Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1485
				delete process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36dc2f134d75cba0 Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1502
				delete process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a693dc438cf3baf Environment-variable access.
repo/packages/cli/src/execution-lifecycle/execution-lifecycle-hooks.ts:708
				process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES === 'true' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8013f2c9cded1e1 Filesystem access.
repo/packages/cli/src/load-nodes-and-credentials.ts:7
import fsPromises from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #652bff5f35c487cd Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:79
		process.env.NODE_PATH = [module.paths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15499a9388b22815 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:92
		if (process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2be4ff3755d183e3 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:307
		if (process.env[CUSTOM_EXTENSION_ENV] !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09e6d4eb6349dc09 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:308
			const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17abf76e91779b5f Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:392
		return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b00abd519562120 Filesystem access.
repo/packages/cli/src/metrics/prometheus/pss-metrics.service.ts:29
					const content = readFileSync('/proc/self/smaps_rollup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #373a71b1af54718a Filesystem access.
repo/packages/cli/src/metrics/prometheus/pss-metrics.service.ts:43
			readFileSync('/proc/self/smaps_rollup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06989d8c289f2489 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:174
		await writeFile(textFilePath, 'hello world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17fbe139c32ea03c Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:175
		await writeFile(pdfFilePath, '%PDF-1.4');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ce8b3339e77a506 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:252
		await writeFile(firstPath, 'hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b92c83d5e60315f9 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:253
		await writeFile(secondPath, 'world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14046ca2051c46f3 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:287
		await writeFile(filePath, 'hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #537f295c768ccd74 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:331
		await writeFile(tempFilePath, 'x');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad604aaf19db0b54 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:512
		await writeFile(tempFilePath, 'hello world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #217baa9ee02a9b86 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-secure-runtime.test.ts:2
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3fadd7da04746862 Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:25
	for (const key of ENV_KEYS) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d5d154cec27e27d Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:116
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16e4f768dc1fb34f Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:226
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24e00c4b71111036 Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:246
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9072c284a01d586f Environment-variable access.
repo/packages/cli/src/modules/agents/builder/agents-builder-settings.service.ts:40
	const key = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #963034d15dbe3945 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02619723d582370b Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:16
	readFileSync(join(__dirname, 'fixtures/slack/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c83137427f30be8b Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:19
	readFileSync(join(__dirname, 'fixtures/telegram/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da82dd686d0bbec2 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:1
import { mkdtemp, rm, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #fe54648ad7d67dd2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:76
			await fetch('https://api.telegram.org/bot123456:secret/sendMessage', {
				method: 'POST',
				headers: requestHeaders,
				body: '{}',
			});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #aab213c1ded112b7 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:136
		await writeFile(filePath, 'x', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bff08634ad842c03 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/linear/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #00761d53306de89e Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/linear/recorded-integration.test.ts:13
	readFileSync(join(__dirname, '../../../__tests__/fixtures/linear/recorded-session.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4754b52f8b6b6b49 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/slack/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #950d2a02a1327505 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/slack/recorded-integration.test.ts:12
	readFileSync(join(__dirname, '../../../__tests__/fixtures/slack/recorded-session.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12c02b15116a5ae6 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d2dc33615b428eb Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:25
	readFileSync(join(__dirname, '../../../__tests__/fixtures/telegram/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e491556648bdc3d Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:28
	readFileSync(
		join(__dirname, '../../../__tests__/fixtures/telegram/recorded-session.json'),
		'utf8',
	),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a925b76e7348b651 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:1
import { mkdir, readFile, readdir, rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acdbd0deb9406538 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:161
	const ref = process.env.N8N_AGENT_INTEGRATION_RECORDING_REF ?? 'local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd21819685db5060 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:247
			options.enabled ?? process.env.N8N_AGENT_INTEGRATION_RECORDING_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #054d5fc811a7b568 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:250
				process.env.N8N_AGENT_INTEGRATION_RECORDING_SESSION_ID ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40262786ebedc5d0 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:255
			process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42a3c4f259f78f59 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:385
					const contents = await readFile(join(this.recordingDir, file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #327d51e57b4d83ac Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:398
		const contents = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5be7808af1b777b Filesystem access.
repo/packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:4
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93427618cd974844 Filesystem access.
repo/packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:139
			this.libraryBundle = readFileSync(LIBRARY_BUNDLE_PATH, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f31271a09f04ceae Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/dotenv-upgrade.rule.test.ts:33
			delete process.env.DOTENV_CONFIG_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db6fd7921685d34d Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/oauth-callback-auth.rule.test.ts:18
			delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da88aaaddc24c1f4 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/oauth-callback-auth.rule.test.ts:30
				process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ffcd9111555677e8 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:49
			const originalValue = process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ed2b1d4f05d2557 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:51
				process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e15af80b5a0a0763 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:67
					delete process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e04c2888e8a54ee Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:69
					process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = originalValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4675d4e978874a2 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/queue-worker-max-stalled-count.rule.test.ts:12
			delete process.env.QUEUE_WORKER_MAX_STALLED_COUNT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a234d7790bdfa943 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/queue-worker-max-stalled-count.rule.test.ts:21
			process.env.QUEUE_WORKER_MAX_STALLED_COUNT = '10';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0892840293902e46 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:15
		originalEnvValue = process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc2f3e75932318e0 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:17
		delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e823270f70920c5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:22
			delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e6560e161b00600 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:24
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = originalEnvValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #818e331765113a65 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:43
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5001996a7d746c3b Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:53
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb4d7e6c46bf1c83 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/disabled-nodes.rule.ts:56
		if (process.env.NODES_EXCLUDE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1c87d20709d41a5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/oauth-callback-auth.rule.ts:30
		if (process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45239b589d5a9299 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/process-env-access.rule.ts:34
		if (process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7011eb4fc83a1479 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/queue-worker-max-stalled-count.rule.ts:36
		if (!process.env.QUEUE_WORKER_MAX_STALLED_COUNT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82ecf09b60bfbd9d Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/settings-file-permissions.rule.ts:42
		if (process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca97522a780a0b98 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:9
		delete process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab73751dffb86d88 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:10
		delete process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b919911e8988163 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:28
			process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dcbb4e42a49cdfcb Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:38
			process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ceee802752caba5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:48
			process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8ac97b19f7a2deb Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:49
			process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e61b7eb9e7ddf6d Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:13
		delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #981a7f8d0e6e335b Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:33
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6fcfa026a22ea7b Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:53
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae689e66ab841a84 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/task-runner-task-timeout.rule.test.ts:9
		delete process.env.N8N_RUNNERS_TASK_TIMEOUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f76ab0d5e940fd6 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/task-runner-task-timeout.rule.test.ts:28
			process.env.N8N_RUNNERS_TASK_TIMEOUT = '300';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78603fc32077d086 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:13
		delete process.env.N8N_UNVERIFIED_PACKAGES_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #708bed09a5b6fa86 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:33
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02254584e4ced79b Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:41
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0901a66eaf48f8b1 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/compression-node-limits.rule.ts:28
		if (process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec472dcac3613763 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/compression-node-limits.rule.ts:37
		if (process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aea2392704fad4ea Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/offload-manual-executions.rule.ts:31
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87e939483d079423 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/task-runner-task-timeout.rule.ts:26
		if (process.env.N8N_RUNNERS_TASK_TIMEOUT !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76353c8d6277b4a5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/unverified-packages.rule.ts:31
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED === undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4292f49db978bc3 Filesystem access.
repo/packages/cli/src/modules/chat-hub/chat-hub-agent.service.ts:12
import { readFile, unlink } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131fdac049803683 Filesystem access.
repo/packages/cli/src/modules/chat-hub/chat-hub-agent.service.ts:449
			const buffer = file.buffer ?? (await readFile(file.path));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f82a1bdf3e6a70cb Environment-variable access.
repo/packages/cli/src/modules/chat-hub/chat-hub-workflow.service.ts:101
		if (process.env.N8N_SKIP_CHAT_WORKFLOW_CLEANUP !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8745555a8bf04613 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:29
		delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f28424092163742e Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:52
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7593c40ad82d43ec Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:64
			process.env.ENVIRONMENT = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a17bb46c1f3e079f Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:70
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a34f0abf2fa97a81 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:22
		process.env.N8N_DISABLED_MODULES = 'community-packages';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35e55391f0256b76 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:28
		process.env.N8N_DISABLED_MODULES = 'insights,community-packages,mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc537cf5b37b59d1 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:34
		process.env.N8N_DISABLED_MODULES = 'insights,mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45f1369bbe255ea9 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:40
		process.env.N8N_COMMUNITY_PACKAGES_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cab83dc2a6b1414 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1100
			const originalEnv = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16418a74fc6e36ca Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1108
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c228acafb38d795 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1124
					delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a56482eeb6ef377c Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1126
					process.env.ENVIRONMENT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9df9c3d7074aa70 Environment-variable access.
repo/packages/cli/src/modules/community-packages/community-node-types.service.ts:128
		const environment = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #487a79facc94f2b4 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:269
			await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b650422c198c143 Environment-variable access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:298
			const environment = process.env.ENVIRONMENT === 'staging' ? 'staging' : 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21da2137d53aeb36 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:649
			const packageJsonContent = await readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b4e32e5996e8dc1 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:662
			await writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ce4039b993423c8 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:704
		const existingContent = await readFile(this.packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b1ed878e648cff9 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:707
		await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bda30035982ab750 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/csv-parser.service.test.ts:3
import { mkdtempSync, writeFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b0d2552707f9608 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/csv-parser.service.test.ts:31
		writeFileSync(join(tempDir, filename), content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc718022d872933b Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/data-table-file-cleanup.service.test.ts:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bba72fc0735f9493 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/multer-upload-middleware.test.ts:5
import * as fsPromises from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09ee87a9b20f8935 Filesystem access.
repo/packages/cli/src/modules/data-table/csv-parser.service.ts:5
import { createReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eb20bf957d3d854 Filesystem access.
repo/packages/cli/src/modules/data-table/data-table-file-cleanup.service.ts:4
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14f8967260d63cd Filesystem access.
repo/packages/cli/src/modules/data-table/multer-upload-middleware.ts:6
import { mkdir, readdir, stat, unlink } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1fb07a5583baa58 Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/__tests__/dynamic-credentials-cors.integration.test.ts:18
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddc19d64b17cf664 Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/__tests__/dynamic-credentials-rate-limit.integration.test.ts:27
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6ed123d5bcfe839 Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/dynamic-credentials.module.ts:14
	return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5828086e50eae3a Environment-variable access.
repo/packages/cli/src/modules/encryption-key-manager/encryption-key-manager.module.ts:7
	return process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e94b05b8df6800af Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:75
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7839f7d8e7327f4 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:82
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fdd4324189d00fbb Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:103
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8acfc713c32c425a Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:131
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c137c00d0859fb57 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:149
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3fe4689f7367042b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:223
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56324d89d32587f4 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3194
		const original = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e003debe569f062d Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3195
		process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #940f0021e4db8597 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3225
			if (original === undefined) delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee1e11c873a7317a Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3226
			else process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = original;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0d95a1dd6e3de83 Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:14
		writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df2dcd01fc4968ba Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:15
		writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b61a0500d2336eb5 Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:54
		writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51124f6935005680 Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:55
		writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b9800d70f8d8c2d Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:291
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13897a230b5b5b84 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:301
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dfe73df3a78d24a4 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:314
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0427f3e60c46b14c Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:326
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6ee20893588f6d1 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:338
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8898fa3af7a7782f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:350
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7075193b9f3d219f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:365
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa49f3346b5c7c39 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:379
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a2954c122498d90 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:397
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #165a8bfb0bd8d501 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:44
	savedApiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #177619460dab1cd1 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:45
	delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce2fb1cb34de9b62 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:50
		process.env.CONTEXT7_API_KEY = savedApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5735bc78082efccd Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:52
		delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0ae52f9e6daa9b2 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:225
		process.env.CONTEXT7_API_KEY = 'test-api-key-123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0574d314c265f01 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:241
		delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #166db3a1436eb674 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:8
	const original = process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d96ee28b73bf9748 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:11
		if (original === undefined) delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91b10bf56fd68776 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:12
		else process.env.N8N_INSTANCE_AI_EVAL_TIMING = original;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88905547ea5ac034 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:17
			delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59b838a5f33de15f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:33
			process.env.N8N_INSTANCE_AI_EVAL_TIMING = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9322f1af3d04de3b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28
		const apiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ec221fdf2a70711 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76
		const apiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a070203d510f71b8 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:23
	readonly enabled = process.env.N8N_INSTANCE_AI_EVAL_TIMING === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba9c41f31d232f76 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:56
			process.env.N8N_INSTANCE_AI_EVAL_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58dc47191d0b1417 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:57
			process.env.N8N_INSTANCE_AI_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87557b619aa9bd48 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai-model.service.ts:124
		const hasHttpProxy = Boolean(process.env.HTTPS_PROXY || process.env.HTTP_PROXY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #def0cdee9a179b49 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai-test.controller.ts:117
		if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28fe8981a056fef1 Filesystem access.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:221
		const promise = readFile(filePath, 'utf-8').then((json) =>

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eddc8a99541aadb Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:1173
					process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b86e3a12344781a2 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.module.ts:29
		if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1634e208f54feedf Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3129
			if (!tracing && process.env.E2E_TESTS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #968fdc7cb159c432 Filesystem access.
repo/packages/cli/src/modules/instance-ai/node-definition-resolver.ts:375
${readFileSync(variant.filePath, 'utf-8')}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df20779095e4fd6c Filesystem access.
repo/packages/cli/src/modules/instance-ai/node-definition-resolver.ts:382
		const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85dbe637432468fe Environment-variable access.
repo/packages/cli/src/modules/instance-ai/trace-replay-state.ts:154
		if (process.env.E2E_TESTS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #232a2c51820db339 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/__tests__/mcp-registry-test.controller.test.ts:66
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6d0d30cb1823143 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/__tests__/mcp-registry-test.controller.test.ts:72
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14528cdea6c675f6 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/mcp-registry-test.controller.ts:39
		if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4dad826b58c39edc Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/mcp-registry.module.ts:16
		if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6b1c9c4ec46253f Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:19
	const originalEnv = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abb56b95f3bdcea1 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:20
	const originalDevUrl = process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e61ea5b848b64ee4 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:24
		delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c4d87c9b3354169 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:25
		delete process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d0732784d96b7ed Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:31
			process.env.ENVIRONMENT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84fb01faa0a0d588 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:33
			delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7bfc854ca2061fbd Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:36
			process.env.N8N_MCP_SERVERS_DEV_URL = originalDevUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd0c5774f7a1ef84 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:38
			delete process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60ee81237a75176c Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:56
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e718208a08f1c2e1 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:69
			process.env.ENVIRONMENT = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86d71d512d2d892f Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:82
			process.env.ENVIRONMENT = 'dev';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b9b75caaaf5336d Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:95
			process.env.ENVIRONMENT = 'dev';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ed2e534cd81b26a Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:96
			process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0707fc769d4c0f4c Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:109
			process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcc78a0d94ee5479 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/mcp-registry-api.client.ts:68
		switch (process.env.ENVIRONMENT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f8165d2a8429ec Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/mcp-registry-api.client.ts:70
				return process.env.N8N_MCP_SERVERS_DEV_URL || MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ed76cc55e43dfe9 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:11
		delete process.env.N8N_MCP_SERVER_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59bfad0f42d0db59 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:12
		delete process.env.N8N_MCP_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cac09efa723f67c2 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:22
		process.env.N8N_MCP_SERVER_RATE_LIMIT = '500';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #97528bc17457629d Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:30
		process.env.N8N_MCP_SERVER_RATE_LIMIT = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c984b6ecf84c740 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:40
			process.env.N8N_MCP_SERVER_RATE_LIMIT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26b343e630280e9d Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:54
			process.env.N8N_MCP_BASE_URL = 'https://n8n-mcp.example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc4c6a03145e9f74 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:60
			process.env.N8N_MCP_BASE_URL = 'https://example.com/n8n/?foo=1#bar';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ceeb8fa9e8623bc7 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:68
				process.env.N8N_MCP_BASE_URL = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39e6a7c6f443a96e Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:453
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05d3ed486b9f6349 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:454
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48dd56c6e8bc6efb Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:461
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e989a073ca4e66f8 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:466
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41bbd4defeb53da8 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:467
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7244e6e69de85972 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:479
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edbebb698ec70e7f Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:484
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82cde67716e63922 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:485
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #46928796a209c8f1 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:494
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8dc0ac91d326fb68 Environment-variable access.
repo/packages/cli/src/modules/mcp/dto/update-allowed-redirect-uris.dto.ts:22
		const requiresHttps = process.env.NODE_ENV !== 'development' && !isLocalhost(hostname);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57b5f7bb0c98e7d3 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:145
	writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d4bd4563103f358 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:148
		writer.writeFile(`workflows/wf-${idx}/workflow.json`, JSON.stringify(wf));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d4a4f0cf32f89ff Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:230
	writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #150974ff35ce4f88 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:233
		writer.writeFile(`${target}/workflow.json`, JSON.stringify(workflow));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9d9c0f687f4acab Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:237
		writer.writeFile(`${target}/folder.json`, JSON.stringify(folder));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4cef57db37179d79 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:241
		writer.writeFile(`${target}/project.json`, JSON.stringify(project));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14f7a9032b43d024 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1016
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: '99',
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'bad-manifest',
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec6947586b83b5b2 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1081
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: '99',
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'integration-test-source',
				workflows: [{ id: 'wf-x', name: 'X', target: 'workflows/wf-x' }],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b96b8fb6a2deadc0 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1092
		writer.writeFile(
			'workflows/wf-x/workflow.json',
			JSON.stringify(serializedWorkflow({ id: 'wf-x', name: 'X' })),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8183fcb5ea08113f Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1108
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: FORMAT_VERSION,
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'integration-test-source',
				workflows: [{ id: 'wf-missing', name: 'Missing', target: 'workflows/nowhere-to-be-found' }],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57997286cd350021 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/engine/n8n-package-parser.ts:162
			content = await reader.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1684ede7c1df2575 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/credential/credential.exporter.ts:74
				request.writer.writeFile(
					`${target}/credential.json`,
					JSON.stringify(this.credentialSerializer.serialize(credential), null, '\t'),
				);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83b254faf4f8180d Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/data-table/data-table.exporter.ts:70
			request.writer.writeFile(
				`${target}/data-table.json`,
				JSON.stringify(this.dataTableSerializer.serialize(dataTable), null, '\t'),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2897e14643f8762 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/folder/folder.exporter.ts:168
		writer.writeFile(`${target}/folder.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fca19c1b36854d83 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/project/project.exporter.ts:91
		writer.writeFile(`${target}/project.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68e5e7f4bcf6681d Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/workflow/workflow.exporter.ts:68
			request.writer.writeFile(`${target}/workflow.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86055b42f080a9e4 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:38
				writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6268a0ced41b7d1 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:40
				writer.writeFile('workflows/my-workflow-abc/workflow.json', workflowJson);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e380e4c9d183e0aa Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:46
			await expect(reader.readFile('workflows/my-workflow-abc/workflow.json')).resolves.toEqual(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7bbd3078026be2a9 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:53
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54e7b269c29fa99c Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:55
				writer.writeFile('workflows/a/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6350679686a4472f Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:57
				writer.writeFile('workflows/b/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbc06f27d6c802b0 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:83
				writer.writeFile('manifest.json', '{not-json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8f351a3ce08833f Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:208
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #196573f66791b8ee Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:209
				writer.writeFile('oversized.bin', 'x'.repeat(500));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4144db10c6c816f6 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:224
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d276c1a017b3f32 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:225
				writer.writeFile('oversized.bin', 'x'.repeat(500));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2cd32b33cf11b39 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:239
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #043b8b0bb2253346 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:241
					writer.writeFile(`workflows/wf-${i}/workflow.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02db206f7b68ccbc Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:49
		writer.writeFile('workflows/wf-abc/workflow.json', '{"id":"abc"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ce22d11fc161515 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:50
		writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #200aaad82f3ad664 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:62
			writer.writeFile('manifest.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e789e2107efdcf4e Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:64
			writer.writeFile('workflows/x/workflow.json', '{"id":"x"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bbdd6f85ee43ac8 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:83
		writer.writeFile('manifest.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebe89e1b24045999 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:84
		writer.writeFile('./workflows/wf/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd23a75cf7e0ef07 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/n8n-packages.service.ts:146
		writer.writeFile('manifest.json', JSON.stringify(manifest, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #431bb7589ba1b47d Environment-variable access.
repo/packages/cli/src/modules/oauth-jwe/oauth-jwe.module.ts:9
	return process.env.N8N_ENV_FEAT_OAUTH2_JWE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd80773454093964 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:11
		delete process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5598ca129385194f Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:12
		delete process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #667e1752c94aa0ca Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:13
		delete process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f81c29a4b013ed1e Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:14
		delete process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e204738009b02df8 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:15
		delete process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27016f2898d4534e Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:29
		process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT = '100';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65dfae3358c281a9 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:30
		process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT = '200';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e4fafeed8c97b6ad Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:31
		process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '300';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14f755b86affc50e Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:32
		process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT = '400';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ba470aa9da9daa6 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:33
		process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT = '500';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e91eaad0eb88481b Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:45
		process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09652d190428aead Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:55
			process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #10e27ec88f4dc407 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:237
				resource: new URL('https://n8n.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #09c460fc25e6a07a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:474
				resource: new URL('https://attacker.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f7dce1caa5039838 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:509
				resource: new URL('https://n8n.example.com/mcp-server/http/'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #e113fae629b9089f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:769
				new URL('https://n8n.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #1b4b8b44f45ee9da Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:827
					new URL('https://attacker.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #9d1f3d8f9578a531 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:857
				new URL('https://n8n.example.com/mcp-server/http/'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #5fcf7701c8b7f99d Environment-variable access.
repo/packages/cli/src/modules/oauth-server/oauth-session.service.ts:38
			secure: process.env.NODE_ENV === 'production',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0cfafa0c622ae8fd Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:21
			if (key.startsWith('N8N_OTEL_')) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2c0b4bdd0558b4a Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:81
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #108c9844b5cd21a3 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:100
			process.env.N8N_OTEL_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37a97bd885d81072 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:101
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fa064442dc0132d Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:172
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6fc5fecc6cab14c8 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:203
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d60c8c1634aad876 Filesystem access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:7
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b927eac770ac5b49 Filesystem access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:27
		readFileSync(path.join(BASE_DIR, 'nodes-base/dist/known/nodes.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac095ef7f304aac9 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:86
		saved[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d7e74bbda3d7c9df Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:87
		process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d3b541a791e8a14 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:95
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c68f536de92058bf Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:97
			process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7deaf23b964c5170 Environment-variable access.
repo/packages/cli/src/modules/otel/otel-settings.service.ts:95
		return process.env[OTEL_ENV_VARS[key]] !== undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c944bfbda255f838 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:11
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18391cc0df99cdac Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:29
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b769685f735d0a9 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:49
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07391b74fb66f151 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:72
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ece2c09b5f8192f2 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:93
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd5fb166827f9ddf Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:101
		process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4197f229a8ce1234 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:127
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a652e93f5295fda Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:249
		process.env.N8N_QUICK_CONNECT_OPTIONS = config;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f68ef557358647e4 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:15
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #edb64d82e9a61922 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:32
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b36ade20bca75744 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:55
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b34cd37c3bebbbee Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:83
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c94d6c007af2543 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:105
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #def05c93b340ff0c Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:140
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3a0a04213d19f5e Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:107
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #728b42ff1fed6fd0 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:129
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #466c72044cbb94b4 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:141
			process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9c5374df1d2bcf5 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:165
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f694da42139b1dd Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:177
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8537fe111c9d500b Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts:14
		delete process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #452f14e756ffa8a9 Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts:23
			process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d28240de2707430a Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts:8
	return process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e317c7daa46e5a3f Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:395
				delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #008f0763bcb9838c Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:396
				delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7b40c3467535993 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:397
				delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3ef1ed69f3286dd Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:398
				delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c46ee162069ea2c Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:399
				delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b3ffc5b98df9e65 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:400
				delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c2c22e974cb56ce Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:401
				delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c24737f373700864 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:402
				delete process.env.all_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f74ad192ba24de06 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:415
				process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6300b05f334952de Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:439
				process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35809904b0224ec3 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:483
				process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a8624c7897a3075 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:484
				process.env.NO_PROXY = 'github.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #280fb1305e26c0fc Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-helper.ee.test.ts:3
import { accessSync, constants as fsConstants } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b31e1f77f25e7681 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:4
import { readFile, writeFile, access, mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3c4aa2f37ed4e77 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:99
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15c27dd4850102c3 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:131
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fbad6681f23706c Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:165
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3bd55ff0e38b1b18 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:205
			const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7886ac9a9e817b62 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:266
			const fileContent = await readFile(tempFilePath2, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5d95ac28e9410f4 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:437
			await writeFile(knownHostsPath, 'github.com ssh-rsa AAAA...\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b62c216f84d4eaa Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:146
					return await fsWriteFile(fileName, JSON.stringify(sanitizedWorkflow, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91ccc46f33c43c52 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:238
			await fsWriteFile(fileName, JSON.stringify(sanitizedVariables, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21458a23aa70709c Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:359
				await fsWriteFile(filePath, JSON.stringify(exportableDataTable, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00583f37b5789c7c Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:429
			await fsWriteFile(
				fileName,
				JSON.stringify(
					{
						folders: newFolders,
					},
					null,
					2,
				),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccc10e83dc5ed68c Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:462
				await fsWriteFile(fileName, JSON.stringify({ tags: [], mappings: [] }, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da0f5e31ce61ca67 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:492
			await fsWriteFile(
				fileName,
				JSON.stringify(
					{
						// overwrite all tags
						tags: tags.map((tag) => ({ id: tag.id, name: tag.name })),
						mappings: mappingsToKeep.concat(mappingsOfAllowedWorkflows),
					},
					null,
					2,
				),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf8275bf1827367 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:580
					return await fsWriteFile(filePath, JSON.stringify(stub, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e8c687238f691dd Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:640
					return await fsWriteFile(fileName, JSON.stringify(sanitizedProject, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed07567684c17cdc Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:6
import { accessSync, constants as fsConstants, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e11abccfb88abcdc Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:191
			await fsReadFile(file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68ef6fb4d2d9258f Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:214
		return jsonParse<ExportedFolders>(await fsReadFile(file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdfedd3fa81fde35 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:229
		return jsonParse<ExportableDataTable[]>(await fsReadFile(file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #169f72756e9d7518 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:316
					await fsReadFile(file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #727173a6aab7e431 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:426
				await fsReadFile(variablesFile[0], { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cb60e260a498df4 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:456
				const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d7f7a57381d9ac4 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:556
			}>(await fsReadFile(foldersFile[0], { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc863c1d610799d5 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:607
				await fsReadFile(tagsFile[0], { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb6d539d8837ba95 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:653
				const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d054fdb0303079ba Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:875
			const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5f640f293b4dc95 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:979
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80a1509f6252a831 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1051
				await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2348a301d4837895 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1149
			}>(await fsReadFile(candidate.file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82a7ff802043f23e Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1265
				await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ee67956bdc1aa04 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1305
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ac9921d0116f2f3 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1590
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deb43e8050f884f1 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:6
import { rm as fsRm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79e9d34a8b8f5b79 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:152
			await writeFile(tempFilePath, normalizedKey, { mode: 0o600 });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f1f3dac58865c17 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:170
			return await readFile(this.sshKeyName + '.pub', { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #660f7bfc36c7066b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:10
import { writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c273fc48aef8b36c Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:244
					writeFileSync(path.join(this.gitFolder, '/README.md'), SOURCE_CONTROL_README);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #8a031cfa8e1c4c3b Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.controller.ee.test.ts:244
			const mockAuthUrl = new URL('https://provider.com/auth?client_id=123');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #2869cd44bf6bf250 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.controller.ee.test.ts:301
			const mockAuthUrl = new URL(
				'https://provider.com/auth?client_id=123&redirect_uri=http://localhost:5678/callback',
			);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #7746cf09443c9a34 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:374
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #5d9e75b001a320df Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:399
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #484f82945bf2b845 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:430
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f6ba60911de036b3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:451
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #1e3ad716281de36e Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:473
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #03cd152c15fc0831 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:495
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #0f9c593d71673591 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:520
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #42692943ef09bbae Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:551
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #12c6cf60e3b46c4f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:589
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #60e2684cc13e27da Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:629
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #994d851839952318 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:664
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3a2603a9415205be Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:686
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #81f88bf8984c6360 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:700
		const discoveryUrl = new URL('https://example.com/.well-known/openid-configuration');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #ac147db96f7c74d2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:795
				new URL('https://issuer.example.com/.well-known/openid-configuration'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #4ee59eafabd3fda1 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/oidc.service.ee.ts:63
	discoveryEndpoint: new URL('http://n8n.io/not-set'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #205ed209c622d55b Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:200
	const originalEnv = process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5cf8a3085ffe62f Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:250
			process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3a0d33712e3621c Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:252
			delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b769ab623cdd5c7 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:265
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fb8e77a437c1206 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:267
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d63e556e056790be Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:274
			process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c694276e491d7f67 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:849
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b1535c270f09656 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:860
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76606e0983e1c451 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:873
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca514762bd065d70 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:897
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c78e7cee7bbd815 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:927
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9173953315e224ec Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:955
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0dc4f873a0cf523f Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:993
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5869cd8b5a5858e Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1014
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d84e00f0e8c1b37d Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1055
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ffa073afb6881b28 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1110
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #468ba7f00ee01625 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1196
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f82aa8e486d5e18 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1222
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fab1356427c4db40 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1246
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eddfc293543236bf Environment-variable access.
repo/packages/cli/src/modules/sso-saml/saml.service.ee.ts:113
		return process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7ce4cbcb3fdaf2f Environment-variable access.
repo/packages/cli/src/modules/token-exchange/token-exchange.module.ts:7
	return process.env.N8N_ENV_FEAT_TOKEN_EXCHANGE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d760b86c30b0b7e Filesystem access.
repo/packages/cli/src/node-catalog/node-catalog.service.ts:9
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c1e773e31fa8f45 Filesystem access.
repo/packages/cli/src/node-types.ts:3
import type { Dirent } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #350b288024998028 Filesystem access.
repo/packages/cli/src/node-types.ts:4
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c17154476d9031e Filesystem access.
repo/packages/cli/src/node-types.ts:53
				const translation = await readFile(translationPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d6ad3fae14a3aa0c Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:173
			delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9305d7ec4d3ec747 Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:178
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4f2f49c504cd553e Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:183
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4af7ecba86920dc5 Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:188
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'TRUE';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8978604d73e857b1 Environment-variable access.
repo/packages/cli/src/oauth/oauth.service.ts:87
	const value = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8900a467835e40ca Filesystem access.
repo/packages/cli/src/public-api/index.ts:7
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a36582f78fdbcaa Filesystem access.
repo/packages/cli/src/public-api/index.ts:90
			const spec = await fs.readFile(openApiSpecPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2fe275fecdc0331 Filesystem access.
repo/packages/cli/src/public-api/index.ts:102
			const swaggerThemeCss = await fs.readFile(swaggerThemePath, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69b3b49ea28bbf88 Environment-variable access.
repo/packages/cli/src/public-api/index.ts:236
						operationHandlers: process.env.VITEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b126e6474ea1a27e Filesystem access.
repo/packages/cli/src/public-api/v1/__tests__/scope-parity.test.ts:81
		const spec = yaml.parse(fs.readFileSync(OPENAPI_SPEC_PATH, 'utf8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbb7553adaa7c427 Filesystem access.
repo/packages/cli/src/public-api/v1/handlers/data-tables/__tests__/data-table-column-name.openapi.test.ts:2
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e4996789815d5b0 Filesystem access.
repo/packages/cli/src/public-api/v1/handlers/data-tables/__tests__/data-table-column-name.openapi.test.ts:22
		const doc = columnNameYmlSchema.parse(parse(fs.readFileSync(ymlPath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66db4aca30938de9 Filesystem access.
repo/packages/cli/src/server.ts:9
import { access as fsAccess } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4e12be5a69f76b3 Environment-variable access.
repo/packages/cli/src/server.ts:117
		if (inDevelopment && process.env.N8N_DEV_RELOAD === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfd885738c8629da Environment-variable access.
repo/packages/cli/src/server.ts:389
			const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bbd95669c170c1b Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:827
		writeFileSync(
			join(packageDir, 'package.json'),
			JSON.stringify({
				name: 'n8n-nodes-base',
				version: '1.0.0',
				n8n: { nodes: [], credentials: [] },
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58fc477e3dbde6c4 Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:835
		writeFileSync(
			join(packageDir, 'dist', 'known', 'nodes.json'),
			JSON.stringify({
				httpRequest: {
					className: 'HttpRequest',
					sourcePath: 'dist/nodes/HttpRequest/HttpRequest.node.js',
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33bbe553cf4e4f08 Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:844
		writeFileSync(join(packageDir, 'dist', 'known', 'credentials.json'), JSON.stringify({}));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885c9663f3d92faf Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:845
		writeFileSync(
			join(packageDir, 'dist', 'types', 'nodes.json'),
			JSON.stringify([nodeTypeDescription]),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8708b55afb8f3122 Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:849
		writeFileSync(join(packageDir, 'dist', 'types', 'credentials.json'), JSON.stringify([]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76568eb6991f2ac1 Filesystem access.
repo/packages/cli/src/services/__tests__/export.service.test.ts:3
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3365b7c17583902 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:370
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a020cd66043ba570 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:387
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '7';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #670ff8cd2c326a10 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:408
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb8c25e7af4d2c10 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:536
			process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e26571ace2072271 Filesystem access.
repo/packages/cli/src/services/__tests__/import.service.test.ts:5
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4414adcaef3ffdd5 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:8
		delete process.env.WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #876ea75f062cb508 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:13
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32af3b7d805172c6 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:23
			process.env.WEBHOOK_URL = 'https://example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #097f72c31a06565b Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:34
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04773fe89be61759 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:44
			process.env.WEBHOOK_URL = '"https://example.com/"';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52a95ad339b9d2ad Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:57
			process.env.WEBHOOK_URL = 'https://old.example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6da3192378089c94 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:65
			process.env.WEBHOOK_URL = 'https://old.example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4cdeb083d2b7e13 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:92
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82c70d3e00649c63 Filesystem access.
repo/packages/cli/src/services/ai-workflow-builder.service.ts:10
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8fc825b21349d21 Filesystem access.
repo/packages/cli/src/services/export.service.ts:6
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a47488d259fc079 Filesystem access.
repo/packages/cli/src/services/export.service.ts:252
				const keyFileContent = await readFile(keyFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cb516dce7820686 Filesystem access.
repo/packages/cli/src/services/frontend.service.ts:7
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b65add63897352ff Filesystem access.
repo/packages/cli/src/services/frontend.service.ts:8
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1453391889c9bd9c Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:170
		const previewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08260061cf942555 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:198
		const previewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc1a9ba30d3300bd Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:228
			nodeEnv: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #135160e64a5d4408 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:336
				builtIn: process.env.NODE_FUNCTION_ALLOW_BUILTIN?.split(',') ?? undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8309bb256fb70bc5 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:337
				external: process.env.NODE_FUNCTION_ALLOW_EXTERNAL?.split(',') ?? undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be1e3965ef02f7bf Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:569
				!!this.globalConfig.aiAssistant.baseUrl || !!process.env.N8N_AI_ANTHROPIC_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2f7159b824bd476 Filesystem access.
repo/packages/cli/src/services/import.service.ts:17
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fe918074084c84d Filesystem access.
repo/packages/cli/src/services/import.service.ts:470
		const content = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5aca7328a4518f72 Filesystem access.
repo/packages/cli/src/services/import.service.ts:525
				const keyFileContent = await readFile(keyFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #126667636428bb3a Filesystem access.
repo/packages/cli/src/services/import.service.ts:1002
			await readFile(migrationsFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b544965e3b9eb9c9 Filesystem access.
repo/packages/cli/src/services/import.service.ts:1010
		const migrationsFileContent = await readFile(migrationsFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61c3f27215273f16 Filesystem access.
repo/packages/cli/src/services/ownership-transfer/__tests__/ownership-transfer.manifest.test.ts:27
		.filter((file) => readFileSync(file, 'utf8').includes('@Entity('));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #43c5f2728853f284 Filesystem access.
repo/packages/cli/src/services/ownership-transfer/__tests__/ownership-transfer.manifest.test.ts:107
				return !new RegExp(`\\bclass ${entry.name}\\b`).test(readFileSync(filePath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a40e58fbeaa164bc Environment-variable access.
repo/packages/cli/src/services/url.service.ts:18
			this.globalConfig.webhookUrl || this.trimQuotes(process.env.WEBHOOK_URL) || this.baseUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be59415b18a9b4b6 Environment-variable access.
repo/packages/cli/src/task-runners/__tests__/task-runner-process-py.test.ts:54
			process.env[envVar] = 'custom value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04326f0d7b834903 Environment-variable access.
repo/packages/cli/src/task-runners/__tests__/task-runner-process.test.ts:91
			process.env[envVar] = 'custom value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #610aed9dcaaf4dd3 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:58
			PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11731df47f4a21e8 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:59
			HOME: process.env.HOME ?? process.env.USERPROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cefd2828cb8f7d85 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:60
			NODE_PATH: process.env.NODE_PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b11a1b80166ac7f Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:63
			GENERIC_TIMEZONE: process.env.GENERIC_TIMEZONE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1839defafe679e7 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:64
			NODE_FUNCTION_ALLOW_BUILTIN: process.env.NODE_FUNCTION_ALLOW_BUILTIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03028a47bb4870e2 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:65
			NODE_FUNCTION_ALLOW_EXTERNAL: process.env.NODE_FUNCTION_ALLOW_EXTERNAL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #967df7919cb034b0 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:68
			N8N_SENTRY_DSN: process.env.N8N_SENTRY_DSN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1786b02c6c87061d Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:69
			N8N_VERSION: process.env.N8N_VERSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03c6c321b13177c2 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:70
			ENVIRONMENT: process.env.ENVIRONMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2c6c1bbd5c59b22 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:71
			DEPLOYMENT_NAME: process.env.DEPLOYMENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d8907dbfbc767d6 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:80
			N8N_RUNNERS_INSECURE_MODE: process.env.N8N_RUNNERS_INSECURE_MODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb1dd4ae40bc3760 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:83
			N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT: process.env.N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43a0923baf4ad066 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:84
			N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN: process.env.N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35cb40bed2247e62 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:42
				PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72630d5b5343c482 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:43
				HOME: process.env.HOME ?? process.env.USERPROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e90f9f28de17f99b Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:54
				N8N_RUNNERS_STDLIB_ALLOW: process.env.N8N_RUNNERS_STDLIB_ALLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b824205ac116b2a2 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:55
				N8N_RUNNERS_EXTERNAL_ALLOW: process.env.N8N_RUNNERS_EXTERNAL_ALLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fec71a8ac80ea6d0 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:56
				N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS: process.env.N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cf6258e0c029991 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:57
				N8N_RUNNERS_BUILTINS_DENY: process.env.N8N_RUNNERS_BUILTINS_DENY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2ff16d1f9132b5e Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:58
				N8N_BLOCK_RUNNER_ENV_ACCESS: process.env.N8N_BLOCK_RUNNER_ENV_ACCESS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #563f2edff4224b48 Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:3
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ffa780a2ca1a57f6 Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:23
		const includedContent = await readFile(pathJoin(templatesDir, match[1]), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1fded765eeaaa6b Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:35
	const rawMarkup = await readFile(pathJoin(templatesDir, `${templateName}.mjml`), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59f93acb6ee88637 Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:7
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd611426f44e58d0 Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:8
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceae12e072b16717 Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:337
			const markup = await readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619bd8a54341456f Environment-variable access.
repo/packages/cli/src/utils.ts:132
	if (process.env.ENABLE_OBSERVABILITY === undefined || process.env.ENABLE_OBSERVABILITY === '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30c024b50a5bdfb2 Environment-variable access.
repo/packages/cli/src/utils.ts:133
		process.env.ENABLE_OBSERVABILITY = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab4cc2e48cb729eb Environment-variable access.
repo/packages/cli/src/utils.ts:136
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3982e42edc9c970c Environment-variable access.
repo/packages/cli/src/utils.ts:137
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fca4a1a6ffa4fe95 Environment-variable access.
repo/packages/cli/src/utils.ts:139
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0749b00c4651c16b Environment-variable access.
repo/packages/cli/src/utils/ai-proxy-fetch.ts:13
export const AI_REQUEST_TIMEOUT_MS = resolveTimeoutMs(process.env.N8N_AI_TIMEOUT_MAX);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9df2ba6c25f0ac38 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:3
import { createWriteStream, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f7be654c8c54850 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:4
import type { FileHandle } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8002faa8110b8950 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:5
import { open, readFile, readdir, mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fba62295f1332547 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:221
			const fileContent = await readFile(fullPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89e0c47a7700f362 Environment-variable access.
repo/packages/cli/src/utils/health-endpoint.util.ts:24
	const isHealthEndpointCustomized = process.env.N8N_ENDPOINT_HEALTH !== undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13be13a14cba434c Environment-variable access.
repo/packages/cli/src/workflow-runner.ts:272
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d2301cc9918f7511 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:746
			originalOffloadManualExecutionsToWorkers = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1149d797596d9814 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:747
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fcf9b871e4a4cd8b Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:773
				delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5edcab33ee281841 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:775
				process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = originalOffloadManualExecutionsToWorkers;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d3be3d689895914 Environment-variable access.
repo/packages/cli/src/workflows/workflow-execution.service.ts:242
				process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba05f9276bd3a38a Filesystem access.
repo/packages/cli/vitest.tsc-entity-transform.ts:72
			const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acc8249e0223092f Filesystem access.
repo/packages/cli/vitest.tsc-entity-transform.ts:90
				const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nodes-base

npm first-party
high pii_flow production #4688a221312164b1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77
		const secureXToken = (await http.request({
			url: `https://visibility.${region}.cisco.com/iroh/oauth2/token`,
			method: 'POST',
			auth: {
				username: clientId,
				password: clientSecret,
			},
			body: new URLSearchParams({
				grant_type: 'client_credentials',
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
				Accept: 'application/json',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ca17e0e5bfbb32ae User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95
		const secureEndpointToken = (await http.request({
			url: `https://api.${region}.cisco.com/v3/access_tokens`,
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'client_credentials',
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
				Accept: 'application/json',
				Authorization: `Bearer ${secureXToken.access_token}`,
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1baae52a59175a8d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366
		const { access_token } = (await http.request({
			url: 'https://oauth2.googleapis.com/token',
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
				assertion: signature,
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1fc1c8ed4d433311 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140
	const response = await http.request({
		url: tokenUrl,
		method: 'POST',
		body: body.toString(),
		headers: {
			'Content-Type': 'application/x-www-form-urlencoded',
		},
		json: true,
		timeout: TOKEN_REQUEST_TIMEOUT,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d46d12f769b33170 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121
		const response = (await http.request({
			url: `${authUrl}/services/oauth2/token`,
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
				assertion: signature,
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token?: string; instance_url?: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e1619deb44d82980 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283
		const response = await fetch(fullUri, {
			method: 'GET',
			headers,
			signal: AbortSignal.timeout(2000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5ae1ad536a9454c6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349
		const credentialsResponse = await fetch(`https://sts.${region}.${getAwsDomain(region)}`, {
			method: 'POST',
			headers,
			body: body.toString(),
			signal: AbortSignal.timeout(2000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7ff8c6b6d2b518f7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45
			return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #21b8f9b4f1ddbb80 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #86682bc23fc8c5b9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ed636abf616d8485 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #44cbaa45c552818c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6ad079288dfe8af2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6a8efc3d11190272 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d193ae6dde980474 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #242c7a9b3f5cd11b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ea1bcdde650fc953 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d1f178bb40d5c6e7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217
					const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #156eaac30e7bedea User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3c572c756706f8f8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600
					responseData = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e5acb94f7102afb9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cb1e7fb4be4df857 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a5aa3617aec46beb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d8b139d673091983 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #694aee38f66c93e9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253
					response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e7b2e55732996992 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3dd707f1d8a77788 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135
		await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9817a4b9969fe1e9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64
		const response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6244898fda232795 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #15d0d72b4d845ad9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223
					const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c667fd4e72885872 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126
	return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #953d25df7c2d5476 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535
					response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #50986e1e4bc65825 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014
				const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b69805a59ad0b212 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078
					const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #dad5da5217ef3940 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766
						const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7bdd4f6cf92014d3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46
			return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #61b0d6c031eafc9c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56
				return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #62de02128ac11c60 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48
				return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #69ebdcaa207d7ecf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41
		const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #789a800067e73ca2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #bf0f4a4991732d1b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b7f34cd1f738a0a7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b0db5aeea1b0ce21 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122
	return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d828b84632b54c70 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37
		const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e315cbaa2aa06c38 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8b16758875aca3da User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #696822b9f42f79bc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266
					const result = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e51e6ea319bdc151 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cf25009c6f51a09d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2169111ce7efaf18 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e4d8aa1e9fe4aeb2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b6d332b5b9319cb1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #948e04311df8b019 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58
		return await this.helpers?.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0df6c9a08c4d24b2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62
	ctx.base = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5a62cd04690723be User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fb040d79ea61e820 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #39596b80f94c1849 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cfc5a0de699d305b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85
	return await (this.helpers.request(options) as Promise<{ jwt: string }>);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #442db72c65c9384d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9c65e05cea778fb4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #126fab39f2985dd2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #17c62a2690b4837a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #52ada70c1a4adb86 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33
		const responseData = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0851b3d79c467146 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #45fa314b4f038411 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b5f84ff87407234d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53 · flow /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 → /tmp/closeopen-gagie1_z/repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 42 low-confidence finding(s)
low env_fs production #9ea5e7cf37de9e17 Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-sdk.ts:44
const getEnv = (key: string): string | undefined => process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46a92a6ae898e95f Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:4
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #389cdcfcff28c5b1 Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:28
export const envGetter = (key: string): string | undefined => process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0cb01d2fc36d4e02 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:121
			const tokenResponse = await fetch(`${baseUrl}/api/token`, {
				method: 'PUT',
				headers: {
					'X-aws-ec2-metadata-token-ttl-seconds': '21600',
					'User-Agent': 'n8n-aws-credential',
				},
				signal: AbortSignal.timeout(2000),
			});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #130065d5bd2f7099 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:138
		const roleResponse = await fetch(`${baseUrl}/meta-data/iam/security-credentials/`, {
			method: 'GET',
			headers,
			signal: AbortSignal.timeout(2000),
		});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #60e695273446111c Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264
				authToken = (await readFile(authTokenFile, 'utf-8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13e63b15a6117c85 Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328
		const token = (await readFile(webIdentityTokenFile, 'utf8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0cf42f590606b588 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:619
		const url = new URL('https://vpce-0abc123.bedrock-runtime.us-east-1.vpce.amazonaws.com/model');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ea6c5c3823791fcd Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:624
		const url = new URL('https://vpce-0abc123.sqs.us-west-2.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #53d0684f54617348 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:629
		const url = new URL('https://vpce-0abc123-usw2-az1.sqs.us-west-2.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #96992068df30ea73 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:634
		const url = new URL('https://vpce-0abc.sqs.not-a-region.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #3436fc4a0b4feac0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:639
		const url = new URL('https://vpce-0abc123.sqs.us-gov-west-1.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #da59e875a499ce95 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:644
		const url = new URL('https://vpce-0abc123.sqs.cn-north-1.vpce.amazonaws.com.cn/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c72d7e8eb04d8182 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:649
		const url = new URL('https://lambda.us-east-1.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #63c1f3af4834c59d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:654
		const url = new URL('https://lambda.cn-north-1.amazonaws.com.cn/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #1d513c6d12177197 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:659
		const url = new URL('https://iam.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #d5e0e53ce4fe3b2c Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/utils.ts:627
	if (process.env.N8N_AWS_LEGACY_SIGNER === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e15cb180caa8f894 Filesystem access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a32559506ad9276 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:8
	if (process.env.N8N_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #472dbe14ec3cf47b Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:9
		return process.env.N8N_VERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3f41b9c23bdddf0 Filesystem access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:15
		const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e9e2194e1340f91 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:25
export const BASE_URL = process.env.AIRTOP_BASE_URL ?? 'https://api.airtop.ai/api/v1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1a37b6db605c755 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:26
export const BASE_URL_V2 = process.env.AIRTOP_BASE_URL_V2 ?? 'https://api.airtop.ai/api/v2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d639934cc8369c2f Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:28
	process.env.AIRTOP_HOOKS_BASE_URL ?? 'https://api.airtop.ai/api/hooks';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e163cc32f5efad2f Filesystem access.
repo/packages/nodes-base/nodes/EditImage/EditImage.node.ts:1
import { writeFile as fsWriteFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23969044244c6c68 Filesystem access.
repo/packages/nodes-base/nodes/EditImage/EditImage.node.ts:1140
						await fsWriteFile(path, binaryDataBuffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dceca23c7f98c36 Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts:1
import { readFile as fsReadFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bb04b25895cf219 Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts:1
import { readFile as fsReadFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10095f13953cb229 Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts:48
		const workflowJson = await fsReadFile(resolvedPath, { encoding: 'utf8' }).catch(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #207879e41a07f838 Filesystem access.
repo/packages/nodes-base/nodes/Form/utils/utils.ts:3
import { rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f3893d1714445ac Filesystem access.
repo/packages/nodes-base/nodes/Ftp/Ftp.node.ts:3
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f96c9a830a6cfef6 Filesystem access.
repo/packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:62
	const alasqlSource = await readFile(alasqlBundlePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adf206d8efd5873a Filesystem access.
repo/packages/nodes-base/nodes/SpreadsheetFile/v1/SpreadsheetFileV1.node.ts:83
						workbook = xlsxReadFile(binaryPath, xlsxOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5216cef14078c791 Filesystem access.
repo/packages/nodes-base/nodes/Ssh/Ssh.node.ts:2
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5bce33020873fc8 Filesystem access.
repo/packages/nodes-base/nodes/Ssh/Ssh.node.ts:448
								await writeFile(binaryFile.path, uploadData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12a1551bc149a2c0 Filesystem access.
repo/packages/nodes-base/nodes/Webhook/Webhook.node.ts:2
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7812cff4e027c060 Filesystem access.
repo/packages/nodes-base/nodes/Webhook/Webhook.node.ts:3
import { stat } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49085547516d4cb2 Filesystem access.
repo/packages/nodes-base/nodes/Webhook/utils.ts:3
import { rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e61007c27ea30d8 Filesystem access.
repo/packages/nodes-base/scripts/copy-nodes-json.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #255926c2403869d7 Filesystem access.
repo/packages/nodes-base/scripts/validate-schema-versions.js:11
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56ba978d9f6a4821 Filesystem access.
repo/packages/nodes-base/scripts/validate-schema-versions.js:66
	const content = fs.readFileSync(nodeFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #757bd0caaa1bc9fb Environment-variable access.
repo/packages/nodes-base/vite.config.ts:7
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/core

npm first-party
high pii_flow production #c4520c33430bc558 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/azure-blob.manager.ts:66 · flow /tmp/closeopen-gagie1_z/repo/packages/core/src/binary-data/azure-blob.manager.ts:64 → /tmp/closeopen-gagie1_z/repo/packages/core/src/binary-data/azure-blob.manager.ts:66
		await this.azureBlobService.put(targetFileId, sourceFile, metadata);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #447833c37b56c833 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/object-store.manager.ts:80 · flow /tmp/closeopen-gagie1_z/repo/packages/core/src/binary-data/object-store.manager.ts:78 → /tmp/closeopen-gagie1_z/repo/packages/core/src/binary-data/object-store.manager.ts:80
		await this.objectStoreService.put(targetFileId, sourceFile, metadata);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry test-only #337f1be96c4f36ab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/__tests__/error-reporter.test.ts:3
import type { ErrorEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #adf4248793bda92c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/error-reporter.ts:6
import type { ErrorEvent, EventHint } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #11e6c86b668cc5f2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/error-reporter.ts:7
import type { NodeOptions } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #2a2f40fe613fb1be Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/sentry-tracing.test.ts:1
import type { StartSpanOptions } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #1bdb5ace8e8e87c4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/sentry-tracing.test.ts:2
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #71c450e180f58b50 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/span-sampling.test.ts:1
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #a8890d47e063c8e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/tracing.test.ts:1
import type { StartSpanOptions } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c17b0b4823a62c86 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/sentry-tracing.ts:2
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f5e3f7d418da92ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/span-sampling.ts:1
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #096cd618f0675a0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/tracing.ts:2
import type {
	StartSpanOptions as SentryStartSpanOptions,
	SpanContextData as SentrySpanContextData,
	SpanAttributes as SentrySpanAttributes,
} from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5b3a2a118793695f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/tracing.ts:7
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 113 low-confidence finding(s)
low env_fs production #cd770d62aa482cc2 Filesystem access.
repo/packages/core/bin/common.js:13
	await writeFile(filePath, payload, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a262f06285a0f767 Filesystem access.
repo/packages/core/bin/generate-node-defs:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86335ee209c4a33a Filesystem access.
repo/packages/core/bin/generate-node-defs:15
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f88dfb3a61afaef Filesystem access.
repo/packages/core/bin/generate-translations:3
const {
	existsSync,
	promises: { writeFile },
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61165243d6c33b2a Filesystem access.
repo/packages/core/bin/generate-translations:6
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97a853027122c9ed Filesystem access.
repo/packages/core/nodes-testing/node-test-harness.ts:64
		return JSON.parse(readFileSync(filePath, 'utf-8')) as IWorkflowBase &

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #af0980a8394a5049 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:47
		process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'filesystem';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d6760888bfe36ab3 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:55
		process.env.N8N_STORAGE_PATH = '/custom/storage/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12a44983a1f20d4e Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:63
		process.env.N8N_STORAGE_PATH = '/path/one';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d1ce77656d4fffe Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:64
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/path/two';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8f7e56af79c65c2 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:70
		process.env.N8N_STORAGE_PATH = '/same/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92929fef3b3fd857 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:71
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/same/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14ad5760c3651ec7 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:79
		process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'invalid-mode';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #761d2a3f5fdda8a2 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:106
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08f9a4747b2e839d Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:131
			process.env.N8N_STORAGE_PATH = '/custom/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6be2e276f0f07b6 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:139
			process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71f8be6c7178d11f Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:155
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #725da5e93905536d Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:165
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6069557521156658 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:175
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0df2811328b03581 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:40
		process.env.N8N_DEFAULT_BINARY_DATA_MODE = 's3';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #885d9313b4d7c8e1 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:41
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/storage/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c6a7f6d781e7743 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:42
		process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'super-secret';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7415e3cca4bd0f17 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:59
		process.env.N8N_DEFAULT_BINARY_DATA_MODE = 'invalid-mode';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bb99f83e85a18bc Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:71
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '1024';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8061ce7d71256d9d Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:85
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = 'not-a-number';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ccc2d340ee466c9d Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:96
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '2048';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d5027c5070120d3 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:118
			delete process.env.N8N_BINARY_DATA_SIGNING_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99d80bdfa7367c8a Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:122
			process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'env-pinned-secret';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50acb77bb096a65a Filesystem access.
repo/packages/core/src/binary-data/azure-blob.manager.ts:64
		const sourceFile = await fs.readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e51c30107f80b48 Environment-variable access.
repo/packages/core/src/binary-data/binary-data.config.ts:81
		if (process.env.N8N_BINARY_DATA_SIGNING_SECRET) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0907f4bebf83b018 Filesystem access.
repo/packages/core/src/binary-data/binary-data.service.ts:77
			binaryData.data = await readFile(filePath, { encoding: BINARY_ENCODING });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #969c0cf1419a375d Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:37
		await fs.writeFile(filePath, bufferOrStream);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5029a2513afa986 Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:67
		return await fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85dbf4bf99f516b4 Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:73
		return await jsonParse(await fs.readFile(filePath, { encoding: 'utf-8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87793fbf6535743c Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:199
		await fs.writeFile(filePath, JSON.stringify(metadata), { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81b27cf8d4ad3633 Filesystem access.
repo/packages/core/src/binary-data/object-store.manager.ts:78
		const sourceFile = await fs.readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2825b15ac2a9a7b1 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:233
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a5ed3305452a518 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:234
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b21ab1c86e8ec416 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:243
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7022bd78e2c9ec81 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:268
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5dccdb0950e4c8ce Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:269
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #088db91c1814d166 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:274
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aef865e218871bc3 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:300
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c272fa4b904be092 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:301
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a1a81f6759631f1 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:306
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #43f140cab7aa3566 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:326
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45f326aacdcfe4ef Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:327
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f155faff8d758c85 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:334
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #567124b6d4701aec Environment-variable access.
repo/packages/core/src/encryption/cipher.ts:38
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a63f7e583c3dd9f5 Environment-variable access.
repo/packages/core/src/encryption/cipher.ts:58
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc2b76800f752a32 Environment-variable access.
repo/packages/core/src/execution-engine/__tests__/ssh-clients-manager.test.ts:251
		process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = '5';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9773327eeee9dd8d Environment-variable access.
repo/packages/core/src/execution-engine/__tests__/ssh-clients-manager.test.ts:264
			process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c22aeb592702a507 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/execute-context.ts:222
		if (process.env.CODE_ENABLE_STDOUT === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d5dc636fccaeb01 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/supply-data-context.ts:431
		if (process.env.CODE_ENABLE_STDOUT === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ca5e4f27059e054 Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/binary-helper-functions.test.ts:3
import { mkdtempSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4f86e5276227e48 Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/binary-helper-functions.test.ts:128
			readFileSync(
				`${temporaryDir}/${setBinaryDataBufferResponse.id?.replace('filesystem-v2:', '')}`,
			),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4fba7bc0e12b870 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:61
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4426fc392c59835a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:99
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3350a165df1a594a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:117
		process.env[CONFIG_FILES] = '/path/to/config1,/path/to/config2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bf81c487c09cbd4 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:123
		process.env[CUSTOM_EXTENSION_ENV] = '/path/to/extensions1;/path/to/extensions2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #050e37755743f536 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:129
		process.env[BINARY_DATA_STORAGE_PATH] = '/path/to/binary/storage';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c5cda0cf977fe47 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:135
		process.env[UM_EMAIL_TEMPLATES_INVITE] = '/path/to/invite/templates';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b978bcb4493618c8 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:136
		process.env[UM_EMAIL_TEMPLATES_PWRESET] = '/path/to/pwreset/templates';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8050e9827d3903b Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:147
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69ea1cacf5a01d0b Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:150
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c1a2c494b579dbf Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:157
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #881fd306780872d0 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:160
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c9bfa30388eccd0b Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:167
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be5e85e46fbc7c7a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:170
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ecf1c68f24a91e7a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:389
			process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5443c8e1a8e1c61d Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:122
	const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d7d86b2b996fd9c Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:423
				await fileHandle.writeFile(content, { encoding: 'binary' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #251738ad80f1be08 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:458
	if (process.env[CONFIG_FILES]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd3adf991e36ba0a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:459
		restrictedPaths.push(...process.env[CONFIG_FILES].split(','));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eeb392cb7de4b5f7 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:462
	if (process.env[CUSTOM_EXTENSION_ENV]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a92756af36e5b9e Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:463
		const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f432ccd2750c89d Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:467
	if (process.env[BINARY_DATA_STORAGE_PATH]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #806a070bb0eb5877 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:468
		restrictedPaths.push(process.env[BINARY_DATA_STORAGE_PATH]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce7d858e53b58249 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:471
	if (process.env[UM_EMAIL_TEMPLATES_INVITE]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #782cf011c1fc97e9 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:472
		restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_INVITE]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b535f1acfca148fd Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:475
	if (process.env[UM_EMAIL_TEMPLATES_PWRESET]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc36c284908d4ef6 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:476
		restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_PWRESET]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6141c5ea6e98563c Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:91
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #452eda8a6ddaedd7 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:101
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa4fe9930a147be1 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:137
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3e7a0c454a6bb01 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:155
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42e92d820e3344ac Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:247
				process.env.N8N_INSTANCE_ID = 'env-pinned-id';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb2476d75d15a97e Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:302
				process.env.N8N_HMAC_SIGNATURE_SECRET = 'env-pinned-hmac';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11ea34ba766cce48 Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:101
			process.env.N8N_INSTANCE_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dc715f8032670fd Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:110
			process.env.N8N_HMAC_SIGNATURE_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45f18777b6620417 Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:232
			const cgroupV1 = readFileSync('/proc/self/cgroup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5c2e7288ea8c303 Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:241
			const cgroupV2 = readFileSync('/proc/self/mountinfo', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abed5e0dbaaeb876 Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:263
			const content = readFileSync(this.settingsFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b14ec3b8e1adc63 Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:315
		const hmacSignatureSecretFromEnv = process.env.N8N_HMAC_SIGNATURE_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dfdcb4381890ede Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:324
		writeFileSync(this.settingsFile, JSON.stringify(this.settings, null, '\t'), {
			mode: this.enforceSettingsFilePermissions.enforce ? 0o600 : undefined,
			encoding: 'utf-8',
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef92d9169e154a08 Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:335
		const isEnvVarSet = !!process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc24e73b4891920e Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:40
		fs.writeFileSync(file, nodeSource(version));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #733c475196d84be4 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:75
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #841ec34922a480e7 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:99
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #248ce999cb722fe5 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:116
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ecbc3452a25abb7 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/output-schema-resolver.test.ts:13
		writeFileSync(filePath, typeof content === 'string' ? content : JSON.stringify(content));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2f3c5d83c2df921 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/output-schema-resolver.test.ts:123
			writeFileSync(path.join(nodeDir, '__schema__', 'v1.0.0-beta', 'playlist', 'get.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44b22efabbaa9f25 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/output-schema-resolver.test.ts:194
			writeFileSync(path.join(nodeDir, 'output.leak.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8cc9005f47261bd Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/output-schema-resolver.test.ts:219
			writeFileSync(path.join(nodeDir, 'secret.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9708d16aa0174ea Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/scan-directory-for-packages.fs.test.ts:30
		writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version: '1.0.0' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b52e184543725d03 Filesystem access.
repo/packages/core/src/nodes-loader/output-schema-resolver.ts:164
		const parsed: unknown = JSON.parse(readFileSync(filePath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0cbe2dab804c3d2 Filesystem access.
repo/packages/core/src/nodes-loader/package-directory-loader.ts:96
		const fileString = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85c1bc8ab5e587b7 Filesystem access.
repo/packages/core/src/nodes-loader/package-directory-loader.ts:102
		const fileString = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #094d039845fb19a7 Environment-variable access.
repo/packages/core/src/storage.config.ts:41
		const storagePath = process.env.N8N_STORAGE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52269c9f384d5296 Environment-variable access.
repo/packages/core/src/storage.config.ts:42
		const binaryDataStoragePath = process.env.N8N_BINARY_DATA_STORAGE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a701c020c11e854a Environment-variable access.
repo/packages/core/src/storage.config.ts:70
		if (process.env.N8N_STORAGE_PATH) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9def038744994bd5 Environment-variable access.
repo/packages/core/src/storage.config.ts:71
		if (process.env.N8N_BINARY_DATA_STORAGE_PATH) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e925a5feabe2967 Environment-variable access.
repo/packages/core/src/storage.config.ts:78
		const shouldMigrate = process.env.N8N_MIGRATE_FS_STORAGE_PATH === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm)

npm first-party
high pii_flow production #9b9b8eecd58200eb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45 · flow /tmp/closeopen-gagie1_z/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → /tmp/closeopen-gagie1_z/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a0845925b052bc1a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/keycloak.ts:520 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/containers/services/keycloak.ts:509 → /tmp/closeopen-gagie1_z/repo/packages/testing/containers/services/keycloak.ts:520
			const { headers, body } = await undiciRequest(formAction, {
				method: 'POST',
				headers: loginHeaders,
				body: loginBody.toString(),
				dispatcher: agent,
			});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0278bbeabe2f4ebf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/ngrok.ts:85 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/containers/services/ngrok.ts:48 → /tmp/closeopen-gagie1_z/repo/packages/testing/containers/services/ngrok.ts:85
			const response = await fetch(`http://${host}:${hostPort}/api/tunnels`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #81fa47e7f8ecd63c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:75 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/reporters/metrics-reporter.ts:75
					const response = await fetch(webhookUrl, {
						method: 'POST',
						headers: {
							'Content-Type': 'application/json',
							Authorization: `Basic ${auth}`,
						},
						body: JSON.stringify(payload),
						signal: AbortSignal.timeout(30000),
					});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1724f6620d3bbdfb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146
			res = await fetch(url, { headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #29543c220b85de58 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46
	const res = await fetch(`http://localhost:${VM_PORT}/api/v1/import`, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: readFileSync(metricsFile),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f80b612c8db6faef User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56
	const res = await fetch(`http://localhost:${VL_PORT}/insert/jsonline`, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: readFileSync(logsFile),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #82d47c076dba8dbc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:240 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:242 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:240
		return await this.api.request.post(`${params.basePath ?? DEFAULT_ENDPOINT_BASE_PATH}/revoke`, {
			form: {
				token: params.token,
				client_id: params.clientId,
				...(params.tokenTypeHint && { token_type_hint: params.tokenTypeHint }),
			},
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #63db18180e346183 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/instance-seeding/seedInstance.mjs:228 · flow /tmp/closeopen-gagie1_z/repo/scripts/instance-seeding/seedInstance.mjs:10 → /tmp/closeopen-gagie1_z/repo/scripts/instance-seeding/seedInstance.mjs:228
	const res = await fetch(`${BASE}/api/v1${path}`, {
		method,
		headers: HEADERS,
		body: body !== undefined ? JSON.stringify(body) : undefined,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8c1ffbb62255f5f7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/nathan.mjs:235 · flow /tmp/closeopen-gagie1_z/repo/scripts/nathan.mjs:232 → /tmp/closeopen-gagie1_z/repo/scripts/nathan.mjs:235
	res = await fetch(WEBHOOK, {
		method: 'POST',
		headers: { 'content-type': 'application/json' },
		body: JSON.stringify({
			token,
			text,
			command: '/nathan',
			response_url: tunnel.url + CALLBACK_PATH,
			user_id: user,
			user_name: user,
			channel_id: process.env.NATHAN_SLACK_CHANNEL || DEFAULT_SLACK_CHANNEL,
			trigger_id: String(Date.now()),
		}),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #f04ee0f525f19325 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45 · flow /tmp/closeopen-gagie1_z/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → /tmp/closeopen-gagie1_z/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 587 low-confidence finding(s)
low egress production #ca43c94e1229acd9 Hardcoded external endpoint. Review what data is sent to this destination.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #5fd7b4e0ed25e3a5 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:338
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83fd59b8c1ee19c6 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:345
		writeFileSync(join(repoDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #766961c8ea7de36f Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:351
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\ndrift-from-master\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc6f813173ac2e2e Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:386
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\npr-edit\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4602d80b63fa0407 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:405
	const originalStep = process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #642c00c9becb4dde Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:417
		writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #661da18278600b28 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:424
		writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8a8d9f7c201977e Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:432
			writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9ca2bec043c3626 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:445
		process.env.CI_FILTER_DEEPEN_STEP = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6758820908cb52e8 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:451
		if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99c040e1b77235b6 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:452
		else process.env.CI_FILTER_DEEPEN_STEP = originalStep;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76b8864da500605e Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:472
	const originalStep = process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #621250bde8dfe0c3 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:473
	const originalMax = process.env.CI_FILTER_MAX_DEEPEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16b1edba501c7921 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:484
		writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdc512990b4c7c25 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:490
		writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c92dc2933f24380 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:497
			writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47ad5c442ea29653 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:510
		process.env.CI_FILTER_DEEPEN_STEP = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e44c4dbf5833dd0e Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:511
		process.env.CI_FILTER_MAX_DEEPEN = '2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9908ec9f560b167 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:517
		if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1dfba86c956cfacb Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:518
		else process.env.CI_FILTER_DEEPEN_STEP = originalStep;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d2ab175a75d93295 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:519
		if (originalMax === undefined) delete process.env.CI_FILTER_MAX_DEEPEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab6df669c0e4eb24 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:520
		else process.env.CI_FILTER_MAX_DEEPEN = originalMax;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc9a97f991dbb754 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:552
		writeFileSync(join(repoDir, 'main.ts'), 'main\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be42d92d2ba26465 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:560
		writeFileSync(join(repoDir, 'feature.ts'), 'feature\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0258212fad378da7 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:582
		const originalEnv = process.env.INPUT_JOB_RESULTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e667df4a436407a5 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:586
		process.env.INPUT_JOB_RESULTS = JSON.stringify(jobResults);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e400df4d57edabb Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:594
			process.env.INPUT_JOB_RESULTS = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a37489c44ece4687 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:147
	let step = Number(process.env.CI_FILTER_DEEPEN_STEP) || 200;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76b76fb9b5b6a45c Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:148
	const maxDeepen = Number(process.env.CI_FILTER_MAX_DEEPEN) || 20_000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d6c216e4bdb12731 Filesystem access.
repo/.github/actions/ci-filter/ci-filter.mjs:195
		const content = readFileSync(shallowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #824ec5e7613024c0 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:245
	const outputFile = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c8959fede574b2a Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:265
	maxCount = Number(process.env.CI_FILTER_MAX_CHANGED_FILES) || 1000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71fe725513f54888 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:279
	const filtersInput = process.env.INPUT_FILTERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3bd432ed2f7efb8 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:280
	const baseRef = process.env.INPUT_BASE_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c78dfb317597eb7c Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:318
	const raw = process.env.INPUT_JOB_RESULTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4f57d707efe74b96 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:348
	const mode = process.env.INPUT_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bdf4a7cca1869688 Filesystem access.
repo/.github/scripts/bump-versions.mjs:3
import { writeFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0baa29dc73a7b3e0 Environment-variable access.
repo/.github/scripts/bump-versions.mjs:175
	const releaseType = /** @type { import('semver').ReleaseType | "experimental" } */ (
		process.env.RELEASE_TYPE
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f50752a1f8257d3a Filesystem access.
repo/.github/scripts/bump-versions.mjs:224
	const rootPkgJson = JSON.parse(await readFile(resolve(rootDir, 'package.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e361ec1022e00896 Filesystem access.
repo/.github/scripts/bump-versions.mjs:235
		await readFile(resolve(rootDir, 'pnpm-workspace.yaml'), 'utf-8').catch(() => ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #401f5de0c9e5fcd3 Filesystem access.
repo/.github/scripts/bump-versions.mjs:252
		const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #234b3d1fbb95e263 Filesystem access.
repo/.github/scripts/bump-versions.mjs:271
		const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #207c41875eb1b87e Filesystem access.
repo/.github/scripts/bump-versions.mjs:285
		await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c978e86444a6252 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:25
	const prNumber = process.env.PR_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a657c9c941dab594 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:26
	const headSha = process.env.HEAD_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b76f43af79df6d21 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:27
	const baseSha = process.env.BASE_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5405d79ff710131 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:28
	const isMergeGroup = process.env.IS_MERGE_GROUP === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #43e8d9c2eb3b50e7 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:90
		const url = `${process.env.CLA_API}?checkContributor=${encodeURIComponent(login)}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #c4368cf483e0fd08 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/cla/check-signatures.mjs:92 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/cla/check-signatures.mjs:90 → /tmp/closeopen-gagie1_z/repo/.github/scripts/cla/check-signatures.mjs:92
			const res = await fetch(url);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #02eb1d39c06f0950 Environment-variable access.
repo/.github/scripts/cla/manage-label.mjs:23
	const issue_number = Number(process.env.PR_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1c4e4feeac2d17a Environment-variable access.
repo/.github/scripts/cla/manage-label.mjs:24
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ff51ed5485399bf Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:24
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6161088a9eaabecf Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:25
	const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11a8ebef940da841 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:26
	const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d71fc2a7b1deb608 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:27
	const unlinked = JSON.parse(process.env.UNLINKED || '[]');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a73c674d691c565b Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:52
	const prNumber = process.env.PR_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5dba5bbde3013c2b Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:55
		: process.env.CLA_SIGN_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #085bce544f59706e Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:60
		sha: /** @type {string} */ (process.env.HEAD_SHA),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad77fd2894c729f1 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:62
		context: /** @type {string} */ (process.env.STATUS_CONTEXT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c542fd03cb293aff Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:19
	const issue_number = Number(process.env.PR_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93cf34841a899f3f Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:20
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #197524d22ecdce55 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:21
	const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8b1e3bdec58eff4 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:22
	const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7a78561d2dfd383 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:23
	const unlinked = JSON.parse(process.env.UNLINKED || '[]');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03042c844ab564f5 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:24
	const MARKER = /** @type {string} */ (process.env.COMMENT_MARKER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d3eff2a9a46c5b1 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:54
Like many open source projects, we ask that you sign our [Contributor License Agreement](${process.env.CLA_SIGN_URL}) before we can accept your contribution.`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f72d3fa6c9c89a67 Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:17
const task = process.env.INPUT_TASK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35a86f53d87b6677 Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:18
const useRaw = process.env.USE_RAW_PROMPT === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d3d5e45106e46d5 Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:19
const envFile = process.env.GITHUB_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72dd5d94f934f0e8 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:18
const resumeUrl = process.env.RESUME_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26ac081c12aba2d9 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:19
const executionFile = process.env.EXECUTION_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4e1cb7fb2eb0c33 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:20
const claudeOutcome = process.env.CLAUDE_OUTCOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #575f1ce98db5b3f8 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:21
const sessionId = process.env.CLAUDE_SESSION_ID ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2de3240c114e75ea Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:22
const branchName = process.env.BRANCH_NAME ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32af03d8fcb51e63 Filesystem access.
repo/.github/scripts/claude-task/resume-callback.mjs:34
		const execution = JSON.parse(readFileSync(executionFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #b031d34cfcf6b946 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/claude-task/resume-callback.mjs:45 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/claude-task/resume-callback.mjs:18 → /tmp/closeopen-gagie1_z/repo/.github/scripts/claude-task/resume-callback.mjs:45
	const response = await fetch(resumeUrl, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #3db950304d0fc0b3 Environment-variable access.
repo/.github/scripts/cleanup-ghcr-images.mjs:18
const ORG = process.env.GHCR_ORG || 'n8n-io';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bdcbf9919ee124c Environment-variable access.
repo/.github/scripts/cleanup-ghcr-images.mjs:19
const REPO = process.env.GHCR_REPO || 'n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9cb72e88c4de1b5 Filesystem access.
repo/.github/scripts/cleanup-release-branch.mjs:85
	const rawEventData = await fs.readFile(eventPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e2d13f4941a4477 Environment-variable access.
repo/.github/scripts/compute-backport-targets.mjs:70
	const pullRequestEnv = process.env.PULL_REQUEST_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afb85f1f97245f36 Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:72
		process.env.GITHUB_EVENT_PATH = './fixtures/mock-github-event.json';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52ecf0d8c3cb3415 Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:81
		process.env.PULL_REQUEST_ID = '123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #340fc9fdfc477795 Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:91
		process.env.PULL_REQUEST_ID = '#123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #386611b1562eebe7 Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:96
		process.env.PULL_REQUEST_ID = '123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #366c360182ec75be Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:101
		process.env.PULL_REQUEST_ID = 'abc-123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cff178f985a204ff Environment-variable access.
repo/.github/scripts/create-github-release.mjs:29
	const ADDITIONAL_TAGS = process.env.ADDITIONAL_TAGS ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40b4ce03ce87a4f3 Environment-variable access.
repo/.github/scripts/determine-release-candidate-branch-for-track.mjs:34
	const force = process.env.FORCE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86f5161e8ca1e4c8 Filesystem access.
repo/.github/scripts/determine-version-info.mjs:139
	const packageJson = JSON.parse(readFileSync('./package.json', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #226bc2107ee9edd7 Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:7
		this.githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6e8ccceb91cda9b Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:147
			event: getArg('event') || process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92627f72e7f1fa98 Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:148
			pr: getArg('pr') || process.env.GITHUB_PR_NUMBER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5d78e89b5ff6d4e Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:149
			branch: getArg('branch') || process.env.GITHUB_REF_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8a2d3f64139fae5 Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:7
		this.githubOwner = process.env.GITHUB_REPOSITORY_OWNER || 'n8n-io';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41c9652efac5fdb6 Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:8
		this.dockerUsername = process.env.DOCKER_USERNAME || 'n8nio';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #020ad1d37b36e003 Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:9
		this.githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1dc2fad271aa8a65 Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:18
const githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31652e2e0c7052ad Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:38
const n8nTag = process.env.N8N_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c863d0917004b16d Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:39
const runnersTag = process.env.RUNNERS_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71259a6e8f2bc5bb Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:40
const distrolessTag = process.env.DISTROLESS_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37a93c8949959dd6 Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:1
import { writeFile, readFile, copyFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb2bab492cd11cb0 Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:25
		...JSON.parse(await readFile(packageFile, 'utf-8')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a216ae99c61064f Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:49
	await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e799792f8f64fb4d Filesystem access.
repo/.github/scripts/github-helpers.mjs:172
	return JSON.parse(fs.readFileSync(eventPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34601b719064075d Environment-variable access.
repo/.github/scripts/github-helpers.mjs:214
	const v = process.env[variableName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9ca7b8be4bb05b3 Environment-variable access.
repo/.github/scripts/github-helpers.mjs:253
	const path = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff0bb452dcea44ab Environment-variable access.
repo/.github/scripts/github-helpers.test.mjs:24
		process.env.GITHUB_TOKEN = 'token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1f4ef57bc3a5e2b Environment-variable access.
repo/.github/scripts/github-helpers.test.mjs:25
		process.env.GITHUB_REPOSITORY = 'n8n-io/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e98b2b04e6180cb Filesystem access.
repo/.github/scripts/owners.mjs:50
	const content = readFileSync(path, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58c5cfab52426da8 Filesystem access.
repo/.github/scripts/owners.mjs:127
		readFileSync(path, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #144d6ff69d15ff65 Environment-variable access.
repo/.github/scripts/plan-release.mjs:13
const stable = process.env['STABLE_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7927874436e5d19 Environment-variable access.
repo/.github/scripts/plan-release.mjs:14
const beta = process.env['BETA_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb2abadbf4bbc885 Environment-variable access.
repo/.github/scripts/plan-release.mjs:15
const v1 = process.env['V1_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5df7ed3c1afce62 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:42
const webhookUrl = process.env.QA_METRICS_COMMENT_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1bb00efefb888c24 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:48
const repo = process.env.GITHUB_REPOSITORY ?? 'n8n-io/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6efed31341a516f Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:49
const sha = process.env.GITHUB_SHA?.slice(0, 8) ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4530dddb11cbf93e Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:55
const user = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb7baa268f706c61 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:56
const pass = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #1937f547b47ceef6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:65 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:65
	res = await fetch(webhookUrl, {
		method: 'POST',
		headers,
		body: JSON.stringify({
			pr_number: pr,
			github_repo: repo,
			git_sha: sha,
			baseline_days: baselineDays,
			metric_names: metrics,
		}),
		signal: AbortSignal.timeout(60_000),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #893e26acc08b0ce5 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:104
const token = process.env.GITHUB_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #4b71cba49adc89bf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:117 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:48 → /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:117
const comments = await fetch(
	`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments?per_page=100`,
	{ headers: ghHeaders },
).then((r) => r.json());

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow test-only Excluded from app score #0e47bf0e5f1c85f6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:127 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:127
	await fetch(
		`https://api.github.com/repos/${owner}/${repoName}/issues/comments/${existing.id}`,
		{ method: 'PATCH', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
	);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow test-only Excluded from app score #2075e072e87d115a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:133 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-gagie1_z/repo/.github/scripts/post-qa-metrics-comment.mjs:133
	const created = await fetch(
		`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments`,
		{ method: 'POST', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
	).then((r) => r.json());

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #fb2df4caf22689b8 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:141
	const match = (process.env.GITHUB_REF ?? '').match(/refs\/pull\/(\d+)/);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5432b8a455ae86a Environment-variable access.
repo/.github/scripts/promote-backport-labels-on-minor.mjs:27
	const dryRun = process.env.DRY_RUN === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f0268faf26e52f4 Filesystem access.
repo/.github/scripts/send-build-stats.mjs:36
const summary = JSON.parse(readFileSync(join(runsDir, files.at(-1)), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d612091c62f7bce Filesystem access.
repo/.github/scripts/send-docker-stats.mjs:42
	? JSON.parse(readFileSync(buildManifestPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24d396e68ee49a19 Filesystem access.
repo/.github/scripts/send-docker-stats.mjs:46
	? JSON.parse(readFileSync(dockerManifestPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9950d91e9931c1b Environment-variable access.
repo/.github/scripts/send-metrics.mjs:28
	const ref = process.env.GITHUB_REF || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc1a64f6565f3455 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:30
	const runId = process.env.GITHUB_RUN_ID || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8c68158ea6f1dd3 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:36
			sha: process.env.GITHUB_SHA?.slice(0, 8) || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b1000bcbc2c1bf1 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:37
			branch: process.env.GITHUB_HEAD_REF || process.env.GITHUB_REF_NAME || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7040f7a1b0f206e4 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:43
				runId && process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a85762cc5db1eccf Environment-variable access.
repo/.github/scripts/send-metrics.mjs:44
					? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b842c79f56fc75a5 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:46
			job: process.env.GITHUB_JOB || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df2e4357045ec8d4 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:47
			workflow: process.env.GITHUB_WORKFLOW || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e663bf41d75fc989 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:48
			attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92e31c5d1fb2f359 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:49
				? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5338cece21cb7aa9 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:53
			provider: !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2516e3a5c96b15dd Environment-variable access.
repo/.github/scripts/send-metrics.mjs:55
				: process.env.RUNNER_ENVIRONMENT === 'github-hosted'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b14281923b2efda Environment-variable access.
repo/.github/scripts/send-metrics.mjs:65
	const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8976ad22cc41ab56 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:66
	const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a794d530d4041f03 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:67
	const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #6edfcfc56f120976 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/send-metrics.mjs:87 · flow /tmp/closeopen-gagie1_z/repo/.github/scripts/send-metrics.mjs:65 → /tmp/closeopen-gagie1_z/repo/.github/scripts/send-metrics.mjs:87
		const response = await fetch(webhookUrl, {
			method: 'POST',
			headers: {
				'Content-Type': 'application/json',
				Authorization: `Basic ${basicAuth}`,
			},
			body: JSON.stringify(payload),
			signal: AbortSignal.timeout(5_000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #39b80ab73a81f08a Environment-variable access.
repo/.github/scripts/set-latest-for-monorepo-packages.mjs:27
	const token = process.env.NPM_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b41d8f3c9cc8659e Filesystem access.
repo/.github/scripts/slack/build-trivy-blocks.mjs:28
	const report = JSON.parse(readFileSync(results, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d33d6d9b88407a1 Filesystem access.
repo/.github/scripts/slack/build-trivy-blocks.test.mjs:18
	writeFileSync(path, JSON.stringify(report));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #58902831a34360f3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/.github/scripts/slack/notify.mjs:31
	const res = await fetch('https://slack.com/api/chat.postMessage', {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json; charset=utf-8',
			Authorization: `Bearer ${token}`,
		},
		body: JSON.stringify(payload),
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #c9bbb9609e767f0a Environment-variable access.
repo/.github/scripts/slack/notify.mjs:78
	const token = process.env.SLACK_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e707629e533d67d9 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:162
	if (process.env.GH_TOKEN) return process.env.GH_TOKEN.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d5ecae63080e10c5 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:163
	if (process.env.GITHUB_TOKEN) return process.env.GITHUB_TOKEN.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c4648f3dd2200a5 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:172
	if (process.env.GITHUB_REPOSITORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f0861eb1621f246 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:173
		const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d74c99047348de92 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:193
	if (process.env.DRY_RUN === 'false' || process.env.DRY_RUN === '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df24446a26479eed Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:196
	if (process.env.DRY_RUN === 'true' || process.env.DRY_RUN === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99d97a21dd0f7faf Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:210
	const raw = [...(values.exclude ?? []), process.env.EXCLUDE_BRANCHES ?? ''];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #820b31e79be1e235 Hardcoded external endpoint. Review what data is sent to this destination.
repo/.github/scripts/stale/clean-stale-branches.mjs:228
	const res = await fetch(`${API}/graphql`, {
		method: 'POST',
		headers: { ...ctx.headers, 'Content-Type': 'application/json' },
		body: JSON.stringify({ query, variables }),
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #8eb28bf345edef3b Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:398
	const staleDays = Number(values.days ?? process.env.STALE_DAYS ?? 100);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32f10f43fecf9c9b Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:400
		throw new Error(`Invalid --days value: ${values.days ?? process.env.STALE_DAYS}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65eb81a28b5f5342 Environment-variable access.
repo/.github/scripts/sync-conflict-owners.mjs:112
	const repo = process.env.GITHUB_REPOSITORY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84fa3213b3754f0e Environment-variable access.
repo/.github/scripts/sync-conflict-owners.mjs:113
	const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c55c8fa33e1abc2 Filesystem access.
repo/.github/scripts/trim-fe-packageJson.js:1
const { writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5f0af68608aadeb Filesystem access.
repo/.github/scripts/trim-fe-packageJson.js:13
	writeFileSync(filePath, JSON.stringify(packageJson, null, 2) + '\n', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f656a16dddf51c2b Filesystem access.
repo/.github/scripts/update-changelog.mjs:4
import { createReadStream, createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddc5a8d8b32c3f9a Environment-variable access.
repo/packages/testing/code-health/src/cli.ts:27
		changedFiles: parseChangedFiles(process.env.CODE_HEALTH_CHANGED_FILES),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #858825d68722d52b Environment-variable access.
repo/packages/testing/code-health/src/cli.ts:28
		addedFiles: parseChangedFiles(process.env.CODE_HEALTH_ADDED_FILES),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0867b0565fc1f731 Filesystem access.
repo/packages/testing/code-health/src/rules/catalog-violations.rule.test.ts:16
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2d7aa3760932e4e Filesystem access.
repo/packages/testing/code-health/src/rules/migration-timestamp.rule.test.ts:25
	fs.writeFileSync(fullPath, 'export {};\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68e2ba72229d10cf Filesystem access.
repo/packages/testing/code-health/src/rules/stale-overrides.rule.test.ts:17
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae233f0d614aec6e Filesystem access.
repo/packages/testing/code-health/src/rules/subpath-purity.rule.test.ts:16
		writeFileSync(abs, source, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bf209ad94e8951f Filesystem access.
repo/packages/testing/code-health/src/rules/workflow-pr-target-safety.rule.test.ts:16
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd09ee90c7f0208a Filesystem access.
repo/packages/testing/code-health/src/utils/node-modules-deps-scanner.ts:34
			pkg = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as OnDiskPackageJson;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc549d97b5d5469d Filesystem access.
repo/packages/testing/code-health/src/utils/overrides-parser.ts:21
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e74acc14d2bb48c8 Filesystem access.
repo/packages/testing/code-health/src/utils/package-json-scanner.ts:28
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #651b8b4c63752203 Filesystem access.
repo/packages/testing/code-health/src/utils/pnpm-lock-parser.ts:31
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af2cd63b892e0dd3 Filesystem access.
repo/packages/testing/code-health/src/utils/workflow-scanner.ts:35
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #871a84b8e290926e Filesystem access.
repo/packages/testing/code-health/src/utils/workspace-parser.ts:17
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3711065879c4fb0f Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:170
	if (process.env.N8N_LICENSE_TENANT_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f05e4c688e61f04 Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:171
		extraEnvs.push({ name: 'N8N_LICENSE_TENANT_ID', value: process.env.N8N_LICENSE_TENANT_ID });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b07780cc54dc46d8 Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:173
	if (process.env.N8N_LICENSE_ACTIVATION_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f6fb16ff0b96cdc Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:176
			value: process.env.N8N_LICENSE_ACTIVATION_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #263f06af7d989419 Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:179
	if (process.env.N8N_LICENSE_CERT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c25367db717c4e5 Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:180
		extraEnvs.push({ name: 'N8N_LICENSE_CERT', value: process.env.N8N_LICENSE_CERT });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89898f0e4ffad735 Filesystem access.
repo/packages/testing/containers/helm-stack.ts:331
	writeFileSync(kubeConfigPath, namedKubeconfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f1f8c144f28662e Filesystem access.
repo/packages/testing/containers/helm-stack.ts:349
		writeFileSync(defaultKubeconfig, merged);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c982b306c4f453e Filesystem access.
repo/packages/testing/containers/helm-start-stack.ts:124
		writeFileSync(values['url-file'], stack.baseUrl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19fdbb0375884fa6 Filesystem access.
repo/packages/testing/containers/helm-start-stack.ts:129
		writeFileSync(values['kubeconfig-file'], stack.kubeConfigPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0577434d8d0864ff Environment-variable access.
repo/packages/testing/containers/helpers/utils.ts:12
	const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1d718888197ccf9 Environment-variable access.
repo/packages/testing/containers/network-stabilization.ts:18
	if (!process.env.CI || os.platform() !== 'linux') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a64940cb37f5a6c Environment-variable access.
repo/packages/testing/containers/pull-test-images.ts:111
	if (failures.length > 0 && process.env.STRICT_IMAGE_PULL === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #459f5ce17eecf8ce Filesystem access.
repo/packages/testing/containers/service-stack.ts:83
	writeFileSync(devEnvFilePath(), lines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe59c1f394723e6e Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:48
	N8N_ENCRYPTION_KEY: process.env.N8N_ENCRYPTION_KEY ?? 'test-encryption-key',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4fa603ca8812bf9 Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:55
	N8N_LICENSE_TENANT_ID: process.env.N8N_LICENSE_TENANT_ID ?? '1001',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b55cc67f8714c9d Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:56
	N8N_LICENSE_ACTIVATION_KEY: process.env.N8N_LICENSE_ACTIVATION_KEY ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c908e2fcbd08ad07 Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:57
	N8N_LICENSE_CERT: process.env.N8N_LICENSE_CERT ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8dbb3eb0098d9a7 Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:119
			if (!process.env.N8N_LICENSE_ACTIVATION_KEY && !process.env.N8N_LICENSE_CERT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fade9eea6a81a170 Environment-variable access.
repo/packages/testing/containers/services/ngrok.ts:48
		const authToken = process.env.NGROK_AUTHTOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0795a1ede9a254b4 Filesystem access.
repo/packages/testing/containers/services/proxy.ts:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3703a84578c62978 Filesystem access.
repo/packages/testing/containers/services/proxy.ts:205
					const fileContent = await fs.readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1663ee374a279731 Filesystem access.
repo/packages/testing/containers/services/proxy.ts:488
				await fs.writeFile(filePath, JSON.stringify(processedExpectation, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7bf8b33dc47ea7 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:62
	const ref = process.env.GITHUB_REF ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #542a1e0dd4f30992 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:66
		sha: process.env.GITHUB_SHA?.slice(0, 8) ?? 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf533b77c438d553 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:67
		branch: process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME ?? 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06cf9da1affa913e Environment-variable access.
repo/packages/testing/containers/telemetry.ts:74
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #480c76464d63c983 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:75
		job: process.env.GITHUB_JOB,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f351a4854dc48c9 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:76
		workflow: process.env.GITHUB_WORKFLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e116fff2e4ad136 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:77
		attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcf047bc46a941b0 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:78
			? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d153f353ad88fbd5 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:85
	if (!process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb13b9894f185b4e Environment-variable access.
repo/packages/testing/containers/telemetry.ts:89
	if (process.env.RUNNER_ENVIRONMENT === 'github-hosted') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4219a10fd0cec65e Environment-variable access.
repo/packages/testing/containers/telemetry.ts:182
		const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d72508901b7216b Environment-variable access.
repo/packages/testing/containers/telemetry.ts:183
		const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f3638b7ec5c96cb Environment-variable access.
repo/packages/testing/containers/telemetry.ts:211
		const repo = process.env.GITHUB_REPOSITORY ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bfa4bd4092e353a Environment-variable access.
repo/packages/testing/containers/telemetry.ts:283
		const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51d3a63bac57c7d3 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:284
		const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc3db5ae19d00da3 Environment-variable access.
repo/packages/testing/containers/test-containers.ts:84
	let value = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c7c46b91c1167aa Environment-variable access.
repo/packages/testing/containers/test-containers.ts:87
		value = process.env.N8N_DOCKER_IMAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e8bed62d880558c Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:92
			fs.writeFileSync(
				path.join(tempDir, 'tsconfig.json'),
				JSON.stringify({
					compilerOptions: {
						target: 'ES2020',
						module: 'ESNext',
						moduleResolution: 'node',
						strict: true,
					},
					include: ['**/*.ts'],
				}),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6213488bc2908c36 Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:106
			fs.writeFileSync(
				path.join(tempDir, 'janitor.config.js'),
				`module.exports = {
					rootDir: '${tempDir}',
					patterns: {
						pages: ['pages/**/*.ts'],
						components: [],
						flows: [],
						tests: ['tests/**/*.spec.ts'],
						services: [],
						fixtures: [],
						helpers: [],
						factories: [],
						testData: [],
					},
					excludeFromPages: [],
					facade: { file: 'pages/AppPage.ts', className: 'AppPage', excludeTypes: [] },
					fixtureObjectName: 'app',
					apiFixtureName: 'api',
					rawApiPatterns: [],
					flowLayerName: 'Composable',
					architectureLayers: [],
					rules: {},
				};`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d658844e417e33bb Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:142
			fs.writeFileSync(path.join(tempDir, 'pages', 'CleanPage.ts'), 'export class CleanPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a99c5e6a3cb6fbc0 Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:165
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'VerbosePage.ts'),
				'export class VerbosePage {}',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca3247b922ff39cd Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:186
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'BaselinePage.ts'),
				'export class BaselinePage {}',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6579e99092ad3f19 Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:451
	const attempt = Number(process.env.GITHUB_RUN_ATTEMPT ?? '1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78e50132e407f31a Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:460
		firstNonEmpty(options.url, process.env.JANITOR_FILTER_SHARD_URL) ?? DEFAULT_FILTER_SHARD_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bce5c6cdc652d5a Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:461
	const runId = process.env.GITHUB_RUN_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #789bd944cc3c8f7e Filesystem access.
repo/packages/testing/janitor/src/cli.ts:546
		const includeRaw = fs.readFileSync(options.includeSpecsFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64db0f0671bc7a46 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:568
				const raw = JSON.parse(fs.readFileSync(metricsPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c66e2799c9dc52a4 Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:610
	const env = process.env.CHANGED_FILES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d426f089146b02c8 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:670
	const inputs = files.map((f) => ({ text: fs.readFileSync(f, 'utf8'), spec: f }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612002f69116a358 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:672
	fs.writeFileSync(options.outLcov, result.lcov);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab011af7b9e3606e Filesystem access.
repo/packages/testing/janitor/src/cli.ts:674
	fs.writeFileSync(options.outMap, JSON.stringify(encodeImpactMap(result.impactMap)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da901364b1c30a55 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:25
	writeFileSync(
		join(root, 'pnpm-workspace.yaml'),
		`packages:\n${opts.patterns.map((p) => `  - '${p}'`).join('\n')}\n`,
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7e2beaa156dda91 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:29
	writeFileSync(join(root, 'package.json'), JSON.stringify({ name: 'monorepo-root' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d41622c05aab1ea Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:38
		writeFileSync(join(pkgDir, 'package.json'), JSON.stringify(pkg));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e792d54ade2fc558 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:42
		writeFileSync(
			join(root, 'turbo.json'),
			JSON.stringify({
				tasks: Object.fromEntries(opts.turboTasks.map((t) => [t.taskId, { inputs: t.inputs }])),
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79ed774a2c0d4cdd Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.ts:18
		return JSON.parse(readFileSync(path, 'utf-8')) as T;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #643ba7f20db0a459 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.ts:42
		(parseYaml(readFileSync(wsFile, 'utf-8')) as { packages?: string[] } | null)?.packages ?? [];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60c864f4dc6d939a Filesystem access.
repo/packages/testing/janitor/src/core/ast-diff-analyzer.ts:81
		const currentContent = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d52857fbf8d5939 Filesystem access.
repo/packages/testing/janitor/src/core/baseline.test.ts:42
			fs.writeFileSync(path.join(tempDir, '.janitor-baseline.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eab84c348f85ff2f Filesystem access.
repo/packages/testing/janitor/src/core/impact-analyzer.ts:315
				const content = fs.readFileSync(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #054ff81d9ca1ae1f Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:24
		fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79adaa836837f9f5 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:49
		fs.writeFileSync(
			path.join(tempDir, 'tsconfig.json'),
			JSON.stringify({
				compilerOptions: {
					target: 'ES2020',
					module: 'ESNext',
					moduleResolution: 'node',
					strict: true,
				},
				include: ['**/*.ts'],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #109d073e16114739 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:203
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'simple-webhook.json'),
				JSON.stringify({ name: 'Simple Webhook' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74184b1652d65dbe Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:207
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'complex-flow.json'),
				JSON.stringify({ name: 'Complex Flow' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f2aeccda3d3a755 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:346
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'test-workflow.json'),
				JSON.stringify({ name: 'Test' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea364a9c1afb703a Filesystem access.
repo/packages/testing/janitor/src/core/method-usage-analyzer.ts:114
			const content = fs.readFileSync(testFilePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc32eba47b62124e Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:24
		fs.writeFileSync(path.join(tempDir, 'tsconfig.json'), JSON.stringify(tsconfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58681f32a5301316 Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:52
			fs.writeFileSync(path.join(pagesDir, 'TestPage.ts'), 'export class TestPage { foo() {} }');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acba628befb0e923 Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:65
			fs.writeFileSync(
				path.join(tempDir, 'TestClass.ts'),
				`export class TestClass {
					publicMethod() { return 1; }
					private privateMethod() { return 2; }
				}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db971dbafd911b98 Filesystem access.
repo/packages/testing/janitor/src/core/read-lockfile-importers.ts:25
		doc = parse(readFileSync(lockPath, 'utf8')) as typeof doc;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aba8eb2d0cbba158 Filesystem access.
repo/packages/testing/janitor/src/core/read-manifest-diffs.ts:17
		return existsSync(abs) ? readFileSync(abs, 'utf8') : '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ab3ab71c2d7c54d Filesystem access.
repo/packages/testing/janitor/src/core/scope-analyzer.test.ts:12
	writeFileSync(join(pkgDir, 'package.json'), JSON.stringify({ name: 'some-pkg' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50db01c7ceef38e3 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:28
		fs.writeFileSync(path.join(tempDir, 'pages', '.gitkeep'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a77ca5d182b7a40 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:29
		fs.writeFileSync(path.join(tempDir, 'tests', '.gitkeep'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #450ecd80a38eff13 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:32
		fs.writeFileSync(
			path.join(tempDir, 'tsconfig.json'),
			JSON.stringify({
				compilerOptions: {
					target: 'ES2020',
					module: 'ESNext',
					moduleResolution: 'node',
					strict: true,
					skipLibCheck: true,
					noEmit: true,
				},
				include: ['**/*.ts'],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05c1e22804057a68 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:48
		fs.writeFileSync(
			path.join(tempDir, 'package.json'),
			JSON.stringify({
				name: 'tcr-test',
				scripts: {
					typecheck: 'tsc --noEmit',
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06508d0fcb5f0f57 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:97
			fs.writeFileSync(path.join(tempDir, 'pages', 'NewPage.ts'), 'export class NewPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21e295e07732a4c8 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:108
			fs.writeFileSync(path.join(tempDir, 'pages', 'TestPage.ts'), 'export class TestPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94b1554ce33df3ec Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:112
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'TestPage.ts'),
				'export class TestPage { modified() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fc0e12afd13397e Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:136
			fs.writeFileSync(
				path.join(newDir, 'new-feature.spec.ts'),
				'import { test } from "@playwright/test"; test("new feature", () => {});',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #570a1153eaccfe9b Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:158
			fs.writeFileSync(
				path.join(newDir, 'staged-feature.spec.ts'),
				'export const test = { name: "staged feature test" };\n',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e31de286bb28e193 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:167
			fs.writeFileSync(
				path.join(tempDir, 'package.json'),
				JSON.stringify({ name: 'tcr-test', scripts: { typecheck: 'node -e ""' } }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63672a1d0aeeec5 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:188
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'ToDelete.ts'),
				'export class ToDelete { method() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc0de6cb1e5bd2a5 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:205
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'OldName.ts'),
				'export class OldName { method() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dcb7c40af316520 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:225
			fs.writeFileSync(
				path.join(tempDir, 'MethodClass.ts'),
				`export class MethodClass {
	existing() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #409c306aba6188a8 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:234
			fs.writeFileSync(
				path.join(tempDir, 'MethodClass.ts'),
				`export class MethodClass {
	existing() {}
	newMethod() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #205e405043b6bcc5 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:254
			fs.writeFileSync(
				path.join(tempDir, 'RemoveClass.ts'),
				`export class RemoveClass {
	keepMe() {}
	removeMe() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cd4c61dadc0ed07 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:264
			fs.writeFileSync(
				path.join(tempDir, 'RemoveClass.ts'),
				`export class RemoveClass {
	keepMe() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17064ca1fa99ccf8 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:283
			fs.writeFileSync(
				path.join(tempDir, 'ModifyClass.ts'),
				`export class ModifyClass {
	myMethod() { return 1; }
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd3d4019857c855c Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:292
			fs.writeFileSync(
				path.join(tempDir, 'ModifyClass.ts'),
				`export class ModifyClass {
	myMethod() { return 2; }
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0ff54c616404def Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:313
			fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), 'export class LargePage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b427429351a6809 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:318
			fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), largeContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #814c71de925cc02a Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:330
			fs.writeFileSync(path.join(tempDir, 'pages', 'SmallPage.ts'), 'export class SmallPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a67fb3d769d2237c Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:334
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'SmallPage.ts'),
				'export class SmallPage { x = 1; }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87d11e9c2f6e080a Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:387
			fs.writeFileSync(path.join(tempDir, 'pages', 'OtherPage.ts'), 'export class OtherPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a68448e07d417646 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:400
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'PageA.ts'),
				`import { PageB } from './PageB';
				export class PageA {}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa9a384fae239716 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:405
			fs.writeFileSync(path.join(tempDir, 'pages', 'PageB.ts'), 'export class PageB {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8c897e72730108f Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:437
			fs.writeFileSync(path.join(tempDir, 'pages', 'DryRunPage.ts'), 'export class DryRunPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2811a94a76b903c Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:452
			fs.writeFileSync(path.join(tempDir, 'pages', 'ResultPage.ts'), 'export class ResultPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43fd1e96056a2e37 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:483
			fs.writeFileSync(
				path.join(tempDir, 'tests', 'example.spec.ts'),
				'import { test } from "@playwright/test"; test("example", () => {});',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bbde58c608299aa Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:569
			fs.writeFileSync(path.join(tempDir, 'pages', 'FailPage.ts'), 'export class FailPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4e51791b6444cc0 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:574
			fs.writeFileSync(headFile, 'corrupted');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcde2d0d1417a9b0 Environment-variable access.
repo/packages/testing/janitor/vitest.config.ts:9
	process.env.CI === 'true' ? { pool: 'forks' as const, maxWorkers: '50%' } : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18d876098c24b002 Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:13
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f7f2ba6259fbdf Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:34
const baseline = JSON.parse(readFileSync(BASELINE_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a94299cc682d0647 Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:35
const current = JSON.parse(readFileSync(CURRENT_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fda52539f301e263 Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:12
import { readFileSync, writeFileSync, readdirSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cebc0fb8bc3720f4 Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:81
		const wf = JSON.parse(readFileSync(join(inputDir, file), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e1d40a7fb8ecd04 Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:166
writeFileSync(outputPath, JSON.stringify(fixture, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #533404f26c0eade9 Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:9
import { readFileSync, writeFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0c8cce63043327c Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:39
const results = JSON.parse(readFileSync(resultsPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9fba57bc417ede1 Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:69
writeFileSync(baselinePath, JSON.stringify(results, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87640978c8f2cd99 Environment-variable access.
repo/packages/testing/performance/vitest.config.ts:5
	plugins: [process.env.CODSPEED ? codspeedPlugin() : null].filter(Boolean),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #635c27e8a782b61d Environment-variable access.
repo/packages/testing/playwright/coverage-options.ts:13
export const COVERAGE_ENABLED = process.env.COVERAGE_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef61a583de1d97ba Environment-variable access.
repo/packages/testing/playwright/currents.config.ts:4
	recordKey: process.env.CURRENTS_RECORD_KEY ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffce386f9f3ea9f6 Environment-variable access.
repo/packages/testing/playwright/currents.config.ts:5
	projectId: process.env.CURRENTS_PROJECT_ID ?? 'nHHLA5',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74a62f8da9ae45cf Filesystem access.
repo/packages/testing/playwright/fixtures/backend-v8-coverage.ts:84
					writeFileSync(
						join(specDir, `raw-${slugify(testInfo.testId)}.json`),
						JSON.stringify({ result }),
					);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7431df19133a1e65 Filesystem access.
repo/packages/testing/playwright/fixtures/backend-v8-coverage.ts:88
					writeFileSync(join(specDir, '.spec'), spec);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c304586f84afedb Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:64
	const raw = process.env.N8N_TEST_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40e4dc36c33649cd Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:124
				...(process.env.N8N_COVERAGE_DIR ? { coverageHostDir: process.env.N8N_COVERAGE_DIR } : {}),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39d49d0b6ebacee0 Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:144
			if (process.env.N8N_CONTAINERS_KEEPALIVE === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5aa396a72a3735f4 Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:156
			const envBaseURL = process.env.N8N_BASE_URL ?? n8nContainer?.baseUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c861720bf4c78229 Environment-variable access.
repo/packages/testing/playwright/fixtures/langsmith.ts:20
			const client = process.env.LANGSMITH_API_KEY ? new Client() : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2d71cf3dda63fc0 Environment-variable access.
repo/packages/testing/playwright/fixtures/langsmith.ts:46
				project_name: process.env.LANGSMITH_PROJECT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8426e239e4aa801 Environment-variable access.
repo/packages/testing/playwright/fixtures/observability.ts:31
	if (process.env.CONTAINER_TELEMETRY_VERBOSE === '1') return true;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #2d40c0eb8c8f7a7d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/testing/playwright/fixtures/quarantine.ts:12
		const res = await fetch(QUARANTINE_WEBHOOK_URL, { signal: controller.signal });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #7e83563a5491e84e Environment-variable access.
repo/packages/testing/playwright/fixtures/quarantine.ts:69
			if (process.env.CURRENTS_RECORD_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0376f4555e5c6f2 Environment-variable access.
repo/packages/testing/playwright/fixtures/quarantine.ts:80
			if (process.env.CURRENTS_RECORD_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ca4cb510041b852 Filesystem access.
repo/packages/testing/playwright/fixtures/v8-coverage.ts:86
			writeFileSync(join(specDir, '.spec'), spec);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7196192927bc2fc4 Environment-variable access.
repo/packages/testing/playwright/global-setup.ts:16
	const resetE2eDb = process.env.RESET_E2E_DB;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #142466121dab1a27 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:30
const ALLOW_CONTAINER_ONLY = process.env.PLAYWRIGHT_ALLOW_CONTAINER_ONLY === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9da171db83aa77aa Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:176
				N8N_INSTANCE_AI_MODEL: process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-4o-mini',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2accf635f61c7e8a Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:178
				...(process.env.N8N_AI_OPENAI_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b9d2a0f3e9f6b6a Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:179
					N8N_AI_OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1708f812601c50db Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:180
					OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18b382e0edfba6b8 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:182
				...(process.env.LANGSMITH_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a6bf43bb9ea7ddf Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:183
					LANGSMITH_API_KEY: process.env.LANGSMITH_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6937967c11227b73 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:185
				...(process.env.ANTHROPIC_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612c5f3d701f4f36 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:186
					ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d4b7d2125c75f41 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:188
				...(process.env.OPENROUTER_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #697f4ecc696f9e54 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:189
					OPENROUTER_API_KEY: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b7d9d8994f92f5c Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:191
				...(process.env.CEREBRAS_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff18cda120e71ee4 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:192
					CEREBRAS_API_KEY: process.env.CEREBRAS_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b362e5324f5b0f3c Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:195
				...(process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2de433577806c52b Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:196
					N8N_INSTANCE_AI_SANDBOX_ENABLED: process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d2ab521d8baf0e8 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:198
						process.env.N8N_INSTANCE_AI_SANDBOX_PROVIDER ?? 'daytona',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e11cd1db8c477c8 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:199
					N8N_INSTANCE_AI_SANDBOX_IMAGE: process.env.N8N_INSTANCE_AI_SANDBOX_IMAGE ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31c874cc1ea908f2 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:201
				...(process.env.DAYTONA_API_URL && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d35a054e6a20aaf1 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:202
					DAYTONA_API_URL: process.env.DAYTONA_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #575a7037d1ca4d19 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:204
				...(process.env.DAYTONA_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41e31f6be2cba2eb Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:205
					DAYTONA_API_KEY: process.env.DAYTONA_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21bcd37502626361 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:13
const IS_CI = !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bdc16c6ed38109b Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:14
const IS_DEV = !!process.env.N8N_EDITOR_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #171d40e37eb704cf Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:22
	const testEnv = process.env.N8N_TEST_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f6c725a984371a2 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:52
const SKIP_WEB_SERVER = process.env.PLAYWRIGHT_SKIP_WEBSERVER === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cca16119f42d71f Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:109
		headless: process.env.SHOW_BROWSER !== 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10550584b86d645d Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:113
		currentsFixturesEnabled: !!process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6fa6beda894ad06 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:119
				['junit', { outputFile: process.env.PLAYWRIGHT_JUNIT_OUTPUT_NAME ?? 'results.xml' }],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59fee40d698f195b Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:122
				...(process.env.CURRENTS_RECORD_KEY ? [currentsReporter(currentsConfig)] : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79b5ae28fafbb85a Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:125
				...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59550511b5678c2b Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:132
				...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce1aaf5370a19b2a Filesystem access.
repo/packages/testing/playwright/reporters/benchmark-summary-reporter.ts:2
import { appendFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01972f803d6711f6 Environment-variable access.
repo/packages/testing/playwright/reporters/benchmark-summary-reporter.ts:242
		const summaryPath = process.env.GITHUB_STEP_SUMMARY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52d5232c8df339f8 Environment-variable access.
repo/packages/testing/playwright/reporters/langsmith-eval.ts:23
		if (process.env.LANGSMITH_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdb0d1e50a847ae6 Environment-variable access.
repo/packages/testing/playwright/reporters/langsmith-eval.ts:26
		const project = process.env.LANGSMITH_PROJECT ?? 'unset';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #054cac7568bd4641 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:40
		this.webhookUrl = options.webhookUrl ?? process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a26c471ce525f4a9 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:41
		this.webhookUser = options.webhookUser ?? process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d78216b4cf632bc1 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:42
		this.webhookPassword = options.webhookPassword ?? process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38e83f18d063d0d8 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:133
		const ref = process.env.GITHUB_REF ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bed1d3a2eb33755 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:135
		const runId = process.env.GITHUB_RUN_ID ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18fa841e5a567bd8 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:140
				sha: (process.env.GITHUB_SHA ?? this.gitFallback('rev-parse HEAD'))?.slice(0, 8) ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd5df1a022217c2d Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:142
					process.env.GITHUB_HEAD_REF ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82d03dd699a2247c Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:143
					process.env.GITHUB_REF_NAME ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51a6f50e550340a7 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:150
					runId && process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d12f628373bd03f Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:151
						? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dce5c96095f1ac26 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:153
				workflow: process.env.GITHUB_WORKFLOW ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8b8992f637c788b Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:154
				job: process.env.GITHUB_JOB ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3238520e9de0d19d Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:155
				attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdf1bb9dc872e78 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:156
					? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c4affa9606888fb Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:160
				provider: !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b374d038b167f65 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:162
					: process.env.RUNNER_ENVIRONMENT === 'github-hosted'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #473ebfac12368260 Filesystem access.
repo/packages/testing/playwright/scripts/aggregate-coverage.mjs:96
		writeFileSync(path.join(dir, `${label}-${i}.lcov`), transform(readFileSync(file, 'utf8'))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0608eec1a1df0d9c Filesystem access.
repo/packages/testing/playwright/scripts/ast-viewer.ts:11
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de35d79611789504 Environment-variable access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:23
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1d5fd590424c2a8 Environment-variable access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:24
const IMAGE_ROOT_PREFIX = process.env.IMAGE_ROOT_PREFIX ?? '/usr/local/lib/node_modules/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e664fe79a31d508 Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:40
				const name = JSON.parse(readFileSync(pkgJson, 'utf8')).name as string;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #719ac2fbbf89ed7c Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:113
				source = readFileSync(r.bytesFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97c7b27ec95c1570 Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:119
				const map = JSON.parse(readFileSync(`${r.bytesFile}.map`, 'utf8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45a9fff2968675ec Filesystem access.
repo/packages/testing/playwright/scripts/build-test-image.mjs:4
import { writeFileSync, existsSync, mkdirSync, copyFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5884d35e790b577a Filesystem access.
repo/packages/testing/playwright/scripts/build-test-image.mjs:51
		writeFileSync(
			dockerfilePath,
			`FROM ${targetImage}
COPY e2e.controller.js /usr/local/lib/node_modules/n8n/dist/controllers/e2e.controller.js
`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed86f530830e48a8 Filesystem access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:82
		return readFileSync(attachment.path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bae1548802a1a31 Environment-variable access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:150
	const summaryPath = process.env.GITHUB_STEP_SUMMARY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51e0d42ee85505e5 Filesystem access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:161
	const raw = readFileSync(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dd5ab3f1c53cb9c Environment-variable access.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87
const TOKEN = process.env.CODECOV_API_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #450eea87d04730c9 Filesystem access.
repo/packages/testing/playwright/scripts/coverage-pipeline.test.ts:39
		writeFileSync(join(sibling, 'specA', '.spec'), 'tests/e2e/x.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #798dfa07b8a3fadc Filesystem access.
repo/packages/testing/playwright/scripts/distribute-tests.mjs:232
	writeFileSync(allowPath, [...union].join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b937153290aa586f Environment-variable access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:32
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab9e7d3aafea38c2 Environment-variable access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:37
	const dir = process.env.N8N_COVERAGE_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45c5a524e32250b6 Filesystem access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:44
			parsed = JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23915401f7047b33 Filesystem access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:64
			JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f2550e53dcba38b Filesystem access.
repo/packages/testing/playwright/scripts/emit-spec-backend-lcovs.ts:47
					parsed = JSON.parse(readFileSync(join(dir, rf), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9462ca650f8d436 Filesystem access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:12
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #012a4f7378960f88 Environment-variable access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:86
	const apiKey = process.env.CURRENTS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5a96c2e597b1967 Filesystem access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:130
	fs.writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5afc25596505fadc Filesystem access.
repo/packages/testing/playwright/scripts/impact-map.mjs:98
const map = buildMap(parseLcov(readFileSync(lcovPath, 'utf8')), specId);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a72fe124f6cb61f Filesystem access.
repo/packages/testing/playwright/scripts/impact-map.mjs:99
const diff = parseDiff(readFileSync(diffPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7b0a1d02476953d Filesystem access.
repo/packages/testing/playwright/scripts/import-jaeger-traces.mjs:44
const raw = JSON.parse(readFileSync(tracesFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77c7d660b45a0740 Filesystem access.
repo/packages/testing/playwright/scripts/import-jaeger-traces.mjs:52
writeFileSync(
	wrappedFile,
	JSON.stringify({
		data: traces,
		total: traces.length,
		limit: traces.length,
		offset: 0,
		errors: null,
	}),
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c45c3486674186b8 Filesystem access.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49
		body: readFileSync(metricsFile),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #278417e61addbffd Filesystem access.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59
		body: readFileSync(logsFile),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c90892681273ce2 Environment-variable access.
repo/packages/testing/playwright/scripts/run-coverage-shard.mjs:36
	const image = process.env.TEST_IMAGE_N8N ?? 'n8nio/n8n:local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #967ab43eb011eb71 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-instance-ai.mjs:25
const apiKey = process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8fddbf35b6c9c28 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-instance-ai.mjs:40
		return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d232d36f1b177f Filesystem access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:39
import { mkdtempSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2e0ecad034f0f77 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:69
if (process.env.N8N_BASE_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #838949723cf5f79f Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:70
	backendUrl = process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b3fb170d6fa00e8 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:72
	brokerPort = process.env.N8N_RUNNERS_BROKER_PORT ?? String(await getFreePort());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #600277232cd52c36 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:86
		return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #590e185a44498dbe Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:99
	N8N_LOG_LEVEL: process.env.N8N_LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6654d20e0a6c4113 Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:72
	const changedFiles = process.argv.slice(2).join(',') || process.env.CHANGED_FILES || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04afa9cf8a025080 Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:77
		allSpecs: process.env.ALL_SPECS_FILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8091981bc9d7233 Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:78
		base: process.env.BASE_REF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f013fe4b2e6f43bc Filesystem access.
repo/packages/testing/playwright/scripts/select-affected-e2e.test.ts:33
			fs.writeFileSync(p, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53d001f232f1c279 Filesystem access.
repo/packages/testing/playwright/scripts/select-affected-e2e.test.ts:42
			fs.writeFileSync(p, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bca263ddef9a2a3 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:75
		writeFileSync(
			join(laneDir, 'test-results.json'),
			JSON.stringify(testResultsWithReports(specs)),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a248ad8e98020eae Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:94
		const written = JSON.parse(readFileSync(join(laneDir, looseFiles[0]), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7676997da43868be Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:116
		writeFileSync(
			join(root, 'test-results.json'),
			JSON.stringify({ suites: [{ specs: [{ tests: [{ results: [{ attachments: [] }] }] }] }] }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af7d5096d310b590 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:127
		writeFileSync(join(root, 'test-results.json'), '{ not valid json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0495f02cef714455 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:91
		args['hardware-runner'] ?? process.env.SIZING_MATRIX_RUNNER ?? DEFAULT_HARDWARE.runner;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceac41b2d1227ab4 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:94
		: process.env.SIZING_MATRIX_VCPU

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9be39b6c9dc794dc Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:95
			? Number(process.env.SIZING_MATRIX_VCPU)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #674b3a9d0c6c37cd Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:99
		: process.env.SIZING_MATRIX_RAM_GB

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f3524a2ecaa15b Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:100
			? Number(process.env.SIZING_MATRIX_RAM_GB)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc22081d6b443a7f Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:113
		const pkg = JSON.parse(readFileSync(join(REPO_ROOT, 'packages/cli/package.json'), 'utf8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #660a92f814236cdb Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:124
		const head = readFileSync(join(REPO_ROOT, '.git/HEAD'), 'utf8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c3d32339596ce7a Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:127
			return readFileSync(join(REPO_ROOT, '.git', refPath), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #025d9d7b1559ba8c Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:139
	const overrides = JSON.parse(readFileSync(path, 'utf8')) as SpecMapping;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #323de4e288479c1c Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:181
	const apiKey = process.env.CURRENTS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31e14e81542dbe8f Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:221
	writeFileSync(outPath, buf);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ed5397abed606c3 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:288
			report = JSON.parse(readFileSync(file, 'utf8')) as JSONReport;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71a5a27490f64876 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:296
			writeFileSync(join(laneDir, `${stem}.run-report.${index}.json`), body);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0bf0e957079d685 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:305
		const report = JSON.parse(readFileSync(path, 'utf8')) as RunReport;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5986de7e87509191 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:367
	writeFileSync(args.out, JSON.stringify(matrix, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a5bb9c20d6ca8d5 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:372
		writeFileSync(args.markdownOut, renderMarkdown(matrix));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #922250a6ec198b9a Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-topologies.test.ts:72
		const source = readFileSync(workerCmd, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow production #34eb42cafcecb6d1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/api-helper.ts:660 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/api-helper.ts:662 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/api-helper.ts:660
		const response = await this.request.post('/rest/login', {
			data: {
				emailOrLdapLoginId: credentials.email,
				password: credentials.password,
			},
			maxRetries: 3,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #706d6a04eab35e33 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/public-api-helper.ts:182 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/public-api-helper.ts:164 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/public-api-helper.ts:182
			const acceptResponse = await isolatedContext.post('/rest/invitations/accept', {
				data: { token, firstName, lastName, password },
			});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #7bdb4895dfc26e78 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/user-api-helper.ts:39 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/user-api-helper.ts:31 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/user-api-helper.ts:39
		const inviteResponse = await this.api.request.post('/rest/invitations', {
			data: [{ email: user.email, role: user.role }],
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #955015fd317d6644 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/user-api-helper.ts:55 · flow /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/user-api-helper.ts:31 → /tmp/closeopen-gagie1_z/repo/packages/testing/playwright/services/user-api-helper.ts:55
		const acceptResponse = await this.api.request.post('/rest/invitations/accept', {
			data: {
				token,
				firstName: user.firstName,
				lastName: user.lastName,
				password: user.password,
			},
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs production #83365072933c67f2 Filesystem access.
repo/packages/testing/playwright/services/workflow-api-helper.ts:2
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2efdfb859a424547 Filesystem access.
repo/packages/testing/playwright/services/workflow-api-helper.ts:345
		const fileContent = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #324c8725b0d4a53f Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:148
		unboundGrowthOutput = await readFile(or.analysisOutputFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14db6525ee8a4794 Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:159
		shapeGrowthOutput = await readFile(sr.analysisOutputFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6d26afea4432eb2 Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:233
	await writeFile(reportPath, JSON.stringify(report, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d52dc71424f0369 Filesystem access.
repo/packages/testing/playwright/utils/path-helper.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb69d745d75d312b Filesystem access.
repo/packages/testing/playwright/utils/performance-helper.ts:342
			await writeFile(`${outputDir}/${label}-smaps-raw.txt`, data.raw);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd65e59d801c47fe Filesystem access.
repo/packages/testing/playwright/utils/performance-helper.ts:351
		await writeFile(`${outputDir}/${label}-rss-breakdown.json`, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa7f71874465e991 Environment-variable access.
repo/packages/testing/playwright/utils/url-helper.ts:14
	return process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83d34546f5730abb Environment-variable access.
repo/packages/testing/playwright/utils/url-helper.ts:23
	return process.env.N8N_EDITOR_URL ?? process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f727b31c94de2c86 Filesystem access.
repo/packages/testing/rules-engine/src/baseline.ts:33
		const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43e1f5bf22f3165e Filesystem access.
repo/packages/testing/rules-engine/src/baseline.ts:74
	fs.writeFileSync(filePath, JSON.stringify(baseline, null, '\t') + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c73e2f0c3e832e0 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:49
		writeFileSync(join(bs, 'spec_a', '.spec'), 'tests/e2e/a.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2c57634d2c8e546 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:50
		writeFileSync(join(bs, 'spec_a', 'raw-1.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d00628166db58a7c Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:52
		writeFileSync(join(bs, 'no_marker', 'raw-1.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69f14a2662ebf513 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:54
		writeFileSync(join(bs, 'no_raw', '.spec'), 'x');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7474acf6840eb861 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:57
		writeFileSync(join(bs, 'spec_jsonl', '.spec'), 'tests/e2e/b.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c720aeeecf7d12e Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:58
		writeFileSync(join(bs, 'spec_jsonl', 'raw-1.jsonl'), '{}\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edcc98bc1ae700e0 Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:66
		const spec = readFileSync(specMarker, 'utf8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d38530087e55201e Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:84
		writeFileSync(
			join(outDir, `${slug}${suffix}.lcov`),
			forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c45025e3db3bc5e0 Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:86
			forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3125e83d8b6a6e62 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:29
		fs.writeFileSync(p, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7e0f6d7fcb2e4a4 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:57
		fs.writeFileSync(mapPath, '{not valid json,,,');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40294ce77aa88f80 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:73
		fs.writeFileSync(mapPath, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a2e3ced2962b1d3 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:92
		fs.writeFileSync(mapPath, JSON.stringify(interned));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #153403185bfba6c3 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:109
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26105c6d9575f761 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:127
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8324ca1a166f5fa4 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:140
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8994670c80fc7e11 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:155
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93ca87670252ba45 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:169
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #382c43b1eb40adb9 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:191
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8dcc49a02c9058f6 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:204
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23a7009af006ea6e Filesystem access.
repo/packages/testing/test-impact/src/select.ts:70
		const parsed: unknown = JSON.parse(fs.readFileSync(mapFile, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e34e1ed8e222f5b Filesystem access.
repo/packages/testing/test-impact/src/select.ts:93
		? parseSpecList(fs.readFileSync(input.allSpecsFile, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34cd65630bac57c6 Environment-variable access.
repo/scripts/agent-setup.mjs:122
	NODE_OPTIONS: process.env.NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a534c3d4757ba2da Environment-variable access.
repo/scripts/agent-setup.mjs:123
		? `${process.env.NODE_OPTIONS} ${NODE_OPTS}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fd4533a3f2c94f5 Filesystem access.
repo/scripts/agent-setup.mjs:167
	const content = await readFile(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2dc5e47f1884234d Filesystem access.
repo/scripts/agent-setup.mjs:201
	writeFileSync(summaryPath, JSON.stringify(summary, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b44b15ff4bc6fa2b Filesystem access.
repo/scripts/backend-module/setup.mjs:35
		const content = await readFile(path.join(templateDir, template), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89bc45ffeda65927 Filesystem access.
repo/scripts/backend-module/setup.mjs:36
		await fs.writeFile(target, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1136ec11e9db7011 Environment-variable access.
repo/scripts/build-n8n.mjs:15
const isCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52767969725fdc69 Environment-variable access.
repo/scripts/build-n8n.mjs:19
	process.env.CI === 'true' && process.env.INCLUDE_TEST_CONTROLLER !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec3cf6d001f4bbe7 Environment-variable access.
repo/scripts/build-n8n.mjs:23
process.env.FORCE_COLOR = isCI ? '0' : '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1901d8dcea34010 Environment-variable access.
repo/scripts/build-n8n.mjs:131
if (process.env.CI !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a73288f888fa589 Filesystem access.
repo/scripts/build-n8n.mjs:148
		const packageJsonContent = await fs.readFile(packageJsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bae843dcb6f417a3 Filesystem access.
repo/scripts/build-n8n.mjs:165
		await fs.writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25f40f805ccfbbc5 Filesystem access.
repo/scripts/build-n8n.mjs:186
	const content = await fs.readFile(cliPackagePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edd71e02cb43fa1b Filesystem access.
repo/scripts/build-n8n.mjs:189
	await fs.writeFile(cliPackagePath, JSON.stringify(packageJson, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2471d48457c31013 Environment-variable access.
repo/scripts/build-n8n.mjs:198
const generateLicenses = process.env.N8N_GENERATE_LICENSES === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d304d3a257a8643 Environment-variable access.
repo/scripts/build-n8n.mjs:200
	process.env.npm_config_shamefully_hoist = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07234769b259a30a Environment-variable access.
repo/scripts/build-n8n.mjs:256
		if (process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae36b3dbc1606393 Environment-variable access.
repo/scripts/build-n8n.mjs:267
if (process.env.CI !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d733b03bf01eab4d Filesystem access.
repo/scripts/check-workspace-deps.mjs:12
		const content = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34da226cc0b693fa Filesystem access.
repo/scripts/check-zod-peer-deps.mjs:55
		const pkg = JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a43b98886671ab9 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:16
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b35695ee78584a63 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:26
	if (process.env.DOCKER_PLATFORM) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddf50e79bcd82a72 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:27
		return process.env.DOCKER_PLATFORM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #116b70ee30d23caf Environment-variable access.
repo/scripts/dockerize-n8n.mjs:115
	const override = process.env.CONTAINER_ENGINE?.toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9793745783a0ba9d Environment-variable access.
repo/scripts/dockerize-n8n.mjs:143
const noCache = process.env.DOCKER_BUILD_NO_CACHE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9675c8abcfe6e6b7 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:144
const withBaseImage = process.env.DOCKER_BUILD_BASE_IMAGE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e53aed588d914fe Environment-variable access.
repo/scripts/dockerize-n8n.mjs:145
const nodeVersion = process.env.NODE_VERSION || '24.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26793115e867272f Environment-variable access.
repo/scripts/dockerize-n8n.mjs:156
		imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9b0044bc03b826e Environment-variable access.
repo/scripts/dockerize-n8n.mjs:157
		imageTag: process.env.IMAGE_TAG || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce06b14e143a4b45 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:164
		imageBaseName: process.env.RUNNERS_IMAGE_BASE_NAME || 'n8nio/runners',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9930fd5da0c954d2 Filesystem access.
repo/scripts/format.mjs:3
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22a6aeb50166b623 Filesystem access.
repo/scripts/generate-emoji-data.mjs:126
	const rawData = JSON.parse(readFileSync(compactDataPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dec6c889675ddced Filesystem access.
repo/scripts/generate-emoji-data.mjs:133
	const fullData = JSON.parse(readFileSync(fullDataPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131d0d3be8116ee0 Filesystem access.
repo/scripts/generate-emoji-data.mjs:240
	writeFileSync(OUTPUT_PATH, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee24889123bc50d1 Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:48
	const lucideJson = JSON.parse(readFileSync(LUCIDE_JSON_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7617882e1b44c7c Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:57
			cache = JSON.parse(readFileSync(CACHE_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f9e99e8370db582 Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:79
		writeFileSync(CACHE_PATH, JSON.stringify(cache, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b11a426141ff1c5b Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:128
	writeFileSync(OUTPUT_PATH, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd4e036694b44cc6 Filesystem access.
repo/scripts/grind.mjs:70
	const pkg = JSON.parse(readFileSync(resolve(pkgRootDir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d58b6e623dd44e8d Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:10
const BASE = process.env.N8N_BASE_URL ?? 'http://localhost:5678';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18b3392c6fadba73 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:11
const KEY = process.env.N8N_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a89bf04c6760ad1f Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:17
const CLEAR = (process.env.CLEAR ?? 'false').toLowerCase() === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9882a1813ef74dc8 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:18
const PERSONAL_WORKFLOWS = Number(process.env.WF_MULTIPLIER) || 50;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff3d52a7e19812c0 Filesystem access.
repo/scripts/licenses/check-sbom-licenses.mjs:43
	const raw = await readFile(SPDX_IDS_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb29289354b0f555 Filesystem access.
repo/scripts/licenses/check-sbom-licenses.mjs:212
		sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0e1ab6ef8ea8aae Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:53
		const raw = await readFile(OVERRIDES_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9658496eaa2f8919 Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:124
				const pkg = JSON.parse(await readFile(path.join(dir, entry.name), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1583243a3ec9217e Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:272
	const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b781a5b71fd2e8bf Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:279
		licenseText = (await readFile(licenseFile, 'utf-8')).trim() || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23d7bc1de0c9b210 Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:319
	await writeFile(outputPath, JSON.stringify(enriched, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad8b8187253cd47b Filesystem access.
repo/scripts/licenses/enrich-sbom.test.mjs:251
			await writeFile(path.join(dir, rel), JSON.stringify(json));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d14298be5f746136 Filesystem access.
repo/scripts/licenses/pipeline.test.mjs:53
		const sbom = JSON.parse(await readFile(enriched, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1d780efb8db67bb Filesystem access.
repo/scripts/licenses/properties.test.mjs:71
		const raw = JSON.parse(readFileSync(path.join(HERE, 'spdx-license-ids.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29070b4394b2ca48 Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:90
			const text = await readFile(path.join(resolvedPkgDir, candidate), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9838b2bdf8436a4 Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:123
		const raw = await readFile(OVERRIDES_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91d2cfd2d51dcead Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:254
	const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75283747ed8a46e8 Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:285
	await writeFile(outputPath, markdown);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f6714f3dcd513c9 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:418
		await writeFile(path.join(pkgDir, 'LICENSE'), 'PKGA LICENSE TEXT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98a495730d839ac0 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:426
		await writeFile(path.join(pkgDir, 'LICENSE.md'), 'SCOPED PKGB TEXT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #601a2a976053280e Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:434
		await writeFile(path.join(pkgDir, 'README.md'), 'not a license');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5ba4fede6b051ab Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:435
		await writeFile(path.join(pkgDir, 'CHANGELOG'), 'not a license');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86a190164c5e09b6 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:436
		await writeFile(path.join(pkgDir, 'package.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f251b86dc049824d Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:437
		await writeFile(path.join(pkgDir, 'COPYING'), 'COPYING IS A LICENSE');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20cb431fb251cf25 Filesystem access.
repo/scripts/mutation-health/build-matrix.mjs:202
	writeFileSync(file, JSON.stringify(coverageMap));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c162aafa7bdbdf0e Filesystem access.
repo/scripts/mutation-health/build-matrix.mjs:210
		return parseLedgerBody(readFileSync(ledgerFile, 'utf8')).rows;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4741618625a11b61 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:241
	const sourceFile = (process.env.SOURCE_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e01391848b05c342 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:242
	const requestedMode = (process.env.REQUESTED_MODE ?? 'both').trim() || 'both';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53bf32666df9597c Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:243
	const topNRaw = (process.env.TOP_N ?? '6').trim() || '6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0107dd93f2e90763 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:244
	const ledgerFile = (process.env.LEDGER_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0ee3afb539be62e Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:245
	const signalsFile = (process.env.SIGNALS_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b4746c394de2439 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:246
	const coverageFile = (process.env.COVERAGE_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #987b258cd2cc91f7 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:267
	const bootstrapRaw = (process.env.BOOTSTRAP_PACKAGES ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5ef830d6a1e8048 Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:309
	const summary = JSON.parse(await readFile(summaryPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f2821fd0b0085e9 Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:331
		const signals = JSON.parse(await readFile(signalsPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f6081531e1b175a Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:362
	await writeFile(outPath, JSON.stringify({ ledger, events }, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70312afd10acc49 Filesystem access.
repo/scripts/mutation-health/ledger.mjs:48
	const raw = await readFile(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cffe491cfde6dc1 Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:116
		writeFileSync(file, body(MULTI_PKG_FIXTURE));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58d2af20000ec4ff Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:123
		writeFileSync(file, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0be2d22f07031109 Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:130
		writeFileSync(file, body(MULTI_PKG_FIXTURE));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cfac18d15c7fd3b Environment-variable access.
repo/scripts/mutation-health/mutate.mjs:67
const THRESHOLD = Number(process.env.STRYKER_THRESHOLD ?? 80);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44ab6072d5f6f370 Filesystem access.
repo/scripts/mutation-health/mutate.mjs:394
		await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5ae56080ee82c92 Filesystem access.
repo/scripts/mutation-health/mutate.mjs:407
	const raw = JSON.parse(await readFile(rawJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b070785999c47b8f Filesystem access.
repo/scripts/mutation-health/mutate.mjs:419
	await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2034be49910273a0 Filesystem access.
repo/scripts/mutation-health/pick-next.mjs:369
		return JSON.parse(await readFile(resolved, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a30d6aaaa0af610 Filesystem access.
repo/scripts/mutation-health/pick-next.mjs:497
	const pkgName = JSON.parse(await readFile(pkgJsonPath, 'utf8')).name;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00a9b2bff5ae3679 Environment-variable access.
repo/scripts/mutation-health/stryker.default.mjs:34
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fff611f837cde98 Environment-variable access.
repo/scripts/nathan.mjs:34
const IDLE_MS = posNum(process.env.NATHAN_IDLE_MS, 8000, 'NATHAN_IDLE_MS'); // grace after a result for trailing msgs

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edf97f3f24fdc24e Environment-variable access.
repo/scripts/nathan.mjs:37
const TIMEOUT_MS = posNum(process.env.NATHAN_TIMEOUT_MS, 1_500_000, 'NATHAN_TIMEOUT_MS'); // 25 min

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f7c60b6acd70d2f Filesystem access.
repo/scripts/nathan.mjs:104
const readSavedToken = () => { try { return fs.readFileSync(tokenFile, 'utf8').trim() || null; } catch { return null; } };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21c3c7ebeb8d6cb0 Filesystem access.
repo/scripts/nathan.mjs:107
	fs.writeFileSync(tokenFile, `${t}\n`, { mode: 0o600 });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a088a2434aa5393d Environment-variable access.
repo/scripts/nathan.mjs:136
const slackTarget = process.env.NATHAN_SLACK_CHANNEL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdf51f601afd8844 Environment-variable access.
repo/scripts/nathan.mjs:137
	? `Slack channel ${process.env.NATHAN_SLACK_CHANNEL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53cefcb89dbd80ec Environment-variable access.
repo/scripts/nathan.mjs:232
const user = process.env.NATHAN_USER || os.userInfo().username;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #47fa5b9f48a188f5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/nathan.mjs:235
	res = await fetch(WEBHOOK, {
		method: 'POST',
		headers: { 'content-type': 'application/json' },
		body: JSON.stringify({
			token,
			text,
			command: '/nathan',
			response_url: tunnel.url + CALLBACK_PATH,
			user_id: user,
			user_name: user,
			channel_id: process.env.NATHAN_SLACK_CHANNEL || DEFAULT_SLACK_CHANNEL,
			trigger_id: String(Date.now()),
		}),
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #9385fdd91f739edb Environment-variable access.
repo/scripts/nathan.mjs:245
			channel_id: process.env.NATHAN_SLACK_CHANNEL || DEFAULT_SLACK_CHANNEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77feaee09d81c958 Environment-variable access.
repo/scripts/prepare.mjs:6
if (process.env.CI || process.env.DOCKER_BUILD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c9771a7cbf85454 Environment-variable access.
repo/scripts/reset.mjs:8
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #923374568c08c3fe Environment-variable access.
repo/scripts/reset.mjs:32
const nodeOptions = process.env.NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78f5a7d83b7d7531 Environment-variable access.
repo/scripts/reset.mjs:33
	? `${process.env.NODE_OPTIONS} --max-old-space-size=${mem}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b03053831f86e6a7 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:11
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #296d5a0d58892ef9 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:18
	const resolved = path.resolve(process.env[envVar] || path.join(rootDir, defaultRelPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ca06a021d5ec868 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:28
	imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e2c00fb78fa7578 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:29
	imageTag: process.env.IMAGE_TAG || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #072a893994ee2dac Environment-variable access.
repo/scripts/scan-n8n-image.mjs:30
	trivyImage: process.env.TRIVY_IMAGE || 'aquasec/trivy:latest',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffd8eb8942f4c515 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:31
	severity: process.env.TRIVY_SEVERITY || 'CRITICAL,HIGH,MEDIUM,LOW',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8df6c2d79c901e3 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:32
	outputFormat: process.env.TRIVY_FORMAT || 'table',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #974025c9908b4aba Environment-variable access.
repo/scripts/scan-n8n-image.mjs:33
	outputFile: process.env.TRIVY_OUTPUT || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae24dd082aa3b01c Environment-variable access.
repo/scripts/scan-n8n-image.mjs:34
	scanTimeout: process.env.TRIVY_TIMEOUT || '10m',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b64b76a28b9b7ae Environment-variable access.
repo/scripts/scan-n8n-image.mjs:35
	ignoreUnfixed: process.env.TRIVY_IGNORE_UNFIXED === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a95f83836bd46f5 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:36
	scanners: process.env.TRIVY_SCANNERS || 'vuln',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc58c5465540a311 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:37
	quiet: process.env.TRIVY_QUIET === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b008516b53169e9 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:11
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92a336206934c584 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:13
const IMAGE = process.env.SMOKE_IMAGE || 'n8nio/n8n:local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce5582d5170db033 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:24
	ref: process.env.CLOUD_CHART_REF || 'main',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91a1f52ac44b6682 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:27
	chartPath: process.env.CLOUD_CHART_PATH || 'packages/instance-controller/charts/n8napp/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c64623936dffd9b6 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:29
		process.env.CLOUD_CHART_VALUES ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1567603614985129 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:81
const cloud = process.env.SMOKE_SKIP_CLOUD === 'true' ? [] : await fetchCloudInvocations();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a0741193a9a92b2 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:82
if (process.env.SMOKE_SKIP_CLOUD !== 'true' && cloud.length === 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7a94c58b31e9492 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:62
		const pkg = JSON.parse(readFileSync(join(asDir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57f03b2d10521d36 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:78
	const pkg = JSON.parse(readFileSync(join(dir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ffbcb799926bf93 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:212
		? JSON.parse(readFileSync(resultsFile, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca4300ef53872572 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:221
	writeFileSync(resultsFile, `${JSON.stringify(data, null, 2)}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e80161b6c52272b7 Filesystem access.
repo/scripts/typescript-migration/summarize.mjs:96
		.map((f) => JSON.parse(readFileSync(join(RESULTS_DIR, f), 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5ecf89ceb440b6d Filesystem access.
repo/scripts/typescript-migration/summarize.mjs:121
	writeFileSync(out, `${md.join('\n')}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/instance-ai

npm first-party
high pii_flow production #4b4b98fda8413a6e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219 · flow /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 → /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219
	const response = await fetch(getOpenAiResponsesUrl(model.url), {
		method: 'POST',
		headers: {
			Authorization: `Bearer ${model.apiKey}`,
			'Content-Type': 'application/json',
		},
		body: JSON.stringify(requestBody),
		signal: abortSignal,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ff7a812660d0cd4d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74 · flow /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:75 → /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74
		const response = await fetch(new URL(path, this.config.baseUrl), {
			headers: { Authorization: `Bearer ${this.config.apiKey}` },
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8cea505565c9760f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91 · flow /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:94 → /tmp/closeopen-gagie1_z/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91
		const response = await fetch(new URL(path, this.config.baseUrl), {
			method,
			headers: {
				Authorization: `Bearer ${this.config.apiKey}`,
				'Content-Type': 'application/json',
			},
			body: JSON.stringify(body),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 324 low-confidence finding(s)
low env_fs test-only #e05dfc284999fa62 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/case-files-schema.test.ts:19
		const raw = jsonParse<unknown>(readFileSync(join(WORKFLOWS_DIR, file), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21f2d081512a8383 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:18
			originalEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd6e997f4e119e7a Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:19
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d22e6d78b2531230 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:26
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cb15f47cc594727 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:28
				process.env[key] = originalEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #140b8ff96d2329c0 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:35
			process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52a06acaad7be1a3 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:36
			process.env.GITHUB_SHA = '357e949547671e2cd1c017eb4e7c809cd55bd121';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54064e2d43117309 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:40
			process.env.LANGSMITH_BRANCH = 'feature-branch';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6e83834240ce5b0 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:41
			process.env.GITHUB_HEAD_REF = 'should-not-be-used';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1cdac9e2a3cf230 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:42
			process.env.GITHUB_REF_NAME = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b4948f97026492f Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:48
			process.env.GITHUB_HEAD_REF = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ee2a08c25d60487 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:49
			process.env.GITHUB_REF_NAME = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c090ea43f99c31bc Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:55
			process.env.GITHUB_REF_NAME = 'master';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c13ba0bd0428ae69 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:61
			process.env.LANGSMITH_BRANCH = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8ad83263405584f Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:67
			process.env.LANGSMITH_BRANCH = 'feature//thing';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09b21c07952649ff Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:73
			delete process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #418a886b1364f751 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:74
			process.env.LANGSMITH_BRANCH = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd115f06da0032be Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:86
			process.env.LANGSMITH_BRANCH = 'should-not-be-used';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #759e6e06471acdcb Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:109
			originalEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48d376d4a2e8d9aa Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:110
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60357607a94e4027 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:117
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf71ce9b9d7ca086 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:119
				process.env[key] = originalEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33939ee7e64af283 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:129
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91972e037d86c421 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:130
		process.env.GITHUB_EVENT_NAME = 'pull_request_review';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #251b129d94001c05 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:131
		process.env.GITHUB_RUN_ID = '12345';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1db7ca30e33f167e Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:141
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0080684cc451885 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:142
		process.env.LANGSMITH_BRANCH = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc49a0807ffefdf9 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:143
		process.env.LANGSMITH_REVISION_ID = '357e949547671e2cd1c017eb4e7c809cd55bd121';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0da651f14b7c8e65 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:144
		process.env.GITHUB_REF = 'refs/pull/30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e95e7774a05151d Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:53
		writeFileSync(path, JSON.stringify(makeSeed()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ccdaadf91cd5eb38 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:62
		writeFileSync(path, JSON.stringify({ messages: [{ id: 'm1' }] }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c751693911115574 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:69
		writeFileSync(path, JSON.stringify({ messages: [] }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6efe2f31e1f64353 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/data-workflows-schema.test.ts:9
import { readdirSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61b4de9b93d3a54f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/data-workflows.test.ts:9
import { readdirSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b681a8b72df078c9 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder-timeout.test.ts:3
import { mkdtempSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c92d0bffd7bdc658 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:3
import { mkdtempSync, readFileSync, rmSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25f240c4ea21740c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:221
		const logged = readFileSync(String(result.logFile), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e1bf3c4e1c3b4e7 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:271
			const parsed: unknown = JSON.parse(readFileSync(path, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9514a199eeb41d59 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:1
import { mkdtempSync, rmSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61e368aa89e4b3d8 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:30
		writeFileSync(path, JSON.stringify(content));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56d21f0089e068c0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:56
		writeFileSync(path, '{ this is not json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4310b2c94d8e29c7 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/stub-services.test.ts:15
	await fs.writeFile(file, JSON.stringify(entries), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27b4878ab10429db Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:38
const VERIFIER_DEBUG = process.env.N8N_EVAL_VERIFIER_DEBUG === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8297ac8165a075e9 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/args.ts:190
	if (validated.buildViaMcp && !process.env.LANGSMITH_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53cc2b536fe2c36e Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:8
import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1257dd3866c6aa36 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:248
	const content = readFileSync(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e59524f6f4ada5db Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:373
	writeFileSync(args.manifestPath, JSON.stringify(manifest, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfd2132feba923b3 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:402
	writeFileSync(args.statsPath, JSON.stringify(stats, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eca2026111091441 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:572
	console.log(readFileSync(args.manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b86ae39ba85312b Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:31
	const isCI = process.env.GITHUB_ACTIONS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6636fe9afd6e1d1b Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:39
		trigger: process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b9f1d9d2cfe5b58 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:40
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5bd5902788166e45 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:42
			process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bbec3faff7babac Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:43
		commitSha: process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa6984e16b7af95d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:45
		prNumber: process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//)?.[1],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9532b8bd4564b20 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:70
	if (process.env.GITHUB_ACTIONS !== 'true') return undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e4ec26b59953942 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:73
		process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6e52b751d21af03 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:74
	const sha = process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4774d9bb1c84b2f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:163
		fs.readFile(summaryPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77c310c3dcfe1d44 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:164
		fs.readFile(resultsPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54625c3cf9b47ccc Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:421
		return await fs.readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d357943a00907b4 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:1256
	await fs.writeFile(args.out, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5cca76f8065d70a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:11
import { mkdirSync, unlinkSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e30b33eb03454e8b Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:426
		const hasLangSmith = Boolean(process.env.LANGSMITH_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e02a131c83524fd5 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:469
		const commitSha = process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d309702037d70e3 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:1819
	writeFileSync(jsonPath, JSON.stringify(report, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47618b59d8d5f306 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:1825
	writeFileSync(
		prCommentPath,
		formatComparisonMarkdown(evaluation, outcome, {
			commitSha,
			slugByTestCase,
			rerun,
			gate,
			passMetrics: { passAtK: metrics.passAtK, passHatK: metrics.passHatK },
			experimentUrl,
		}),
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29d21903fded44b5 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:18
import { existsSync, readFileSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5f77d6923c4edbe Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:39
	const content = readFileSync(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c379dae9d71334a7 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:69
	writeFileSync(tmpPath, JSON.stringify({ mcpServers: { [serverName]: block } }), { mode: 0o600 });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3e401d6674f1665 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:314
			writeFileSync(logFile, stdout || stderr || fallback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe61d87487b4cc19 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:81
		const content = readFileSync(exampleIdsFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c3f0d4533825b10 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:105
		baseUrl: get('--base-url') ?? process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c92a33eb13f8238a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:189
	const content = readFileSync(absolute, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0326b3febfb4f777 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:456
				await fs.writeFile(workflowPath, JSON.stringify(record.workflow, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #536a9c9023af899c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:460
	await fs.writeFile(jsonlPath, lines.join('\n') + '\n', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1968315085ba1b4 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:501
	await fs.writeFile(csvPath, [csvHeader, ...csvRows].join('\n') + '\n', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #597a9a00d9c11142 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:592
	await fs.writeFile(
		path.join(outputDir, 'summary.json'),
		JSON.stringify(summary, null, 2),
		'utf8',
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25b0c34dd8d2463b Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:617
		await fs.writeFile(reportFile, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #649e70749dfe28b1 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:637
	const apiKey = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb71c1b185cdaf33 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:124
				fs.readFile(summaryPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #722077dbe640c461 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:125
				fs.readFile(resultsPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #497d94251571bd4a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:674
	await fs.writeFile(args.reportFile, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e572b310a2480f7f Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:142
		const loginEmail = email ?? process.env.N8N_EVAL_EMAIL ?? '[email protected]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40fc91ae8516f21a Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:143
		const loginPassword = password ?? process.env.N8N_EVAL_PASSWORD ?? 'PlaywrightTest123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba0b5fc6a7e6dee5 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:19
		await writeFile(join(dir, 'README.md'), '# hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bef0740bfcba31c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:26
		await writeFile(join(dir, 'docs', 'workflow.md'), '...');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd0f67b3656c53d2 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:32
		await writeFile(join(dir, 'readme.txt'), '...');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b39de5afccb361ab Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:40
			await writeFile(join(outside, 'secret.md'), 'should not be readable');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a104232989dcb0d6 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:54
			await writeFile(join(parent, 'sibling.md'), '# sibling');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b05164930bace0c7 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:83
		await writeFile(join(dir, 'leftover.md'), '# still here');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78ffafc0808cec32 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:93
		await writeFile(join(dir, 'project', 'briefing.md'), '# moved');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1527f75c0bd6b69 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:114
		await writeFile(join(dir, 'doc.md'), '# Architecture\n\nThis describes the workflow.');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cef29d2726c01259 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:124
		await writeFile(join(dir, 'doc.md'), 'random unrelated content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #887ec9dae36146ca Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:134
		await writeFile(join(dir, 'doc.md'), '# Architecture only');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c49d24b6681d8fbf Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:137
		const raw = await readFile(join(dataDir, file), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4458b0d755b3bc14 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:213
		const raw = await readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e2c73e6e2bc4cd0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:295
	await writeFile(reportPath, JSON.stringify(report, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3b6fdf5166198fa Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:302
		await writeFile(htmlPath, renderHtml(report), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fceb8b4cd770f629 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/graders/fs.ts:75
			content = await readFile(absPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1fad183983824d2 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/render-existing.ts:15
const report = jsonParse<RunReport>(readFileSync(inputPath, 'utf-8'), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a43c52497e117e0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/render-existing.ts:18
writeFileSync(outputPath, renderHtml(report), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e0efdd8ddf5d541 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/runner.ts:205
	const raw = await readFile(fixturePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d64e9f82b34b287d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/credentials/seeder.ts:120
		const envToken = template.envVar ? process.env[template.envVar] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ff67cdeb6c75209 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/data/discovery/index.ts:1
import { readFileSync, readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f106727e55cf0f86 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/data/discovery/index.ts:13
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #222653e7c6cebe82 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/discovery/cli.ts:37
const DEFAULT_MODEL = process.env.N8N_INSTANCE_AI_EVAL_MODEL ?? 'anthropic/claude-sonnet-4-6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3869930a98597886 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/discovery/cli.ts:266
	if (!process.env.ANTHROPIC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5454558365dc0842 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:292
	return jsonParse<T>(readFileSync(filePath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f0917e0f2ed1092 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:354
		model: (process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-5.5').split('/').at(-1) ?? 'gpt-5.5',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d6f037821c531f4 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:404
	writeFileSync(outputPath, JSON.stringify(requestBody, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dde92be349a4a96c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/conversation-seed.ts:63
		raw = JSON.parse(readFileSync(filePath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6981e4be86e0feb Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:90
		process.env.LANGSMITH_ENDPOINT ?? process.env.LANGCHAIN_ENDPOINT ?? US_DEFAULT_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #782405786e389ef0 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:92
	const homeKey = process.env.LANGSMITH_API_KEY ?? process.env.LANGCHAIN_API_KEY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f656866d96f230c0 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:98
	const usHost = bareHost(process.env.LANGSMITH_ENDPOINT_US ?? US_DEFAULT_ENDPOINT);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e26756c5d13b10a3 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:100
		const usKey = process.env.LANGSMITH_API_KEY_US ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77688b8188f09d6a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/prebuilt-workflows.ts:20
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df1fd47d04ebcaaf Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/prebuilt-workflows.ts:36
		raw = JSON.parse(readFileSync(path, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9141308de01f741 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:115
	const raw = process.env.N8N_EVAL_MAX_CONCURRENT_SCENARIOS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #716888fef4531e6c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:209
		await writeFile(
			filePath,
			JSON.stringify(
				{
					timestamp,
					workflowId: input.workflowId,
					testCaseName: input.testCaseName,
					scenarioName: input.scenarioName,
					passed: input.passed,
					result: input.result ?? null,
					verificationResults: input.verificationResults,
					verifierAttempts: input.verifierAttempts,
					buildTrace: input.buildTrace ?? null,
				},
				null,
				2,
			),
			'utf8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a5b8111cd99a341 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1572
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3326a732ec3f430d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1573
			process.env.N8N_AI_ANTHROPIC_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #414c85792ccec2c1 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1574
			process.env.ANTHROPIC_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa22c4d15305e116 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/stub-services.ts:325
		content = await fs.readFile(jsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f99e9de9811eab3 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:25
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612515ca5bf30164 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:426
	fs.writeFileSync(reportPath, html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21044807beab2615 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:427
	fs.writeFileSync(path.join(reportDir, 'workflow-eval-llm-debug.html'), html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e4344dddcf43e30 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:10
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06103f27d6720b25 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:1641
	fs.writeFileSync(reportPath, html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38892a70db74f6ba Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:1644
	fs.writeFileSync(path.join(reportDir, 'workflow-eval-report.html'), html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #230484a67ca5f0cf Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:56
		modelId: process.env.N8N_INSTANCE_AI_EVAL_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a71ae75d424cc21c Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:58
		baseUrl: process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3863782211151e86 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:125
		const raw = readFileSync(join(DATA_DIR, file), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad50d830139b7bdb Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:218
	const apiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a3a5e6cf51ca64d Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/get-json-files.ts:1
import { readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3215c70c2aa89f3 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/load-eval-cases.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7b73eb2564be0f6 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/load-eval-cases.ts:16
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ab88662d54aac8a Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:38
	return process.env.N8N_VERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d27ef1a307faa475 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:55
	const apiKey = process.env.DAYTONA_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d2a4eb415eb2524 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:60
	const apiUrl = process.env.DAYTONA_API_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #248c0ad4bc2e2fe4 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:63
	const baseImage = process.env.SANDBOX_IMAGE || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bce5085991fb3a8 Filesystem access.
repo/packages/@n8n/instance-ai/scripts/print-prompts.ts:12
import { mkdirSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09e0de2df4184025 Filesystem access.
repo/packages/@n8n/instance-ai/scripts/print-prompts.ts:146
			writeFileSync(target, renderFile(agent, variant), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ffc523d5033395e Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:3
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c32abdfcea3dc0f Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:10
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8aa427d2b0264b9 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:12
		process.env.N8N_ENABLED_MODULES = enabledModules;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7ccfc3850b1897b Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:21
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a51bda6e04d1216b Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:23
		process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b8aa33e1572a5de Filesystem access.
repo/packages/@n8n/instance-ai/src/knowledge-base/materialize-knowledge-base.ts:177
			entry.content ?? (await readFile(join(referenceSourceDir, entry.fileName), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f769ed59e34fa798 Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:7
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d678de33d31603d Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:12
			delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7cdecf2daa1fbb0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:14
			process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e8c80ef7a72fbc7 Filesystem access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:19
		const skill = readFileSync(
			join(INSTANCE_AI_SKILLS_DIR, 'workflow-builder', 'SKILL.md'),
			'utf-8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c2dd81394886efe Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:369
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de0f9d292544f01f Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:371
		process.env.N8N_ENABLED_MODULES = enabledModules;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0c5ed95b7e6fe81 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:527
				const originalE2ETests = process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f03a9b177c220c75 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:528
				process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #224923fa5f14c9f3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:563
						delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65e65edae43314b7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:565
						process.env.E2E_TESTS = originalE2ETests;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #58c9d3ab31290974 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/instance-ai/src/tools/__tests__/n8n-docs.tool.test.ts:127
		expect(registry.byUrl.get(GOOGLE_OAUTH_URL)?.title).toBe('Google: OAuth2 single service');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #e75bfdbc5e74bc13 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/instance-ai/src/tools/__tests__/n8n-docs.tool.test.ts:128
		expect(registry.byUrl.get(FIGMA_CREDENTIALS_URL)?.title).toBe('Figma credentials');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #c6cb64f1f1318151 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/executions.tool.ts:189
	if (process.env.E2E_TESTS !== 'true' || allowList === undefined) return undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #452054acedc10b4e Filesystem access.
repo/packages/@n8n/instance-ai/src/tools/workflows/build-workflow.tool.ts:237
		const raw = readFileSync(
			join(INSTANCE_AI_SKILLS_DIR, POST_BUILD_FLOW_SKILL_ID, 'SKILL.md'),
			'utf-8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5fa2e90b3cda1be6 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:346
	const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #306ba652e8ea30d5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:347
	const originalLangSmithTracing = process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9a1fea0358a3fb7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:348
	const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39c22034e2686429 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:349
	const originalLangSmithProject = process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cbfe2b643f54773 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:350
	const originalLangChainProject = process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a6e1ce22e07fc10 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:351
	const originalTraceInternal = process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c1c27e7c8a1868e Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:352
	const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e00035e9b01b0cb Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:357
		process.env.LANGSMITH_API_KEY = 'test-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23c62633b7c1ab8e Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:358
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a71ba1ac3386963 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:359
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #def74988ebda1b06 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:360
		delete process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2ab37955055250b Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:361
		delete process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac2657d10780bcc2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:362
		delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b05745e67862d03 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:363
		delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88e88800c07f2512 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:367
		process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0088ae2d23dfcc6 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:369
			delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #183b81573b466c09 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:371
			process.env.LANGSMITH_TRACING = originalLangSmithTracing;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58393a111a6d3e5c Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:374
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77b56338cea1ec3c Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:376
			process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b547070427781282 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:379
			delete process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d38f8300cabd847 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:381
			process.env.LANGSMITH_PROJECT = originalLangSmithProject;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07436518db54c8c3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:384
			delete process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #22ecbfca50d14a78 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:386
			process.env.LANGCHAIN_PROJECT = originalLangChainProject;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #686b5263eea95035 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:389
			delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #029e86da72000b7a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:391
			process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = originalTraceInternal;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77a7631d9c6f8b3f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:394
			delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #155361496f4ce7f4 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:396
			process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5afc043496cd4d63 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:478
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e82ae6b400ef2b3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:479
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7be0f6f22c5b2059 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:489
		expect(process.env.LANGSMITH_TRACING).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e41db59c5e4b8d3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:490
		expect(process.env.LANGCHAIN_TRACING_V2).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a310b2183c0d4d0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:506
		process.env.LANGSMITH_PROJECT = 'instance-ai-evals';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c5bcc14b4feaf00 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1152
		process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e3b495ef6d678f2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1962
		delete process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24cc0118344aceb9 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1963
		delete process.env.LANGCHAIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f3cac36ad2f2d48 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1964
		delete process.env.LANGSMITH_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fe86757392f1813 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1965
		delete process.env.LANGCHAIN_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #766d998548ff7e89 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1966
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8025c8cb2725136 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1967
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5fc489d50c34f79a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1988
		process.env.N8N_DIAGNOSTICS_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0840f543e1811271 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2134
		process.env.LANGCHAIN_TRACING_V2 = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0c664d356ddba622 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2154
	const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c646982ba7d1a90 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2155
	const originalLangSmithTracing = process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f4056640ea57f3f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2156
	const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbf50e2ce8756637 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2157
	const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #565213786af42681 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2162
		process.env.LANGSMITH_API_KEY = 'test-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #270531cf504f31a0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2163
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #146b4c9a86b8c087 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2164
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb142f86aec75b11 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2165
		delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3f9bea6cd0e2550 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2169
		process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f5be1acefd6d91e Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2171
			delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10746794b7da9224 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2173
			process.env.LANGSMITH_TRACING = originalLangSmithTracing;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f234aa946a6c4b81 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2176
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c3a33a68c5ede74 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2178
			process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7d1bb04b6c9a570 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2181
			delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59a9f8df2ba3eef4 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2183
			process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6086ad4af2d87012 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2217
		delete process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbce2b97bdf614c7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2218
		process.env.LANGCHAIN_TRACING_V2 = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88b730e89e1429a8 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:671
	return process.env.LANGSMITH_PROJECT ?? process.env.LANGCHAIN_PROJECT ?? DEFAULT_PROJECT_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23c07aa5313217d2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:675
	if (readBooleanEnvFlag(process.env.N8N_DIAGNOSTICS_ENABLED) === false) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9aef2e72ceec59c7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:680
		process.env.LANGCHAIN_TRACING_V2 ?? process.env.LANGSMITH_TRACING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e4043657069ed3b Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:690
		process.env.LANGSMITH_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c01c6e03abe57fd0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:691
			process.env.LANGCHAIN_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e58877a47ed99fd Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:692
			process.env.LANGSMITH_ENDPOINT ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63c5d3fc22aaecef Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:693
			process.env.LANGCHAIN_ENDPOINT ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6d58f337a95beed Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:700
		process.env.N8N_INSTANCE_AI_TRACE_INTERNAL === 'true' ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f570bebcf45cf1b2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:701
		process.env.N8N_INSTANCE_AI_TRACE_INCLUDE_INTERNAL === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62c5f3a14928c227 Filesystem access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:1496
				return extractPackageVersion(JSON.parse(await readFile(packageJsonPath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6f6121a2a856dd9 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:3
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f8892a26f87a275 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:8
			delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #715509c37f0c1cf9 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:10
			process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c100ca6aa636e3b8 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:15
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #710e31cbda18ad9d Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:21
		process.env.N8N_ENABLED_MODULES = 'instance-ai';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cde5299aecd782a Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:27
		process.env.N8N_ENABLED_MODULES = 'instance-ai,agents';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c1a7a9890972b24 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:33
		process.env.N8N_ENABLED_MODULES = ' instance-ai, agents ';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69fd3398d0da0510 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:38
		delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9ec7272183fd77d Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:54
		process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a43d420b96c37097 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:63
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY = 'generic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9aca04b59d615ea5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:64
		process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c1ebb4422f49fa7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:65
		process.env.ANTHROPIC_API_KEY = 'provider-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f07a4e6caec8c5e Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:73
		process.env.OPENAI_API_KEY = 'openai-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e434c489d02984d Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/agent-feature-enabled.ts:5
		(process.env.N8N_ENABLED_MODULES ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b2b38821c19b256 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:38
		process.env.N8N_INSTANCE_AI_EVAL_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #522dc9134dfeed47 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:39
		process.env.N8N_INSTANCE_AI_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4aa4a828368dd742 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:47
	const providerKey = providerKeyEnv ? process.env[providerKeyEnv] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bff5ddc5daafee0c Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:49
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #396d12fcea82ca2c Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:50
		(provider === 'anthropic' ? process.env.N8N_AI_ANTHROPIC_KEY : undefined) ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e45487a6a157e73 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:68
	const url = process.env.N8N_INSTANCE_AI_MODEL_URL?.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8be441e9c4796aa4 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:155
		const cachedArchive = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #608cc1b66622e1f2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:157
		const cachedEtag = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9ea07c95934eb90 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:159
		const cachedSha = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #97cf18ae6b3a2f3c Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:272
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #beee5364ea8e5fc6 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:273
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"pre-existing"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42913b2ac721b7f8 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:274
		await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60684148eff314cb Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:316
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"orphan"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #158fc26d5446b72a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:332
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc4bee79283388c4 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:354
		await fsp.writeFile(path.join(blockedArchivePath, 'block'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dfe40f4e314ec389 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:362
		const etagOnDisk = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #413b3a7d4d12f44d Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:442
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), corruptArchive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa036c6402e7c237 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:443
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25c73db0af55d970 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:444
		await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3be6c9259f20dea4 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:446
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'deadbeef'.repeat(8));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d6230abee6d6f50 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:523
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), legacyArchive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27da1ac26b157f61 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:524
			await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"legacy-etag"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d90883a4edbcf42 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:525
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(legacyArchive));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #344fbf965aa942fb Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:539
			const channelOnDisk = await fsp.readFile(path.join(cacheDir, 'channel.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91cf54a7ea607364 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:547
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ce1dfa6d0da13b2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:548
			await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"latest-etag"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76060fef26666abf Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:549
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(archive));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc280b0a06044aab Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:550
			await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'latest');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18762323f92fb682 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:609
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcdd97eab0147f21 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:610
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cfc8de9e60d93a9e Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:611
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5540447d40914db Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:616
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef55aa72573e56e8 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:623
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = 'banana';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed671423444af84f Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:635
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c80153cf00699c6 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:638
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '-4';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #340d54fb879bd6e1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:644
		process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08696f41f42f443b Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:645
		process.env.N8N_INSTANCE_AI_TEMPLATES_URL = 'https://example.com/v2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba2db4bb306aac21 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:171
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9f5faf0a208f5e2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:194
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12e42032f07dcab5 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:210
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f8ec59672ffb77a Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:90
		delete process.env[LINK_WORKSPACE_SDK_ENV];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78f24ee508ec7b8d Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:92
		process.env[LINK_WORKSPACE_SDK_ENV] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #579eaf94d44adb4f Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:227
		process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9826c3a9c871c454 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:229
		delete process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef4a9dc76bcb34b5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:242
	const originalLinkSdk = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f60eb209a920ea6 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/scoped-workspace.test.ts:87
		await workspace.filesystem?.writeFile('src/workflow.ts', 'code', { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cf40468490d703e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/scoped-workspace.test.ts:101
			workspace.filesystem?.readFile('/workspace/builders/agent-2/src/workflow.ts'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #906f5c4bc0e5f94a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:33
		await expect(readFile(join(stagingDir, 'skills/demo/SKILL.md'), 'utf-8')).resolves.toBe(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2be35f47b8d71525 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:37
			readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0c85f72245bd8bc Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:52
		await expect(readFile(join(first.stagingDir, 'package.json'), 'utf-8')).resolves.toBe(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c809a8e94edc2217 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:78
			readFile(join(results[0].stagingDir, 'skills/post-build-flow/SKILL.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63080278e8c60475 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:81
			readFile(join(results[0].stagingDir, 'knowledge-base/templates/example.ts'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #394ec17b1771a09a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:162
			readFile(join(stagingDir, 'skills/data-table-manager/SKILL.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #591e07e000c6918d Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:165
			readFile(
				join(stagingDir, 'skills/data-table-manager/references/data-table-playbook.md'),
				'utf-8',
			),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb53be7d62259e2d Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:171
			readFile(join(stagingDir, 'skills/registry.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28cd44c10cb26637 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:174
			readFile(join(stagingDir, 'skills/.manifest.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37f441b00dc05880 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:177
			readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82c49bbffaf80ebe Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:180
			readFile(join(stagingDir, 'knowledge-base/best-practices/index.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #301f686423ac7469 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:183
			readFile(join(stagingDir, 'knowledge-base/.manifest.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7fd7de453ee7ac6 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:238
			const buffer = await fsp.readFile(archivePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d61eaa36617d99ad Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:281
			const raw = await fsp.readFile(path.join(this.cacheDir, ETAG_FILENAME), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0be4b5916d6f34e1 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:290
			const raw = await fsp.readFile(path.join(this.cacheDir, SHA256_FILENAME), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c0ca2a7de1a0761 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:299
			const raw = (await fsp.readFile(path.join(this.cacheDir, CHANNEL_FILENAME), 'utf-8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85d22aee1cb46954 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:552
		await fsp.writeFile(tmp, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #353e70019ed5b9d5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:592
	const url = process.env.N8N_INSTANCE_AI_TEMPLATES_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f23b33983552391 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:593
	const hoursRaw = process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71300b00f197cc88 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:594
	const disabled = process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64ed1e9c0a850ec3 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/lazy-runtime-workspace.ts:225
		return await (await this.getFilesystem()).readFile(path, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13f44a4fb29097ea Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/lazy-runtime-workspace.ts:229
		await (await this.getFilesystem()).writeFile(path, content, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ddd7b6f9adff278 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/pack-workspace-sdk.ts:45
	const v = process.env[ENV_FLAG];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e47ad196b60f124 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/pack-workspace-sdk.ts:94
		const tarball = await readFile(tarballPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa6ae568ebbbfc99 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:125
	const linkFlag = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3334fe1f8fb43855 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:361
		await filesystem.writeFile(path, content, { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dab1a305ad90045 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:380
			const content = await filesystem.readFile(path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46a162be932dd9e0 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/scoped-workspace.ts:75
		return await this.filesystem.readFile(resolvePath(this.root, path), options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f26bd66addd198af Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/scoped-workspace.ts:79
		await this.filesystem.writeFile(resolvePath(this.root, path), content, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6266e159098a4bd0 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/snapshot-image-context.ts:39
		await writeFile(targetPath, content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42eea4f7a16c0844 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/workspace-files.ts:43
			return decodeWorkspaceFileContent(await filesystem.readFile(filePath, { encoding: 'utf-8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #399aeab8a958425a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/workspace-files.ts:80
			await workspace.filesystem.writeFile(filePath, content, { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/cli

npm first-party
high pii_flow production #336c9b725d668fd5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/cli/src/client.ts:90 · flow /tmp/closeopen-gagie1_z/repo/packages/@n8n/cli/src/client.ts:49 → /tmp/closeopen-gagie1_z/repo/packages/@n8n/cli/src/client.ts:90
			response = await fetch(url.toString(), { method, headers, body });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 23 low-confidence finding(s)
low env_fs test-only #6fcbb98de3f36000 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:25
		delete process.env.N8N_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #166fe8da2f97b5b1 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:26
		delete process.env.N8N_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cdc45c376f2aa18 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:36
		process.env.N8N_URL = 'https://env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d023489fe513b10b Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:37
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac268b43833b01d9 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:49
		process.env.N8N_URL = 'https://env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #49b347b024e62938 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:50
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3303c4f72c8b614c Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:88
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67df78869558399a Filesystem access.
repo/packages/@n8n/cli/src/base-command.ts:156
			return fs.readFileSync(0, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce564c1c5ab4adce Filesystem access.
repo/packages/@n8n/cli/src/base-command.ts:159
			return fs.readFileSync(flags.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd91335943916eab Filesystem access.
repo/packages/@n8n/cli/src/commands/package/export.ts:69
			fs.writeFileSync(flags.output, archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d53b1db5d0433ea8 Filesystem access.
repo/packages/@n8n/cli/src/commands/package/import.ts:68
			const buffer = fs.readFileSync(flags.file);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a55829798660423 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:39
		const content = fs.readFileSync(skillSource, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87411903abac08a5 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:61
		fs.writeFileSync(targetFile, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10de9cd5407589dc Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:77
			const existing = fs.readFileSync(targetFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #850bf747e652b8f7 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:82
			fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #005f087d4a46de22 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:85
			fs.writeFileSync(targetFile, stripped);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f91379a888d34f Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:95
			const existing = fs.readFileSync(targetFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0175a3033c81e3f Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:100
			fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc584dd5a867f318 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:103
			fs.writeFileSync(targetFile, stripped);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #723849bf1ea26908 Filesystem access.
repo/packages/@n8n/cli/src/config.ts:21
		const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38434178a4ab0e00 Filesystem access.
repo/packages/@n8n/cli/src/config.ts:30
	fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', {
		mode: 0o600,
	});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7743898091dad0c Environment-variable access.
repo/packages/@n8n/cli/src/config.ts:52
		url: flags.url ?? process.env.N8N_URL ?? config.url,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e62d6922c3a2717e Environment-variable access.
repo/packages/@n8n/cli/src/config.ts:53
		apiKey: flags.apiKey ?? process.env.N8N_API_KEY ?? config.apiKey,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/computer-use

npm first-party
high pii_flow production #7fa46d7567f39da9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/computer-use/src/gateway-client.ts:302 · flow /tmp/closeopen-gagie1_z/repo/packages/@n8n/computer-use/src/gateway-client.ts:308 → /tmp/closeopen-gagie1_z/repo/packages/@n8n/computer-use/src/gateway-client.ts:302
		const response = await fetch(url, {
			method: 'POST',
			headers,
			body: JSON.stringify({
				rootPath: this.dir,
				tools,
				hostIdentifier: `${os.userInfo().username}@${os.hostname()}`,
				toolCategories: this.activeToolCategories,
			}),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 37 low-confidence finding(s)
low env_fs production #4b6a197bc38fee1f Environment-variable access.
repo/packages/@n8n/computer-use/src/config.test.ts:102
		process.env.N8N_GATEWAY_ALLOWED_ORIGINS = 'https://from-env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be1e9879a41fb63c Environment-variable access.
repo/packages/@n8n/computer-use/src/config.ts:78
	return process.env[`${ENV_PREFIX}${name}`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6e00b1e9027f561 Environment-variable access.
repo/packages/@n8n/computer-use/src/config.ts:167
	const logLevel = envString('LOG_LEVEL') ?? process.env.LOG_LEVEL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb4171ff956aa3ba Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:44
		await fs.writeFile(path.join(dir, 'settings.json'), JSON.stringify(initial), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70cfe97fcb59936c Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:87
		await fs.writeFile(filePath, 'not-json', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1278e8cc5282e11b Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:102
		const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69e824f2021e05ea Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:121
		await fs.writeFile(file, existing, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71b2bb50b3342f09 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:124
		const raw = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43c10a70c911a51d Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:243
		const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60ab872d4a827df3 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:107
		await fs.writeFile(filePath, JSON.stringify(initialSettings, null, 2), {
			encoding: 'utf-8',
			mode: 0o600,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec460cf57fc8f27e Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:264
		await fs.writeFile(this.filePath, JSON.stringify(this.persistent, null, 2), {
			encoding: 'utf-8',
			mode: 0o600,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #197f3ec4f6879767 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:277
		const raw = await fs.readFile(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #362a2f55fce08806 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:102
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55a487c07e75d032 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:123
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f7de59b6583434 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:137
		await fs.writeFile(file, existing, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07ff241a320b53cc Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:141
		const raw = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22c0449f927f04cc Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:150
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6efc222b96854906 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/edit-file.ts:38
		const content = await fs.readFile(resolvedReadablePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8879cde98d03850 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/edit-file.ts:44
		await fs.writeFile(resolvedWritablePath, content.replace(oldString, newString), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18bc527d1f02d7be Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/read-file.ts:47
		const fileContent = await fs.readFile(resolvedPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f0b22a883c2adba Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.test.ts:29
	await fs.writeFile(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d202cde0324fa67 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.test.ts:231
			await fs.writeFile(path.join(baseDir, 'binary.dat'), Buffer.from([0xff, 0xfe, 0xfd, 0xfc]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be2c3113a19847ad Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.ts:95
				const fileContent = await fs.readFile(fullPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff3ec4046817132e Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/write-file.ts:35
		await fs.writeFile(resolvedPath, content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95ccd433e9c2c1bf Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/index.ts:18
		if (process.env.WAYLAND_DISPLAY && !process.env.DISPLAY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7c5f11308f2b4f7 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:259
	const originalWaylandDisplay = process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cf04b3b897cef50 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:260
	const originalDisplay = process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2471821833a0bf85 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:265
			delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #351749ee9efda884 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:267
			process.env.WAYLAND_DISPLAY = originalWaylandDisplay;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beacc61c30f5bae3 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:270
			delete process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d23734576c342395 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:272
			process.env.DISPLAY = originalDisplay;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f26fa238a3f14025 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:278
		process.env.WAYLAND_DISPLAY = 'wayland-0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #490b95dc144015a9 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:279
		delete process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #041a25baa7e28f8d Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:287
		delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae08228487806ea1 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:288
		process.env.DISPLAY = ':0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f57bba8bb3f2fa0 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:297
		delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0df28a0115a98c7 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:298
		process.env.DISPLAY = ':0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/mcp-apps

npm first-party
medium telemetry production #62dc4b8169406187 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:120
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDER_FAILED, {
			...getPreviewTelemetryPayload(),
			reason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bee0ae8b35e5e22c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:129
		telemetry.track(
			WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDERED_SUCCESSFULLY,
			getPreviewTelemetryPayload(),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8e142c048da3bd29 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:147
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.OPEN_IN_N8N_CLICKED, {
			...getPreviewTelemetryPayload(),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3fc11da69be95e1a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:193
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_COMPLETED, {
			...getPreviewToolCallTelemetryPayload(requestId),
			duration_ms: Math.max(0, Math.round(performance.now() - startedAt)),
			outcome,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #49dd4f636d3ac320 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:212
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_CRASHED, {
			...getPreviewTelemetryPayload(),
			...(message ? { error_message: sanitizeTelemetryErrorMessage(message) } : {}),
			source: WORKFLOW_PREVIEW_CRASH_SOURCES.PREVIEW_IFRAME_ERROR,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f4fde2d60718976e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:234
		telemetry.track(
			WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_REQUESTED,
			getPreviewToolCallTelemetryPayload(requestId),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ee2f76286fda037 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/composables/use-mcp-app-crash-telemetry.ts:33
		telemetry.track(event, {
			app,
			...getMcpClientTelemetryProperties(hostVersion.value),
			error_message: sanitizeTelemetryErrorMessage(getErrorMessage(error)),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #756180ee43846361 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/composables/use-mcp-app-telemetry.ts:48
			telemetry.track(events.renderFailed, {
				app,
				...getMcpClientTelemetryProperties(hostVersion.value),
				error_message: getConnectionErrorReason(connectionError.value),
				reason: renderFailedReason,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #537a7e5da7e0aeb9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:54
		telemetry.track('Test event', { boot_ms: 42 });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #89bdb36ce2ba80ce Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:70
		telemetry.track('Test event', {
			apiKey: 'secret-api-key',
			error_message: 'Authorization: Bearer abc.def-ghi_jkl/mno=',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #254318ed81c3ce2d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:93
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7211df3af358d260 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:103
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4e9f7ee70d8d7657 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:111
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bc019695083cd784 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:118
		telemetry.track('Test event', { reason: 'x' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #80625a97639a396a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.ts:88
			this.rudderStack?.track(
				event,
				{
					...sanitizedProperties,
					instance_id: this.config.instanceId,
					version_cli: this.config.versionCli,
				},
				// Send a fake IP so RudderStack does not capture the user's real one.
				{ context: { ip: '0.0.0.0' } },
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 2 low-confidence finding(s)
low env_fs production #fc16d6cabd0d3cb4 Filesystem access.
repo/packages/@n8n/mcp-apps/src/server/resource-loader.ts:35
	const html = await readFile(join(getPackageRoot(), 'dist', 'apps', fileName), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab315b33bdf8f83a Filesystem access.
repo/packages/@n8n/mcp-apps/src/server/sdk-version.test.ts:31
			const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) as PackageJson;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/agents

npm first-party
medium telemetry test-only #9297c659487dfe86 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:10
		tracker.track(inner);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #98f1c52ece0a1423 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:34
		tracker.track(a);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #85f03dc388620de3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:35
		tracker.track(b);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #a915f9621ef28bf2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:46
		tracker.track(rejected);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #344dd5183cd25066 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:58
		tracker.track(inner);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #db6e9a7f4c765684 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:67
		tracker.track(Promise.resolve());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #78cad6dad7a0426e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/loop/agent-runtime.ts:669
		this.backgroundTasks.track(titlePromise);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7e7760e143a59b89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/memory/memory-orchestrator.ts:373
		this.backgroundTasks.track(queued);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1a0aed9afbbe4aa0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/memory/scoped-memory-task-runner.ts:130
		this.tracker.track(queued);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 92 low-confidence finding(s)
low env_fs test-only #6111b787f2dddc56 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/fixtures/generate-bulk-vector-fixture.ts:87
	if (!process.env.OPENAI_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88cf25ca953ad985 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/fixtures/generate-bulk-vector-fixture.ts:139
	await writeFile(OUT_PATH, JSON.stringify(fixture));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7e6c5f2b01b4f6d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-pinecone.test.ts:21
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89c140e6a4fa90c0 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-pinecone.test.ts:22
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #deefcc2c48e60dbc Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-postgres.test.ts:20
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1222f2244668f56 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-postgres.test.ts:21
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #444fe89b4d75773e Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:18
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64f8f5b7a74cd87e Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:19
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #139c3e78a71e43ce Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:20
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20908ce45847dc08 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:21
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #95f45906514f8003 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:22
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ee6af7853ff3f85 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:23
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f85b21ef134e52f2 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:24
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8f1ac2a456f4b87 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/helpers.ts:24
		return Boolean(process.env[envVar]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e3e680783c3f956 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/helpers.ts:26
	const isReplayMode = Boolean(process.env.CI);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #540ba3fcac00e3b3 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/pg-vector-store.test.ts:14
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8cbdc85c1f43efd8 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/pinecone-vector-store.test.ts:17
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9d195a94a8b27ef Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/qdrant-vector-store.test.ts:14
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e650ce7fb0cc942 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/qdrant-vector-store.test.ts:15
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0e1bc93475f275c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:22
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b197412e2f39091 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:23
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #902633636f1b198e Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:24
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cce03a51b014d1b1 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:36
		previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b41384a12f65a5c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:37
		process.env.LANGCHAIN_TRACING_V2 = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa0eeb70136cd857 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:68
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #233a6c271ed48c84 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:70
			process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc76b0ba10ba30a2 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vcr.ts:13
export const IS_RECORD_MODE = process.env.VCR_MODE === 'record';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe943eacb2cf42c7 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vcr.ts:19
export const IS_REPLAY_MODE = Boolean(process.env.CI);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9a7f0f95e25c696c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-pinecone.test.ts:21
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03c1569d41eb4697 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-postgres.test.ts:20
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #baa15af58c2cf471 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-qdrant.test.ts:19
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb2c836581e82bf5 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-qdrant.test.ts:20
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc8a2d0cb03fb38d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:22
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c986c85367d9af0d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:23
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3321d045396bf90c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:24
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a80122744c145311 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-helpers.ts:43
		readFileSync(path.resolve(__dirname, '../fixtures/bulk-vector-fixture.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93a426401f29fd9b Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:113
		await memFs.writeFile('/project/index.ts', 'console.log("hello")');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7aedd823fc71a431 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:114
		await memFs.writeFile('/project/README.md', '# Project');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7beac240d3a5d639 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:176
		await memFs.writeFile('/data.json', '{"key": "value", "count": 42}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #445069881948f3a1 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:206
		await memFs.writeFile('/project/source.txt', 'alpha');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c718dcffa2b6d569 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:207
		await memFs.writeFile('/project/remove-me/old.txt', 'remove this');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ceb60f08bffa22b0 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:296
		await memFs.writeFile(
			'/project/config.ts',
			[
				'export const region = "OLD_REGION";',
				'export const owner = "OLD_OWNER";',
				'export const status = "OLD_STATUS";',
			].join('\n'),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #500d6ba38f8c0e74 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:76
	const previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a91dd9e58a5be9ec Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:89
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c686c90a351fb1ba Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:94
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8e0e92970972dc8 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:96
			process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #000be9c92064fe2c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:132
		expect(process.env.LANGCHAIN_TRACING_V2).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f21e35fb2bd59e7 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/base-filesystem.test.ts:211
			const content = await fs.readFile('/test');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5caf4ddae7a47a43 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/base-filesystem.test.ts:221
			await expect(fs.readFile('/test')).rejects.toThrow();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #470bef7a4e50f352 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/daytona-sandbox.test.ts:549
		await expect(filesystem.readFile('/workspace/file.txt')).resolves.toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #739850765942a9ae Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/n8n-sandbox-filesystem.test.ts:62
		await filesystem.writeFile('/workspace/nested/file.txt', 'hello', { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8bd1d683791d4eb8 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/n8n-sandbox-filesystem.test.ts:76
		const content = await filesystem.readFile('/workspace/file.txt', { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16e33b7ba2f9ba95 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/test-utils.ts:93
		const content = await this.readFile(src);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64703c8409f09f9e Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/test-utils.ts:94
		await this.writeFile(dest, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34ce41766a491ef8 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:215
			await memFs.writeFile('/log.txt', 'line1\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a47657ef82910672 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:218
			const content = await memFs.readFile('/log.txt', { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08a11fc2419af834 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:223
			await memFs.writeFile('/original.txt', 'original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5e25a72901e29a0 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:226
			expect(await memFs.readFile('/copy.txt', { encoding: 'utf-8' })).toBe('original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad26a54c0d6552f Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:230
			expect(await memFs.readFile('/moved.txt', { encoding: 'utf-8' })).toBe('original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c85de2001b56b38a Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:235
			await memFs.writeFile('/deep/nested/file.txt', 'data');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #481d1b3a81455463 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:244
			await expect(memFs.readFile('/nonexistent')).rejects.toThrow('ENOENT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c4f334a052d2021 Environment-variable access.
repo/packages/@n8n/agents/src/integrations/langsmith.ts:361
		process.env.LANGCHAIN_TRACING_V2 ??= 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e237e229e9011a15 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:195
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6a75270c0196256 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:196
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8e741834365d98d Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:282
		process.env.HTTPS_PROXY = 'http://proxy:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70efc94e2b3bd884 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:289
		process.env.HTTP_PROXY = 'http://proxy:9090';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c476abca2f3bd7b8 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:308
		process.env.HTTPS_PROXY = 'http://https-proxy:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c951565365309ed Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:309
		process.env.HTTP_PROXY = 'http://http-proxy:9090';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02c1152456ec3e15 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/model/model-factory.ts:40
	const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #50115e75216906bd Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/agents/src/sdk/catalog.ts:129
	const response = await fetch(MODELS_DEV_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #82d6694a93d5f783 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:1
import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #250ae095957343ea Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:277
			writeFileSync(
				join(skillDir, 'SKILL.md'),
				`---
name: workflow-builder
description: Build workflows.
---

Use the workflow SDK.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a5a3099fac1f272 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:286
			writeFileSync(join(skillDir, 'references', 'guide.md'), 'Guide text');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad842ab371a2bc81 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:287
			writeFileSync(join(skillDir, 'examples', 'slack.workflow.ts'), 'export default {};');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b3a101211e32a40 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:329
			writeFileSync(
				join(intentSkillDir, 'SKILL.md'),
				`---
name: intent-recognition
description: Classify intent.
---

Classify automation intent.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c96a36e8fd2d440 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:338
			writeFileSync(join(intentSkillDir, 'references', 'taxonomy.md'), 'Taxonomy text');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6d146f8a751d0ca Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:339
			writeFileSync(
				join(workflowSkillDir, 'SKILL.md'),
				`---
name: workflow-builder
description: Build workflows.
---

Use the workflow SDK.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ddb4a8e68985ab2 Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:3
import { existsSync, lstatSync, readdirSync, readFileSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14103d7c1299ec5a Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:115
				content: readFileSync(join(skill.directory, normalizedPath), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e120594209cf818e Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:131
		const content = readFileSync(skillPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d29e1ffe9c9f9039 Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:317
			sha256: createHash('sha256').update(readFileSync(abs)).digest('hex'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afe085f7e6b77450 Filesystem access.
repo/packages/@n8n/agents/src/workspace/filesystem/n8n-sandbox-filesystem.ts:49
		const content = await client.readFile(sandboxId, path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9aea9d060403623b Filesystem access.
repo/packages/@n8n/agents/src/workspace/filesystem/n8n-sandbox-filesystem.ts:65
		await client.writeFile(sandboxId, path, content, options?.overwrite ?? true);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f147761a5c399e85 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/batch-str-replace-file.ts:61
				const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1c4594ea38e3a9d Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/batch-str-replace-file.ts:74
				await filesystem.writeFile(input.path, editedContent, { overwrite: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5820b3e45fa5b76 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/read-file.ts:22
			const content = await filesystem.readFile(input.path, {
				encoding: (input.encoding ?? 'utf-8') as BufferEncoding,
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae226d1a6d07ff44 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/str-replace-file.ts:38
				const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a5b53527930495a Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/str-replace-file.ts:51
				await filesystem.writeFile(input.path, editedContent, { overwrite: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f76af319347e897f Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/write-file.ts:26
			await filesystem.writeFile(input.path, input.content, { recursive: input.recursive });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c144279e5318326f Filesystem access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:11
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6537780acd32550f Environment-variable access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:174
	process.env.OPENAI_API_KEY = 'sk-proj-1234567890';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c159be355aad0f8c Environment-variable access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:175
	process.env.ANTHROPIC_API_KEY = 'sk-proj-1234567890';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/errors

npm first-party
medium telemetry production #2148e94b36b727f0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/errors/src/application.error.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e7bf1f39908c0162 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/errors/src/types.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

first-party (npm): packages/@n8n/task-runner

npm first-party
medium telemetry test-only #d6dfe88a3e653567 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/task-runner/src/__tests__/task-runner-sentry.test.ts:1
import type { ErrorEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35f63eebf84f6bb7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/task-runner/src/task-runner-sentry.ts:2
import type { ErrorEvent, Exception } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 6 low-confidence finding(s)
low env_fs test-only #033fad396a51cf35 Environment-variable access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts:508
				process.env.N8N_RUNNERS_TASK_BROKER_URI = 'http://127.0.0.1:5679';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #445a802e085730e1 Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts:1098
		const packageJson = JSON.parse(fs.readFileSync('package.json', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9cc1c4da7ce23b70 Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/require-resolver-global-modules.test.ts:39
		fs.writeFileSync(
			scriptPath,
			`const Module = require("module");
if (process.env.NODE_PATH) { Module._initPaths(); }
try {
  require("${packageName}");
  console.log(JSON.stringify({ success: true }));
} catch (e) {
  console.log(JSON.stringify({ success: false, error: e.message }));
}`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66e1bd10aa426275 Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/require-resolver-global-modules.test.ts:51
		fs.writeFileSync(
			scriptNoInitPath,
			`process.env.NODE_PATH = "${nodeModulesPath}";
try {
  require("${packageName}");
  console.log(JSON.stringify({ success: true }));
} catch (e) {
  console.log(JSON.stringify({ success: false, error: e.message }));
}`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ecbdf27c39187a0 Environment-variable access.
repo/packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts:193
		if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #856d55b6968adb59 Environment-variable access.
repo/packages/@n8n/task-runner/src/start.ts:14
if (process.env.NODE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/nodes-langchain

npm first-party
medium telemetry production #4b580b49ec336a36 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:32
	temp.track();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 9 low-confidence finding(s)
low env_fs production #1ab10e0b07a26778 Filesystem access.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30957fc4a5a2ce83 Filesystem access.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:35
	fs.writeFileSync(tempDbPath, bufferString);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #6312cf5ab4509490 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:304
			const url = new URL('https://my-mcp-endpoint.ai/sse');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #852996c547a78935 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:356
			const url = new URL('https://my-mcp-endpoint.ai/sse');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ae233d4a659f03ae Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:2036
			await expect(customFetch!(new URL('https://allowed.example/sse'), {} as any)).rejects.toThrow(

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #3fc7b59c82e36184 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/__tests__/microsoft-utils.test.ts:573
			process.env.ENABLE_OBSERVABILITY = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #49006599e41e5787 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/__tests__/microsoft-utils.test.ts:574
			process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67d3a1563a4428a7 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/microsoft-utils.ts:334
		process.env.ENABLE_OBSERVABILITY === 'true' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27ca879f458fc955 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/microsoft-utils.ts:335
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/workflow

npm first-party
medium telemetry production #55c12fd87e0de2ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/workflow/src/errors/base/base.error.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 4 low-confidence finding(s)
low env_fs production #ac4a7def0e557598 Environment-variable access.
repo/packages/workflow/src/expression.ts:552
						env: process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false' ? {} : process.env,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecc8972e2a13afd9 Filesystem access.
repo/packages/workflow/src/interfaces.ts:7
import type { PathLike } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #add447f56830f63d Environment-variable access.
repo/packages/workflow/src/workflow-data-proxy-env-provider.ts:16
		? process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #292e074c0c1095f0 Environment-variable access.
repo/packages/workflow/stryker.config.mjs:30
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/ai-utilities

npm first-party
expand_more 61 low-confidence finding(s)
low env_fs production #76e24980998ff76f Environment-variable access.
repo/packages/@n8n/ai-utilities/integration-tests/openai.ts:136
			if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c00b97b68fa81ac Filesystem access.
repo/packages/@n8n/ai-utilities/scripts/copy-tokenizer-json.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #cca9eb66d9989032 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/follow-redirects.test.ts:149
		const url = new URL('https://example.com');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #4c2561b7305c5f32 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:27
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #efb30e47ca6b828d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:28
		delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca3e91d915834be6 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:29
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c95c411eecff22c9 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:30
		delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3abf8b442d2fd5b4 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:31
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d99260f809b8aae9 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:32
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a34e7453ed91e88f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:33
		delete process.env.N8N_AI_TIMEOUT_MAX;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31d1c0142bfe2c5b Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:59
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c57ddec525b9dda Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:76
			process.env.https_proxy = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9d08a2262e8c710 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:89
			process.env.HTTP_PROXY = 'http://http-proxy.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e64fb08e299a95c Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:90
			process.env.http_proxy = 'http://http-proxy-lowercase.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16e1994bb830680d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:91
			process.env.HTTPS_PROXY = 'https://https-proxy.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab3bb80e222ace3c Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:92
			process.env.https_proxy = 'https://https-proxy-lowercase.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6608640cc5327d47 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:108
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #038095cccca0f87e Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:117
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb10bfc0091cbd84 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:127
			process.env.HTTP_PROXY = httpProxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2903d57cebe6e5d5 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:128
			process.env.HTTPS_PROXY = httpsProxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #407c31179a29ea07 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:137
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55d96107d3295ae1 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:138
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #efd216c81aa6e208 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:148
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54f33d8c4859e0f2 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:149
			process.env.NO_PROXY = '*.internal.company.com,localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29002a8c5f8cea0c Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:159
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eafbcd5c905a7c2e Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:160
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce837c958d27ebf0 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:169
			process.env.https_proxy = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b9c783a04049d35 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:170
			process.env.no_proxy = 'localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1f18eaa00a8b945 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:181
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #128871df924975d4 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:235
			process.env.N8N_AI_TIMEOUT_MAX = '300000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f635d574904e0c0 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:259
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de2c94cc0b9014c0 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:260
		delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3885bf24df163f04 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:261
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1adcd2271f02ecbc Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:262
		delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71cd3289a0bfc137 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:263
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4d3cbac2d392bf8 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:264
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #dbf9dcccacc88866 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:318
			const url = new URL('https://api.openai.com/v1');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #64e6476eedecb50e Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:343
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e57b669e520248b Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:356
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5fbc8d6483e615b8 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:375
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #0bad45992194fb8d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:377
			const url = new URL('http://api.example.com/data');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #cc37f6cef9f11480 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:388
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f10ade7463d90c21 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:401
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ea2e209149e2988 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:402
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd18ae7e2e4dadc1 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:415
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed349dc9c4fc96d7 Filesystem access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/n8n-binary-loader.real-pdf.test.ts:31
		const pdfBuffer = readFileSync(
			join(__dirname, '../../../../../nodes-base/nodes/ReadPdf/test/sample.pdf'),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #819149d6156f0d73 Filesystem access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/tokenizer/tiktoken.test.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38d2342bbffa1408 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:14
		writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66cffca5b53dcd18 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:15
		writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b62bd88f97af5c0 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:19
		writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #715a36d646bd0586 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:20
		writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #691502cf63544214 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/get.ts:531
				(variant) => `// ── mode: ${variant.mode} ──\n${readFileSync(variant.filePath, 'utf-8')}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d87260e6196f555 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/get.ts:555
		const content = readFileSync(pathResult.filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c90366c1db688433 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/http-proxy-agent.ts:37
const DEFAULT_TIMEOUT = parseInt(process.env.N8N_AI_TIMEOUT_MAX ?? '3600000', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5df72f221fbff4a Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/n8n-binary-loader.ts:8
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fd4df4829d6c7fb Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/tokenizer/tiktoken.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2343f1e77abca3c4 Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/tokenizer/tiktoken.ts:11
	const content = await readFile(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #955206b39ba40657 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:13
	if (process.env.N8N_VECTOR_STORE_MAX_MEMORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #835e9839d13d65aa Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:14
		const parsed = parseInt(process.env.N8N_VECTOR_STORE_MAX_MEMORY, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e3130ab456c93cc Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:22
	if (process.env.N8N_VECTOR_STORE_TTL_HOURS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a20dba637a7582f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:23
		const parsed = parseInt(process.env.N8N_VECTOR_STORE_TTL_HOURS, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/ai-workflow-builder.ee

npm first-party
expand_more 63 low-confidence finding(s)
low env_fs test-only #39f7969d61a126b8 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/cli.test.ts:402
				delete process.env.LANGSMITH_DATASET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8df5f358c79dfcaa Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/csv-prompt-loader.test.ts:18
		fs.writeFileSync(csvPath, content, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9a932ed0480e4a27 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:5
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #096e8ffa827f3e96 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:157
			expect(fs.readFileSync(promptPath, 'utf-8')).toBe('Create a test workflow');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9eeb61404746dd6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:170
			const workflow = jsonParse<ParsedWorkflow>(fs.readFileSync(workflowPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba928696e2805f10 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:186
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf34ca16f337a65a Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:200
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e627268fa900389 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:222
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dd8bee020c0fa613 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:242
			expect(fs.readFileSync(errorPath, 'utf-8')).toBe('Generation failed: timeout');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a610809387a18f28 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:271
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f2ef7e00929512d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:288
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddb7db063c208903 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:321
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2858904e6bab6012 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:333
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ccc6dcc8d8bff9c Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:346
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71fda47242b855b8 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:361
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3984086abeb4fe5 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:388
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d2c52a5a49da8c0 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/argument-parser.ts:602
	return process.env.LANGSMITH_DATASET_NAME ?? 'workflow-builder-canvas-prompts';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #424790b7052ae26d Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:27
	const isCI = process.env.GITHUB_ACTIONS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1abddadcd5cbba2d Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:35
		trigger: process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6f5ad822d6a2a38 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:36
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edcf23ed44ccca9b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/csv-prompt-loader.ts:49
	const rows = parseCsv(readFileSync(resolvedPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d7213be5b7c6084a Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:71
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb1f2f8bf52e995b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:112
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7fc6806cae84be48 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:187
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27265c3f395d9e81 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:212
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21999535fd7be424 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:267
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be86e7503661959e Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:322
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f3ad4fb54cbb4f7 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:363
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f76cdf154616ec7 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:392
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d802a245978523cb Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:429
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cea21a440c8808f3 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/csv-writer.ts:254
		writeFileSync(outputPath, '', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70026d22c46f8c9b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/csv-writer.ts:306
	writeFileSync(outputPath, lines.join('\n') + '\n', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83bf31b87ee024a3 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:8
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #486b04558941c0e3 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:67
			fs.writeFileSync(path.join(exampleDir, 'prompt.txt'), result.prompt, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d8a2e12a5355fd6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:72
				fs.writeFileSync(
					path.join(exampleDir, 'workflow.json'),
					JSON.stringify(workflowForExport, null, 2),
					'utf-8',
				);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f530ff645016fcc3 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:81
				fs.writeFileSync(path.join(exampleDir, 'code.ts'), result.generatedCode, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a2f89ad2e4e90eb Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:86
				fs.writeFileSync(path.join(exampleDir, 'response.txt'), result.agentTextResponse, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d797dcf4984d107d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:91
			fs.writeFileSync(
				path.join(exampleDir, 'feedback.json'),
				JSON.stringify(feedbackOutput, null, 2),
				'utf-8',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #753df651049cef76 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:99
				fs.writeFileSync(path.join(exampleDir, 'error.txt'), result.error, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #197e9897d2060943 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:107
			fs.writeFileSync(
				path.join(outputDir, 'summary.json'),
				JSON.stringify(summaryOutput, null, 2),
				'utf-8',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #967c2044a8a5650e Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/runner.ts:1362
	process.env.LANGSMITH_TRACING = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64ad8e4862d65682 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/langsmith/trace-filters.ts:154
	const envValue = process.env.LANGSMITH_MINIMAL_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ec3657e077eef40 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/lifecycles/introspection-analysis.ts:63
				await fs.writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #810718e1e996891d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/evaluators/workflow-similarity.ts:111
			writeFile(generatedPath, JSON.stringify(generatedWorkflow)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6631a4e8a3de7e1a Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/evaluators/workflow-similarity.ts:112
			writeFile(groundTruthPath, JSON.stringify(groundTruthWorkflow)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a72e453584aefe8a Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:4
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d1c09cac06b3307 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:87
	const apiKey = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #519a9c15e1da8087 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:151
	const apiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f2b40cd08d6e2fd Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:297
	const envConcurrency = process.env.EVALUATION_CONCURRENCY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bf3ce051a43efee Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:312
	return process.env.GENERATE_TEST_CASES === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #465e9df924364d68 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:320
	const envCount = process.env.GENERATE_TEST_CASES_COUNT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56fbb07faa03d651 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.test.ts:1
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d2ed7d48497d02c Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:1
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daba25d2a4487696 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:20
	const disabledNodesEnv = process.env.N8N_EVALS_DISABLED_NODES ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6300b212741ac6dc Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:72
	const nodesData = readFileSync(nodesPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d43c0d3c8d2d0ab6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:3
import { writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f98ddd7e468486b Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:31
	const parsedConcurrency = parseInt(process.env.CONCURRENCY ?? '', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #177812a5d1237de6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:154
	writeFileSync(summaryPath, summaryLines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4203197e22a23221 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:3
import { readFileSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3138cea44609849f Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:132
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60e61eb2c07d2a95 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:204
		writeFileSync(outputFile, markdownContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d15f6deba182cbc Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/src/ai-workflow-builder-agent.service.ts:146
			const envConfig = { apiKey: process.env.N8N_AI_ANTHROPIC_KEY ?? '' };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaec946099bee7e8 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/src/tools/add-node.tool.ts:165
				if (process.env.E2E_TESTS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/api-types

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #d16037e75ca2bd32 Environment-variable access.
repo/packages/@n8n/api-types/src/schemas/password.schema.ts:6
const envMinLength = parseInt(process.env.N8N_PASSWORD_MIN_LENGTH ?? '', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-common

npm first-party
expand_more 13 low-confidence finding(s)
low env_fs test-only #282f2be2bbb7d7ef Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:528
			delete process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a6969fbc6a1c7727 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:564
			process.env.NO_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7421d2c7984e402e Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:590
			delete process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17b18eee412207e1 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/logger.ts:35
	private readonly noColor = process.env.NO_COLOR !== undefined && process.env.NO_COLOR !== '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #772b18f2028a4687 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/logger.ts:39
		process.env.NO_COLOR !== 'false' && process.env.NO_COLOR !== '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10a8975feac2f2d5 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:22
		process.env.N8N_DISABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b28a599e4ca2755 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:55
		process.env.N8N_ENABLED_MODULES = 'instance-ai';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df6501ab36a61440 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:90
		process.env.N8N_ENABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f187c8eb5ec1913 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:91
		process.env.N8N_DISABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e48aa8551663a518 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/modules.config.test.ts:13
	process.env.N8N_ENABLED_MODULES = 'insights,invalidModule';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac436b9f27130f28 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/modules.config.test.ts:18
	process.env.N8N_DISABLED_MODULES = 'insights,invalidModule';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d482f2db716be929 Filesystem access.
repo/packages/@n8n/backend-common/src/modules/module-registry.ts:5
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73a03245f286eedd Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/module-registry.ts:96
			const dir = process.env.NODE_ENV === 'test' && srcDirExists ? 'src' : 'dist';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-network

npm first-party
expand_more 116 low-confidence finding(s)
low env_fs test-only #314cf921cba40d6a Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:98
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03f87e8d27e9b02b Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:99
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9335f8157f39feea Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:100
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #feef4ec54b7e47de Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:101
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b11a662c5cc142e7 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:216
		if (env.HTTP_PROXY) process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d95b585e0f8d80ec Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:217
		if (env.HTTPS_PROXY) process.env.HTTPS_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ca1799b97ed2245 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:218
		if (env.ALL_PROXY === true) process.env.ALL_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faa451e2f65aad8e Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:219
		if (env.ALL_PROXY && env.ALL_PROXY !== true) process.env.ALL_PROXY = env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1118d0138a307b1f Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:220
		if (env.NO_PROXY) process.env.NO_PROXY = env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d8322fbbca5f168 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:240
			process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51b544037fbf2a00 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:256
			process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #72f2aa56349edc6f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/backend-network/src/http/__tests__/legacy-request.test.ts:227
			expect(validateUrl).toHaveBeenCalledWith(new URL(`${baseUrl}/ok`));

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #9f6ca98683e937e1 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/backend-network/src/http/__tests__/outbound-http.test.ts:71
		const url = new URL('https://api.example.com/data');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #ae9729b4afcec910 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:61
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8dfa3abf56b7440e Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:62
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13e83ed89182a823 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:63
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2cd037358f1d5f2 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:64
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c52128194ca1931 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:86
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9d50d30088a656a Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:111
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4dd3fcfbb783192a Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:112
			process.env.NO_PROXY = '127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a6f60a4bfc9ef78 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:146
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc01099ae738c62f Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:172
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa77ac951d54a6ba Filesystem access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-subpath-purity.test.ts:69
		const source = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #488096d2c96038f8 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:75
			savedEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9aa0df20e8fdee6 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:79
		process.env.HTTP_PROXY = 'http://127.0.0.1:1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4c85b9c1c15fa7d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:80
		process.env.HTTPS_PROXY = 'http://127.0.0.1:1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b91f6553c97068d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:81
		process.env.NO_PROXY = '127.0.0.1,localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76c7ce807db03093 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:89
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ef4329138d05ee1 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:91
				process.env[key] = savedEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70db727171ed5fcd Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:577
			if (isProxyVar(key)) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #714227f8cb79cfa6 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:598
		process.env.HTTPS_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33e6d38090948c69 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:603
		process.env.HTTP_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38fca5aceeb1ea89 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:608
		process.env.HTTP_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #669c81f9b9e9c801 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:613
		process.env.HTTP_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad1bd0579b93f98d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:614
		process.env.HTTPS_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #129ca4166c0a3d84 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:12
			HTTP_PROXY: process.env.HTTP_PROXY ?? process.env.http_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc6f3acc4cd48524 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:13
			HTTPS_PROXY: process.env.HTTPS_PROXY ?? process.env.https_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6963419e268cd449 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:14
			NO_PROXY: process.env.NO_PROXY ?? process.env.no_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46442cc5b282889d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:15
			ALL_PROXY: process.env.ALL_PROXY ?? process.env.all_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e8dc072cf7d1668 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:6
	const originalNoProxy = process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44a13fa1eb3c976c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:7
	const originalNoProxyLower = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fec330f1518cf3f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:11
			delete process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b079f100f0e754a2 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:13
			process.env[name] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78a2f2abe5420bfe Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:20
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #289d31a407e0f4d1 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:33
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2aeda3a4deac3254 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:37
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b59b47d4b152f9f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:40
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faa298f66d9b62b4 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:44
		process.env.NO_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8fd44e42e7a1060 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:48
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d02ac1d9a5ec04dd Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:51
		expect(process.env.NO_PROXY).toBe('');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a776167d224a5aa Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:55
		process.env.NO_PROXY = 'example.com,internal.net';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0da72a6e24732ecc Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:59
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com,internal.net');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28e0d8f72a0aae2d Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:62
		expect(process.env.NO_PROXY).toBe('example.com,internal.net');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f047b6c54781eae1 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:66
		process.env.NO_PROXY = '127.0.0.1, localhost, example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c1d4c8e25972ce7 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:70
		expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f4d7cc5d59a2593 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:73
		expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0af76e82003c817f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:77
		process.env.NO_PROXY = '127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51b2cf8f239a608e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:81
		expect(process.env.NO_PROXY).toBe('localhost,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75c15f2062e569a9 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:84
		expect(process.env.NO_PROXY).toBe('127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57eafed7abdaf125 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:88
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b05ae4db07d49245 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:93
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #533eb5b3350ab6f1 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:94
		expect(process.env.no_proxy).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d25780029898aa57 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:97
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #def7d3d9ac4d35f5 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:98
		expect(process.env.no_proxy).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #152bb0cb748e4eee Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:102
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2264a5b15b924472 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:103
		process.env.no_proxy = 'internal.lan';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c170edf99cacbbe Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:108
		expect(process.env.no_proxy).toBe('127.0.0.1,localhost,internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #458a782545c42d92 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:109
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #592ea28e9afd7474 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:112
		expect(process.env.no_proxy).toBe('internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f38c56f5fe005112 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:113
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8420388b3f4aeabb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:117
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c8ef6262a701a03 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:127
			process.env.NO_PROXY = 'example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13b146a81468882f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:130
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cfa8a5940376ed48 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:135
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1dda4c1f854504e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:139
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d49853246b09fef Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:143
			expect(process.env.NO_PROXY).toBe('example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faecebb38c7d92ef Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:147
			process.env.NO_PROXY = 'example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bc2848e7e2e2ab5 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:154
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #145a01e06ac5537c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:157
			expect(process.env.NO_PROXY).toBe('example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71315d09db6f2015 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:161
			delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e28ce3658c91fed Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:164
			expect(process.env.NO_PROXY).toBe('127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c587915b6a8bf34e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:167
			expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09bcb878e9ae6400 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:171
			expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39dfe70b9c9cb0d5 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:178
			delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e38fe71fbe04757 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:182
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc5acc8f70bd3808 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:185
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #405ee3ec7fb56f03 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:192
			process.env.NO_PROXY = 'first.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a74c9e369841affb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:195
			expect(process.env.NO_PROXY).toBe('first.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63b001f8d29921cc Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:199
			process.env.NO_PROXY = 'second.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8932acdaf3b13718 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:201
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,second.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #859e770fe89023ea Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:204
			expect(process.env.NO_PROXY).toBe('second.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0581241accd63377 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:7
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70ef53b9c59d2443 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:8
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0a9d46af137a36c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:9
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba743f2bd99e46c7 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:10
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e2047111945f7f5 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:14
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6219b984f38a83a4 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:24
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7367cee28c3e2a43 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:25
		process.env.NO_PROXY = 'api.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c994452bb22f26e9 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:31
		process.env.ALL_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #00a555cc088a9e2c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:37
		process.env.HTTPS_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6c571a0884b99c7 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:43
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fec7ff977497a672 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:44
		process.env.NO_PROXY = 'api.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44ba0b46ec586933 Filesystem access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-subpath-purity.test.ts:73
		const source = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #627007320ee6bebc Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:38
		value: process.env[name],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94db2bf424d693cd Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:44
		delete process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d96371895655ea2 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:46
		process.env[name] = captured.value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15d292dd89b02ada Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:55
	const lower = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5795b6ea40365bcf Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:57
	const upper = process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17b40f8e58a0a117 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:101
		process.env.NO_PROXY = merged;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc37ab5c3c00cff Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:102
		process.env.no_proxy = merged;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96e47946abb39e95 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:74
		process.env.HTTP_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #203b844f9d7c9ceb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:75
		process.env.http_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e457405413a2ddef Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:76
		process.env.HTTPS_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d919dba35ee7cc2 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:77
		process.env.https_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77d2a95d45571027 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:78
		process.env.ALL_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cbaf91213e9c02c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:79
		process.env.all_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-test-utils

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #6ad91f7196ff289c Environment-variable access.
repo/packages/@n8n/backend-test-utils/src/test-db.ts:45
	const templateDb = dbType === 'postgresdb' ? process.env.N8N_TEST_TEMPLATE_DB : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/benchmark

npm first-party
expand_more 24 low-confidence finding(s)
low env_fs test-only #67f4d8a597396d97 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:37
	const n8nTag = argv.n8nDockerTag || process.env.N8N_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9ca6ad696131247 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:38
	const benchmarkTag = argv.benchmarkDockerTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50cb3d1e62cb8aa5 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:39
	const k6ApiToken = argv.k6ApiToken || process.env.K6_API_TOKEN || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7eec8a3bd4bed0fe Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:41
		argv.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ec1718ee9c78872 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:43
		argv.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d48e0c6605bb8656 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:44
	const baseRunDir = argv.runDir || process.env.RUN_DIR || '/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53d86a23ae1620c4 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:45
	const n8nLicenseCert = argv.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #260eb6e6afe2e316 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:46
	const n8nLicenseActivationKey = process.env.N8N_LICENSE_ACTIVATION_KEY || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c875ee102007bdcb Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:47
	const n8nLicenseTenantId = argv.n8nLicenseTenantId || process.env.N8N_LICENSE_TENANT_ID || '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a4b6dc0e09ece3d Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:76
				PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74d2d2cab26f9e95 Filesystem access.
repo/packages/@n8n/benchmark/scripts/run.mjs:9
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b4542ca9f0bcb6f Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:103
	const n8nTag = args.n8nTag || process.env.N8N_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #813fd0eeb9d288f7 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:104
	const benchmarkTag = args.benchmarkTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7960f4962cc1d687 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:105
	const k6ApiToken = args.k6ApiToken || process.env.K6_API_TOKEN || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c66d5d12e55977ef Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:107
		args.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4efd5e7ecff20bf Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:109
		args.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #98c3c2a66ae05465 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:110
	const n8nLicenseCert = args.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #236b1bc8a1a8354a Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:44
		const fileContent = fs.readFileSync(credentialFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48ee9f99915a37d9 Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:55
		const fileContent = fs.readFileSync(workflowFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e4766a8fc575a38a Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:66
		const fileContent = fs.readFileSync(dataTableFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #147bd1c54da032c6 Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-loader.ts:77
				fs.readFileSync(scenarioManifestPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6db851bc323c6a1d Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #628428d40d4f1967 Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:158
		const testScript = fs.readFileSync(fullTestScriptPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e669049be216ad7b Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:170
		const summaryReport = fs.readFileSync(summaryReportPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/config

npm first-party
expand_more 6 low-confidence finding(s)
low env_fs production #686ae9d15a936583 Environment-variable access.
repo/packages/@n8n/config/src/configs/database.config.ts:146
	const raw = process.env.N8N_DB_PING_TIMEOUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab668c356ef03992 Filesystem access.
repo/packages/@n8n/config/src/decorators.ts:3
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7554bf405100b2f3 Environment-variable access.
repo/packages/@n8n/config/src/decorators.ts:20
	if (envName in process.env) return process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b275ff787a63b12a Environment-variable access.
repo/packages/@n8n/config/src/decorators.ts:23
	const filePath = process.env[`${envName}_FILE`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f21ca4361e939504 Filesystem access.
repo/packages/@n8n/config/src/decorators.ts:25
		const value = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10673ca66d8eb38c Environment-variable access.
repo/packages/@n8n/config/src/utils/utils.ts:9
	const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/db

npm first-party
expand_more 33 low-confidence finding(s)
low env_fs production #34ef6fc7fe982cf1 Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:74
	const original = readFileSync(indexPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #017e214a1f424ab0 Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:100
	writeFileSync(indexPath, lines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34ce68a1ea4523e1 Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:129
	writeFileSync(targetFile, migrationTemplate(className));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acce6e1ca639ca32 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:55
	const args = { command: null, dbType: null, docker: !!process.env.CI };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94cf647c8eafe6a3 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:115
		process.env.DB_TYPE = 'sqlite';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de715e0981eba69f Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:116
		process.env.DB_SQLITE_DATABASE = file;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acc234e935d8b907 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:117
		process.env.DB_TABLE_PREFIX = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce923bcf29676931 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:137
	process.env.DB_TYPE = 'postgresdb';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8be53695b83b5f59 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:138
	process.env.DB_POSTGRESDB_HOST = conn.host;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9dc89c676fc69b9 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:139
	process.env.DB_POSTGRESDB_PORT = String(conn.port);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c2d04da13b364f4 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:140
	process.env.DB_POSTGRESDB_DATABASE = conn.database;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d4f5044cd9ebd64 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:141
	process.env.DB_POSTGRESDB_USER = conn.username;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6a60286fe168ca1 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:142
	process.env.DB_POSTGRESDB_PASSWORD = conn.password;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82a112908cbb881f Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:143
	process.env.DB_POSTGRESDB_SCHEMA = conn.schema;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #789890bfea40c5d6 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:144
	process.env.DB_TABLE_PREFIX = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c7925b53486ed46 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:106
const externalHost = process.env.DB_POSTGRESDB_HOST ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4f71bb01ff947ae4 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:169
				port: Number(process.env.DB_POSTGRESDB_PORT ?? '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3130f1c7ca91617 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:170
				username: process.env.DB_POSTGRESDB_USER ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a796f211ce07bda Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:171
				password: process.env.DB_POSTGRESDB_PASSWORD ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb58c3078164aafd Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:172
				database: process.env.DB_POSTGRESDB_DATABASE ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e49dd4365f20a0ce Environment-variable access.
repo/packages/@n8n/db/src/connection/db-connection.ts:60
		if (process.env.N8N_DB_PING_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cdbef0c462150d0 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:31
				readFile(this.privateKeyPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f27d6e80f8a8f132 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:32
				readFile(this.publicKeyPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31070f92a2654917 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:111
				writeFile(this.privateKeyPath, privateKey, { encoding: 'utf8', mode: 0o600 }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46ce7e54b233ad38 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:112
				writeFile(this.publicKeyPath, publicKey, { encoding: 'utf8', mode: 0o600 }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d66798d64efe9d40 Filesystem access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:6
import { readFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44c787f8e1578de3 Filesystem access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:20
		const surveyFile = readFileSync(filename, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a507747afd7fc21 Environment-variable access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:46
	if (process.env.NODE_ENV === 'test') return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0994e4aef858221e Environment-variable access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:58
	if (process.env.NODE_ENV === 'test') return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4612ae2e2d5ac839 Filesystem access.
repo/packages/@n8n/db/src/migrations/sqlite/1690000000002-MigrateIntegerKeysToString.ts:3
import { statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7e9d15c53fa3f7b Environment-variable access.
repo/packages/@n8n/db/src/migrations/sqlite/1690000000002-MigrateIntegerKeysToString.ts:191
const migrationsPruningEnabled = process.env.MIGRATIONS_PRUNING_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b127fac8ed4a077 Filesystem access.
repo/packages/@n8n/db/vite.config.ts:75
			const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd25ff23d3118c56 Filesystem access.
repo/packages/@n8n/db/vite.config.ts:93
				const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/eslint-config

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #47eb55b33e38875e Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/base.ts:418
			'unused-imports/no-unused-imports': process.env.NODE_ENV === 'development' ? 'warn' : 'error',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0acc106f7c3ad5d2 Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/base.ts:436
			'n8n-local-rules/no-skipped-tests': process.env.NODE_ENV === 'development' ? 'warn' : 'error',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f52c182f71f9bd8e Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/frontend.ts:8
const isCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/eslint-plugin-community-nodes

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #64cd5b99961a6fa3 Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:78
		const content = readFileSync(packageJsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ee739393258e33b Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:127
		const sourceCode = readFileSync(credentialFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac24e6ae3a0f2cbf Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:250
		const sourceCode = readFileSync(nodeFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/expression-runtime

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #5c043c26dd165efc Filesystem access.
repo/packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:70
			return await readFile(path.join(dir, BUNDLE_RELATIVE_PATH), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/extension-sdk

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #d22dc10da453ab37 Filesystem access.
repo/packages/@n8n/extension-sdk/scripts/create-json-schema.ts:3
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee875ade510554fa Filesystem access.
repo/packages/@n8n/extension-sdk/scripts/create-json-schema.ts:21
	await writeFile(resolve(rootDir, filepath), formattedSchema);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/json-schema-to-zod

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #cc87fdcf2d2af112 Filesystem access.
repo/packages/@n8n/json-schema-to-zod/postcjs.cjs:1
require('fs').writeFileSync('./dist/cjs/package.json', '{"type":"commonjs"}', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77fcdc3e5fcee906 Filesystem access.
repo/packages/@n8n/json-schema-to-zod/postesm.cjs:1
require('fs').writeFileSync('./dist/esm/package.json', '{"type":"module"}', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/local-gateway

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs production #ee7abe07a067abd7 Filesystem access.
repo/packages/@n8n/local-gateway/scripts/copy-assets.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6091252b8117199 Filesystem access.
repo/packages/@n8n/local-gateway/scripts/copy-renderer.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95469f5ff633c1f1 Filesystem access.
repo/packages/@n8n/local-gateway/src/main/tray.ts:33
	img.addRepresentation({ scaleFactor: 1.0, buffer: fs.readFileSync(path1x) });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2c7c6e9d1407108 Filesystem access.
repo/packages/@n8n/local-gateway/src/main/tray.ts:35
		img.addRepresentation({ scaleFactor: 2.0, buffer: fs.readFileSync(path2x) });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/mcp-browser

npm first-party
expand_more 17 low-confidence finding(s)
low env_fs test-only #2c2f9ee6a1a8a379 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:9
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1145d5d71f5d61fd Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:81
			process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'edge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #634322f1fed5669f Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:89
			process.env.N8N_MCP_BROWSER_TRANSPORT = 'stdio';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf7852b2b1b77694 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:90
			process.env.N8N_MCP_BROWSER_PORT = '4000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc1a758d303991b7 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:99
			process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #809512d5bb3f3eb7 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:100
			process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5f5c4d380df8bc8 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:112
			process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'firefox';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #606f1afd8a1ab57b Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:113
			process.env.N8N_MCP_BROWSER_PORT = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99a8e00fa01f6921 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:114
			process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59871ec141490330 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:115
			process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0377e1b75174929c Environment-variable access.
repo/packages/@n8n/mcp-browser/src/adapters/agent-browser.ts:200
			const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d74272e4ee807ec Filesystem access.
repo/packages/@n8n/mcp-browser/src/adapters/agent-browser.ts:471
			return readFileSync(path).toString('base64');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cad77f20aa21b05 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/adapters/playwright.ts:135
		const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131fdb326ec8ea2a Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:160
		const programFiles = process.env.ProgramFiles ?? 'C:\\Program Files';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6894880785d4815a Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:161
		const programFilesX86 = process.env['ProgramFiles(x86)'] ?? 'C:\\Program Files (x86)';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #604a9498074cbf4b Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:162
		const localAppData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), 'AppData\\Local');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f4be96620e2499a Environment-variable access.
repo/packages/@n8n/mcp-browser/src/server-config.ts:20
	return process.env[`${ENV_PREFIX}${envKey}`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/node-cli

npm first-party
expand_more 80 low-confidence finding(s)
low env_fs production #fc705b209c2a6161 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:21
			await fs.writeFile(`${tmpdir}/src/icons/icon.png`, 'fake-png-content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac851bb95e550ff7 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:22
			await fs.writeFile(`${tmpdir}/src/assets/logo.svg`, '<svg>fake-svg</svg>');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69465462b146f7ac Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:23
			await fs.writeFile(`${tmpdir}/src/__schema__/node.json`, '{"fake": "schema"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60868c7db7278ad4 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:66
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'regular-package',
				version: '1.0.0',
				// No n8n field - this makes it an invalid n8n package
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcf2613c1924dd6a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:95
		await fs.writeFile(`${tmpdir}/src/nodes/icons/node1.png`, 'fake-node1-png');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #429ffe4137571aca Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:96
		await fs.writeFile(`${tmpdir}/src/nodes/subdir/__schema__/schema.json`, '{"node": "schema"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eb066d62dcfbe18 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:97
		await fs.writeFile(`${tmpdir}/src/assets/images/logo.svg`, '<svg>logo</svg>');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a7ff2ab13c6ade4 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:120
		await fs.writeFile(`${tmpdir}/dist/old-file.js`, 'old content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5facb36c7faffab Filesystem access.
repo/packages/@n8n/node-cli/src/commands/cloud-support.ts:106
		await fs.writeFile(eslintConfigPath, newConfig, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c374b18ca0e73a26 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/cloud-support.ts:130
				const eslintConfig = await fs.readFile(eslintConfigPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52cd2c4ce20fc3b2 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/dev/utils.ts:568
	return await fs
		.readFile('package.json', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4eccc6c9c65f234 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:98
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'regular-package',
				version: '1.0.0',
				// No n8n field - this makes it an invalid n8n package
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2c7dd5bcc7824b8 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:171
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5d05eb499d77c5a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:187
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #170899ea6ffe5866 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.ts:85
		const expectedConfig = await fs.readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eabcb6e9ef70e5d1 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.ts:88
			const currentConfig = await fs.readFile(eslintConfigPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f1e0bc1ddcb8406 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.test.ts:10
		delete process.env.RELEASE_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea2232aec3454139 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.test.ts:28
		process.env.RELEASE_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46edd8a5b918ddb1 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.ts:17
		if (!process.env.RELEASE_MODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48748c543887d032 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:31
		delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69f673bfa6ea6274 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:32
		delete process.env.GITHUB_ACTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a258bc921176d17c Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:40
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b2a877378d827a4 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:50
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbef0bc7f733494f Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:60
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73451ca9bbb691df Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:70
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3bfb25defdcd411 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:80
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49f2884dd0574fcd Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:100
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7342528a5591b0 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:102
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f21c8d7a886631 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:112
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e32547fb48fb2869 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:126
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f0dbb1460a1bbcc Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:140
			await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25355c6003a44a22 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:145
			const content = await fs.readFile(workflowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dc899ac038bc33b Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:160
		await fs.writeFile(workflowPath, originalContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d318d64416a7cfe Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:164
		const content = await fs.readFile(workflowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7be307af9f97b694 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:172
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bd7a141e1fcc76a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:174
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8daa0ede444b6d55 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:184
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2fc8490e5221563 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.ts:56
		const isCI = Boolean(process.env.GITHUB_ACTIONS);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fc3e7a7d3e29844 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.ts:156
		const templateContent = await fs.readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a98e505348acb205 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.ts:163
		await fs.writeFile(dest, rendered);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d774f8af0031d887 Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:50
			await fs.writeFile(pkgPath, packageJsonWithOverrides);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c96a0723cd907a82 Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:61
		await fs.writeFile(pkgPath, packageJsonWithLifecycleScript);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb9717abd68dd9ba Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:71
		await fs.writeFile(pkgPath, packageJsonWithOverrides);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4190d304484755b8 Filesystem access.
repo/packages/@n8n/node-cli/src/template/core.ts:75
			const content = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dd4cd74856bcf07 Filesystem access.
repo/packages/@n8n/node-cli/src/template/core.ts:79
				await fs.writeFile(file, newContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae4d6220764d6e6a Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:53
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fad6ac06c8db843d Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:90
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6d1cede468c70ad Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:114
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea5d5f8dbdcc89aa Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:34
	await fs.writeFile(`${tmpdir}/package.json`, JSON.stringify(packageConfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5ec60095a2b8230 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:37
		await fs.writeFile(`${tmpdir}/eslint.config.mjs`, DEFAULT_ESLINT_CONFIG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5409a22758bb23b2 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:39
		await fs.writeFile(`${tmpdir}/eslint.config.mjs`, options.eslintConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #507df9d23e65de15 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/filesystem.ts:58
	await fs.writeFile(filePath, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b45a95cedd7bb94 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:20
			process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b316bb69d402c4f Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:28
			process.env.npm_config_user_agent = 'yarn/1.22.19 npm/? node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0353a5c47a11e825 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:36
			process.env.npm_config_user_agent = 'npm/9.5.1 node/v18.16.0 darwin x64 workspaces/false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bb1d795694297d8 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:44
			process.env.npm_config_user_agent = 'pnpm/8.6.0 yarn/1.22.19 npm/9.5.1 node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e3a5d36282b3ecb Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:52
			process.env.npm_config_user_agent = 'yarn/1.22.19 npm/9.5.1 node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #676e3cb33560f577 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:60
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3593f0e9921f08c8 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:68
			process.env.npm_config_user_agent = 'node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20bf9ba178316cbd Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:76
			process.env.npm_config_user_agent = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72fde680978d639c Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:86
			process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72d03c0bcd00803f Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:96
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #355beaaf9a1728ab Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:98
				await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d24e42b18fe8fbc5 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:109
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3e52c8f6ce247a2 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:111
				await fs.writeFile(`${tmpdir}/yarn.lock`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65e26d4880072c94 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:122
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5900c8fc43671f6 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:124
				await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7c2ea27c203a4a Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:133
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79d1bd4d0f4b0843 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:135
			await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #617f4914e41dac58 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:136
			await fs.writeFile(`${tmpdir}/yarn.lock`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30b3295054d4bc2b Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:137
			await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f3c27bfff840dc1 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:145
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92fcaafc4adc1e80 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:153
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8fe06995527cbf9 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.ts:7
		const ua = process.env['npm_config_user_agent'] ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e30d01c6734effb4 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package.ts:23
	const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16f9a52c71ddf17c Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package.ts:37
	const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5695d5156bf55f4b Filesystem access.
repo/packages/@n8n/node-cli/src/utils/prompts.ts:42
		const content = await fs.readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc55f817953b2734 Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:8
		reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #462c9909659fb53b Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:10
		...(process.env.COVERAGE_ENABLED === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #994424559fbc463f Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:15
						reporter: process.env.CI === 'true' ? ['cobertura'] : ['text-summary'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/scan-community-package

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #0afba499bf01ebc2 Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.mjs:3
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8e27552aeb4011b Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.test.mjs:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21b38d70124f5603 Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.test.mjs:18
		fs.writeFileSync(
			fullPath,
			typeof contents === 'string' ? contents : JSON.stringify(contents, null, 2),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/scheduler

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #8691ca5e7d306878 Environment-variable access.
repo/packages/@n8n/scheduler/stryker.config.mjs:29
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/typeorm

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #e11ee3caf0d1e58b Environment-variable access.
repo/packages/@n8n/typeorm/src/driver/postgres/PostgresDriver.ts:320
			process.env.PGTZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61db78b746ceebfa Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ddf850d3bfce10a Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:6
export { ReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac3ee22f2f709c82 Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:43
		return fs.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe973b7c8e38cb1c Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:52
			fs.writeFile(path, data, (err) => {
				if (err) fail(err);
				ok();
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6573b2246c1feddf Environment-variable access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:72
		return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1142896b982d759f Filesystem access.
repo/packages/@n8n/typeorm/src/util/ImportUtils.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcd7d4fe01a525e3 Filesystem access.
repo/packages/@n8n/typeorm/src/util/ImportUtils.ts:57
						fs.readFile(potentialPackageJson, 'utf8', (err, data) => {
							if (err != null) accept(null);
							else {
								try {
									accept(JSON.parse(data));
								} catch (err) {
									accept(null);
								}
							}
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/vitest-config

npm first-party
expand_more 7 low-confidence finding(s)
low env_fs production #2a7a203568b5e24d Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:29
			reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a9a9a8950493816 Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:47
	if (process.env.COVERAGE_ENABLED === 'true' && vitestConfig.test?.coverage) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a958bc1515ab31f1 Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:50
		if (process.env.CI === 'true' && coverage.provider === 'v8') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f28c592cdff5bd7c Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:44
	if (process.env.CI !== 'true') return {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4ff3db14101398e Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:61
	reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a38647260ad1451f Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:63
	...(process.env.COVERAGE_ENABLED === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43912fc01ce7862b Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:68
					reporter: process.env.CI === 'true' ? 'lcov' : 'text-summary',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/workflow-sdk

npm first-party
expand_more 54 low-confidence finding(s)
low env_fs production #e7d6e6d692e27478 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/create-workflows-zip.ts:11
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9209b686966374ec Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/extract-workflows.ts:12
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c53bb0f3825c1a06 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/extract-workflows.ts:46
		fs.writeFileSync(outputPath, entry.getData());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b3720b5ca3ff46c Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #600b6c51eb6b7f49 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:87
		const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b078ee33df24734e Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:146
			fs.writeFileSync(outputPath, JSON.stringify(workflow, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78456255b2720e6b Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:162
		const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d97e2c513ce17b5 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:179
	fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d174db4343283476 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:9
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fd68ec56b745fea Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:48
	const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cebbe5e8c1e75db0 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:105
	const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fbf9512b2a0fa8b Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eef9493852f6039 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:26
		code = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #065011beafc927b6 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:60
	fs.writeFileSync(outputPath, JSON.stringify(json, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcbabb33f3f6ea96 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94a4da394f9e9afd Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:27
		const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25d521c2a4241cce Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:75
	fs.writeFileSync(outputPath, code);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b97c0eefe25df99 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/code-generator.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36679bccff6f12e8 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/code-generator.test.ts:2064
				const json = JSON.parse(fs.readFileSync(jsonPath, 'utf8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f0104c80da00671 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #338661b484c86f78 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:51
	const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5778b771a91b01c8 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:71
			const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08591c7121a177c4 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:7
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #415db0e5b2fce921 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:34
	await fs.promises.writeFile(nodesJsonPath, JSON.stringify(nodes));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbdec40b51c3c1c2 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:129
			const hashBefore = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4df9b756fbfca59 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:137
			await fs.promises.writeFile(nodesJsonPath, JSON.stringify([modifiedNode]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e276cf6befed374 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:141
			const hashAfter = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1f311872c649eec Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:218
				const tsContent = await fs.promises.readFile(path.join(nodeDir, 'v1.ts'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1848485eee8248d Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:17
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2264a9fbd7efb7a2 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:47
		const pkg = JSON.parse(fs.readFileSync(sdkPackageJsonPath, 'utf-8')) as { version: string };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8175bac655c4c17 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:68
	const content = await fs.promises.readFile(nodesJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa264711af55b0cf Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:76
		const existingHash = await fs.promises.readFile(hashFilePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a17cdf9f1378a97 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:99
	await fs.promises.writeFile(hashFilePath, inputHash);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f92b39e94674178 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:111
	const packageJson = jsonParse<{ name: string }>(fs.readFileSync(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08384f00dac9577a Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:8
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d39fbf65fadb0907 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:4993
				fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #214a013e2022860c Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:5203
				fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a39b6e77384a1fe Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:5369
		const content = fs.readFileSync(indexFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4706702c31c4c71d Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:21
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f3a4618304df6e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:663
					const schemaContent = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6592a149c2ea6d1e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:689
					const schemaContent = fs.readFileSync(schemaPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #863285102114faf6 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4224
	const content = await fs.promises.readFile(jsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2cd756803bf27df Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4354
		await Promise.all(batch.map((f) => fs.promises.writeFile(f.path, f.content)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #836c0d2a7c478339 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4521
		await fs.promises.writeFile(path.join(outputDir, 'index.ts'), indexContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b00f8a1ef5c07da Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4575
		await fs.promises.writeFile(path.join(DEV_OUTPUT_PATH, 'index.ts'), placeholderContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c32d845989914a0c Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #873500f6ed642bf0 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:28
		fs.writeFileSync(generatedPath, code, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a618d5f6315f8e5 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:48
	const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3a1328276416ac7 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:65
			const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bba74f198123dc7f Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:10
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2cba440959833e9 Environment-variable access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:23
const WORKER_ID = process.env.VITEST_POOL_ID ?? '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d9ffcf1b0f4028e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:36
		const content = fs.readFileSync(generatorPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06b0e11382b7aa9c Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:51
		const storedHash = fs.readFileSync(STAMP_FILE, 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47fb708eb9481f4e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:103
			fs.writeFileSync(STAMP_FILE, hash);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/design-system

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #da516ead7c89e119 Filesystem access.
repo/packages/frontend/@n8n/design-system/src/icons/lucide/vite.ts:36
			const raw = readFileSync(jsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/i18n

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs test-only #b541dfb09afd4239 Environment-variable access.
repo/packages/frontend/@n8n/i18n/src/__tests__/setup.ts:2
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/stores

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs test-only #f69d3f46944f8603 Environment-variable access.
repo/packages/frontend/@n8n/stores/src/__tests__/setup.ts:5
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/node-dev

npm first-party
expand_more 5 low-confidence finding(s)
low env_fs production #9811c080900ef024 Filesystem access.
repo/packages/node-dev/commands/new.ts:7
import { access } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9362a81699d0f88c Filesystem access.
repo/packages/node-dev/src/Build.ts:6
import { copyFile, mkdir, readFile, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #045929b492c0b08d Filesystem access.
repo/packages/node-dev/src/Build.ts:25
	const tsConfigString = await readFile(tsconfigPath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #185479202f8e0004 Filesystem access.
repo/packages/node-dev/src/Build.ts:39
	await writeFile(path, JSON.stringify(tsConfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a614660e41ebd8f Filesystem access.
repo/packages/node-dev/src/Create.ts:1
import { copyFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • first-party (npm): packages/testing/rules-engine prod — scan budget exceeded
  • first-party (npm): packages/testing/janitor prod — scan budget exceeded
  • first-party (npm): packages/testing/test-impact prod — scan budget exceeded
  • first-party (npm): packages/testing/containers prod — scan budget exceeded
  • first-party (npm): packages/testing/playwright prod — scan budget exceeded
  • first-party (npm): packages/testing/performance prod — scan budget exceeded
  • first-party (npm): packages/testing/code-health prod — scan budget exceeded
  • @n8n/di prod — scan budget exceeded
  • @oclif/core prod — scan budget exceeded
  • change-case prod — scan budget exceeded
  • fast-glob prod — scan budget exceeded
  • inquirer prod — scan budget exceeded
  • n8n-core prod — scan budget exceeded
  • n8n-workflow prod — scan budget exceeded
  • replace-in-file prod — scan budget exceeded
  • tmp-promise prod — scan budget exceeded
  • @aws-sdk/client-s3 prod — scan budget exceeded
  • @azure/identity prod — scan budget exceeded
  • @azure/storage-blob prod — scan budget exceeded
  • @langchain/core prod — scan budget exceeded
  • @n8n/backend-common prod — scan budget exceeded
  • @n8n/backend-network prod — scan budget exceeded
  • @n8n/client-oauth2 prod — scan budget exceeded
  • @n8n/config prod — scan budget exceeded
  • @n8n/constants prod — scan budget exceeded
  • @n8n/decorators prod — scan budget exceeded
  • @n8n/errors prod — scan budget exceeded
  • @n8n/utils prod — scan budget exceeded
  • @sentry/core prod — scan budget exceeded
  • @sentry/node prod — scan budget exceeded
  • @sentry/node-native prod — scan budget exceeded
  • @sentry/profiling-node prod — scan budget exceeded
  • callsites prod — scan budget exceeded
  • chardet prod — scan budget exceeded
  • cron prod — scan budget exceeded
  • file-type prod — scan budget exceeded
  • form-data prod — scan budget exceeded
  • htmlparser2 prod — scan budget exceeded
  • jsonwebtoken prod — scan budget exceeded
  • lodash prod — scan budget exceeded
  • luxon prod — scan budget exceeded
  • mime-types prod — scan budget exceeded
  • ms prod — scan budget exceeded
  • @n8n/workflow-sdk prod — scan budget exceeded
  • nanoid prod — scan budget exceeded
  • oauth-1.0a prod — scan budget exceeded
  • p-cancelable prod — scan budget exceeded
  • picocolors prod — scan budget exceeded
  • pretty-bytes prod — scan budget exceeded
  • ssh2 prod — scan budget exceeded
  • uuid prod — scan budget exceeded
  • winston prod — scan budget exceeded
  • xml2js prod — scan budget exceeded
  • qs prod — scan budget exceeded
  • @codemirror/autocomplete prod — scan budget exceeded
  • @n8n/expression-runtime prod — scan budget exceeded
  • @n8n/tournament prod — scan budget exceeded
  • ast-types prod — scan budget exceeded
  • esprima-next prod — scan budget exceeded
  • jmespath prod — scan budget exceeded
  • js-base64 prod — scan budget exceeded
  • jssha prod — scan budget exceeded
  • json-schema prod — scan budget exceeded
  • md5 prod — scan budget exceeded
  • recast prod — scan budget exceeded
  • title-case prod — scan budget exceeded
  • transliteration prod — scan budget exceeded
  • jsonrepair prod — scan budget exceeded
  • @1password/connect prod — scan budget exceeded
  • @ai-sdk/anthropic prod — scan budget exceeded
  • @apidevtools/json-schema-ref-parser prod — scan budget exceeded
  • @aws-sdk/client-secrets-manager prod — scan budget exceeded
  • @azure/keyvault-secrets prod — scan budget exceeded
  • @chat-adapter/linear prod — scan budget exceeded
  • @chat-adapter/slack prod — scan budget exceeded
  • @chat-adapter/state-memory prod — scan budget exceeded
  • @chat-adapter/telegram prod — scan budget exceeded
  • @daytona/sdk prod — scan budget exceeded
  • @google-cloud/secret-manager prod — scan budget exceeded
  • @joplin/turndown-plugin-gfm prod — scan budget exceeded
  • @modelcontextprotocol/sdk prod — scan budget exceeded
  • @mozilla/readability prod — scan budget exceeded
  • @n8n/agents prod — scan budget exceeded
  • @n8n/ai-node-sdk prod — scan budget exceeded
  • @n8n/ai-utilities prod — scan budget exceeded
  • @n8n/ai-workflow-builder prod — scan budget exceeded
  • @n8n/api-types prod — scan budget exceeded
  • @n8n/chat-hub prod — scan budget exceeded
  • @n8n/db prod — scan budget exceeded
  • @n8n/instance-ai prod — scan budget exceeded
  • @n8n/mcp-apps prod — scan budget exceeded
  • @n8n/mcp-browser prod — scan budget exceeded
  • @n8n/n8n-nodes-langchain prod — scan budget exceeded
  • @n8n/permissions prod — scan budget exceeded
  • @n8n/scheduler prod — scan budget exceeded
  • @n8n/syslog-client prod — scan budget exceeded
  • @n8n/task-runner prod — scan budget exceeded
  • @n8n_io/ai-assistant-sdk prod — scan budget exceeded
  • @n8n_io/license-sdk prod — scan budget exceeded
  • @opentelemetry/api prod — scan budget exceeded
  • @opentelemetry/core prod — scan budget exceeded
  • @opentelemetry/exporter-trace-otlp-proto prod — scan budget exceeded
  • @opentelemetry/instrumentation prod — scan budget exceeded
  • @opentelemetry/resources prod — scan budget exceeded
  • @opentelemetry/sdk-node prod — scan budget exceeded
  • @opentelemetry/sdk-trace-base prod — scan budget exceeded
  • @opentelemetry/sdk-trace-node prod — scan budget exceeded
  • @opentelemetry/semantic-conventions prod — scan budget exceeded
  • @parcel/watcher prod — scan budget exceeded
  • @pinecone-database/pinecone prod — scan budget exceeded
  • @qdrant/js-client-rest prod — scan budget exceeded
  • @rudderstack/rudder-sdk-node prod — scan budget exceeded
  • @supabase/supabase-js prod — scan budget exceeded
  • ai prod — scan budget exceeded
  • aws4 prod — scan budget exceeded
  • bcryptjs prod — scan budget exceeded
  • bull prod — scan budget exceeded
  • cache-manager prod — scan budget exceeded
  • chat prod — scan budget exceeded
  • class-transformer prod — scan budget exceeded
  • class-validator prod — scan budget exceeded
  • compression prod — scan budget exceeded
  • convict prod — scan budget exceeded
  • cookie-parser prod — scan budget exceeded
  • csrf prod — scan budget exceeded
  • csv-parse prod — scan budget exceeded
  • dotenv prod — scan budget exceeded
  • express prod — scan budget exceeded
  • express-handlebars prod — scan budget exceeded
  • express-openapi-validator prod — scan budget exceeded
  • express-prom-bundle prod — scan budget exceeded
  • express-rate-limit prod — scan budget exceeded
  • fast-json-patch prod — scan budget exceeded
  • fastest-levenshtein prod — scan budget exceeded
  • fflate prod — scan budget exceeded
  • flat prod — scan budget exceeded
  • flatted prod — scan budget exceeded
  • formidable prod — scan budget exceeded
  • handlebars prod — scan budget exceeded
  • helmet prod — scan budget exceeded
  • http-proxy-middleware prod — scan budget exceeded
  • ioredis prod — scan budget exceeded
  • isbot prod — scan budget exceeded
  • isolated-vm prod — scan budget exceeded
  • jose prod — scan budget exceeded
  • json-diff prod — scan budget exceeded
  • jsonschema prod — scan budget exceeded
  • langsmith prod — scan budget exceeded
  • ldapts prod — scan budget exceeded
  • linkedom prod — scan budget exceeded
  • lru-cache prod — scan budget exceeded
  • moment-timezone prod — scan budget exceeded
  • multer prod — scan budget exceeded
  • n8n-editor-ui prod — scan budget exceeded
  • n8n-nodes-base prod — scan budget exceeded
  • nodemailer prod — scan budget exceeded
  • open prod — scan budget exceeded
  • openid-client prod — scan budget exceeded
  • otpauth prod — scan budget exceeded
  • p-lazy prod — scan budget exceeded
  • pdf-parse prod — scan budget exceeded
  • pg prod — scan budget exceeded
  • pkce-challenge prod — scan budget exceeded
  • posthog-node prod — scan budget exceeded
  • prom-client prod — scan budget exceeded
  • psl prod — scan budget exceeded
  • raw-body prod — scan budget exceeded
  • replacestream prod — scan budget exceeded
  • samlify prod — scan budget exceeded
  • semver prod — scan budget exceeded
  • shelljs prod — scan budget exceeded
  • simple-git prod — scan budget exceeded
  • source-map-support prod — scan budget exceeded
  • sqlite3 prod — scan budget exceeded
  • sshpk prod — scan budget exceeded
  • sucrase prod — scan budget exceeded
  • swagger-ui-express prod — scan budget exceeded
  • tar prod — scan budget exceeded
  • turndown prod — scan budget exceeded
  • validator prod — scan budget exceeded
  • ws prod — scan budget exceeded
  • xmllint-wasm prod — scan budget exceeded
  • xss prod — scan budget exceeded
  • yargs-parser prod — scan budget exceeded
  • zod-to-json-schema prod — scan budget exceeded
  • @aws-crypto/sha256-js prod — scan budget exceeded
  • @aws-sdk/credential-providers prod — scan budget exceeded
  • @smithy/node-http-handler prod — scan budget exceeded
  • @smithy/protocol-http prod — scan budget exceeded
  • @smithy/signature-v4 prod — scan budget exceeded
  • @smithy/types prod — scan budget exceeded
  • @kafkajs/confluent-schema-registry prod — scan budget exceeded
  • @n8n/imap prod — scan budget exceeded
  • @thednp/dommatrix prod — scan budget exceeded
  • alasql prod — scan budget exceeded
  • amqplib prod — scan budget exceeded
  • basic-auth prod — scan budget exceeded
  • cheerio prod — scan budget exceeded
  • chokidar prod — scan budget exceeded
  • currency-codes prod — scan budget exceeded
  • eventsource prod — scan budget exceeded
  • generate-schema prod — scan budget exceeded
  • get-system-fonts prod — scan budget exceeded
  • gm prod — scan budget exceeded
  • html-to-text prod — scan budget exceeded
  • iconv-lite prod — scan budget exceeded
  • ics prod — scan budget exceeded