Close Open Privacy Scan
App Privacy Score
Low risk · 235 finding(s)
Dependency score: 97 (Low risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Application data flows
No high- or medium-confidence application data-flow findings in this scan.
</> First-Party Code
first-party (npm)
npm first-partyexpand_more 25 low-confidence finding(s)
const fetchImage = process.env.MOCHA_DOCS_SKIP_IMAGE_DOWNLOAD
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const response = await fetch(API_ENDPOINT, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
query: SUPPORTER_QUERY,
variables: variables,
}),
});
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
if (process.env.NETLIFY && process.env.CONTEXT !== "deploy-preview") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NETLIFY && process.env.CONTEXT !== "deploy-preview") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
require("js-yaml").load(fs.readFileSync(filepath, "utf8")),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
require("strip-json-comments").default(fs.readFileSync(filepath, "utf8")),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const css = fs.readFileSync(path.join(srcdir, "mocha.css"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const js = fs.readFileSync(path.join(srcdir, "mocha.js"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const tmpl = fs.readFileSync(
path.join(srcdir, "lib", "browser", "template.html"),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(destdir, "mocha.css"), css);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(destdir, "mocha.js"), js);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(path.join(destdir, "index.html"), tmpl);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
configData = readFileSync(filepath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envConfig = parse(process.env.MOCHA_OPTIONS || "");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(output, json);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return !!process.env.CI;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
forbidOnly: !!process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retries: process.env.CI ? 2 : 0,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reporter: process.env.CI ? "github" : "list",
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reuseExistingServer: !process.env.CI,
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.CI) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFileSync(
filepath,
remark()
.data("settings", {
bullet: "-",
incrementListMarker: false,
listItemIndent: "one",
})
.use([remarkGithub, remarkInlineLinks])
.processSync(readFileSync(filepath))
.toString(),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.processSync(readFileSync(filepath))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
chokidar
npm dependencyexpand_more 2 low-confidence finding(s)
const envPoll = process.env.CHOKIDAR_USEPOLLING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envInterval = process.env.CHOKIDAR_INTERVAL;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
coffeescript
npm dependencyexpand_more 15 low-confidence finding(s)
fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
CoffeeScript.run(fs.readFileSync('Cakefile').toString(), {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
code = fs.readFileSync(source);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.readFile(source, function(err, code) {
if (err) {
return watchErr(err);
}
compileScript(source, code.toString(), base);
return rewatch();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(jsPath, js, function(err) {
if (err) {
printLine(err.message);
return process.exit(1);
} else if (opts.compile && opts.watch) {
return timeLog(`compiled ${sourcePath}`);
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.writeFile(sourceMapPath, generatedSourceMap, function(err) {
if (err) {
printLine(`Could not write source map: ${err.message}`);
return process.exit(1);
}
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
raw = fs.readFileSync(filename, 'utf8');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nodeSourceMapsSupportEnabled = (typeof process !== "undefined" && process !== null) && (process.execArgv.includes('--enable-source-maps') || ((ref = process.env.NODE_OPTIONS) != null ? ref.includes('--enable-source-maps') : void 0));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs = require('fs');
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
historyPath = process.env.XDG_CACHE_HOME || process.env.HOME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
historyPath = process.env.XDG_CACHE_HOME || process.env.HOME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DEBUG_REWRITTEN_TOKEN_STREAM) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.DEBUG_TOKEN_STREAM) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
debug
npm dependencyexpand_more 5 low-confidence finding(s)
r = process.env.DEBUG;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let val = process.env[key];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.DEBUG = namespaces;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.DEBUG;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.DEBUG;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
eslint
npm dependencyexpand_more 13 low-confidence finding(s)
results.source = fs.readFileSync(filePath, "utf-8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await writeFile(filePath, output);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = await fsp.readFile(filePath, {
encoding: "utf8",
signal: controller?.signal,
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.ESLINT_FLAGS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
retrier.retry(() => fs.writeFile(r.filePath, r.output)),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const enabled = !!process.env.TIMING;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (typeof process.env.TIMING !== "string") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.TIMING.toLowerCase() === "all") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = readFileSync(sourceFile, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs.promises.readFile(this.filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs.promises.writeFile(
this.filePath,
stringify(suppressions, { space: 2 }),
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
eslint-plugin-n
npm dependencyexpand_more 2 low-confidence finding(s)
ig.add(fs.readFileSync(filePath, "utf8"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const text = fs.readFileSync(filePath, "utf8")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
js-yaml
npm dependencyexpand_more 2 low-confidence finding(s)
const pkg = JSON.parse(readFileSync(new URL('../package.json', import.meta.url)))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
input = readFileSync(options.file === '-' ? 0 : options.file, 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
npm-run-all2
npm dependencyexpand_more 10 low-confidence finding(s)
const packageName = process.env['npm_package_name']
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (m != null && m[1] && process.env[key] != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
overwriteConfig(retv, packageName, m[1], process.env[key])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.silent = process.env['npm_config_loglevel'] === 'silent'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await readFile(resolve(__dirname, '../../package.json'), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!npmPath && process.env['npm_execpath']) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const npmExecPath = process.env['npm_execpath']
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!npmPath && !process.env['npm_execpath'] && options.packageInfo != null) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isYarn = process.env['npm_config_user_agent']?.startsWith('yarn')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const isPnpm = Boolean(process.env['PNPM_SCRIPT_SRC_DIR'])
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
nyc
npm dependencyexpand_more 31 low-confidence finding(s)
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env.BABEL_DISABLE_CACHE = process.env.BABEL_DISABLE_CACHE = '1'
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const source = await fs.readFile(filename, 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const inCode = await fs.readFile(inFile, 'utf-8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(outFile, outCode)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (!process.env.NYC_CWD) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_PROCESS_ID = this.processInfo.uuid
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(
coverageFilename,
JSON.stringify(coverage),
'utf-8'
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const report = JSON.parse(await fs.readFile(path.resolve(baseDirectory, filename)), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_CWD = process.cwd()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_CWD = process.cwd()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
await fs.writeFile(argv.outputFile, JSON.stringify(map), 'utf8')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_CWD = process.cwd()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
cwd = cwd || process.env.NYC_CWD || process.cwd()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require('fs')
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
envToCopy[env] = process.env[env]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
envToCopy[envName] = process.env[envName]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFileSync(mapPath, JSON.stringify(sourceMap))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.loadedMaps[hash] = JSON.parse(await fs.readFile(mapPath, 'utf8'))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_CONFIG ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
parent: process.env.NYC_PROCESS_ID || null
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NYC_PROCESSINFO_EXTERNAL_ID) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
config._processInfo.externalId = process.env.NYC_PROCESSINFO_EXTERNAL_ID
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
delete process.env.NYC_PROCESSINFO_EXTERNAL_ID
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.NYC_CONFIG_OVERRIDE) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Object.assign(config, JSON.parse(process.env.NYC_CONFIG_OVERRIDE))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NYC_CONFIG = JSON.stringify(config)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
prettier
npm dependencyexpand_more 57 low-confidence finding(s)
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return dist_default.retry.readFile(retryOptions)(filePath, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { statSync, realpathSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs2 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs3 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs3.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs3.writeFileSync(filePath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs2 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs3 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs4 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs4.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs4.writeFileSync(filePath, content);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs5 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { statSync, realpathSync } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs6 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs7 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs8 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs8.writeFileSync(this.storePath, store);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = fs8.readFileSync(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs9 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs10 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return fs10.readFile(filePath, "utf8").catch(noop2);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs11 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs11.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs11.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileBuffer = fs11.readFileSync(filePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs11.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fileContent = fs11.readFileSync(filePath, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs12 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import { createWriteStream } from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return dist_default36.retry.readFile(retryOptions)(filePath, options);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs13 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs9 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs4 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs3 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs2 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = await fs4.readFile(cacheFile, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs7 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs6 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs5 from "fs";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const data = fs5.readFileSync(pathToFile, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs5.writeFileSync(filePath, data);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const buffer = fs6.readFileSync(absolutePath);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
import fs8 from "fs/promises";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
writeFormattedFile: (file, data) => fs8.writeFile(file, data)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
input = await fs9.readFile(filename, "utf8");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
remark-github
npm dependencyexpand_more 1 low-confidence finding(s)
pkg = JSON.parse(String(fs.readFileSync(path.join(cwd, 'package.json'))))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rewiremock
npm dependencyexpand_more 2 low-confidence finding(s)
fs = require(FS_MODULE_NAME);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs = require(FS_MODULE_NAME);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
semver
npm dependencyexpand_more 2 low-confidence finding(s)
process.env.NODE_DEBUG &&
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
/\bsemver\b/i.test(process.env.NODE_DEBUG)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
typescript
npm dependencyexpand_more 20 low-confidence finding(s)
var import_fs = __toESM(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.XDG_CACHE_HOME) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return process.env.XDG_CACHE_HOME;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = __toESM(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const content = JSON.parse(host.readFile(typesRegistryFilePath));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
var fs = __toESM(require("fs"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
unexpected
npm dependencyexpand_more 1 low-confidence finding(s)
return process.env[varName];
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
unexpected-set
npm dependencyexpand_more 2 low-confidence finding(s)
} else if (typeof process !== 'undefined' && process.env.UNEXPECTED_DEPTH) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
defaultDepth = parseInt(process.env.UNEXPECTED_DEPTH, 10);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webpack
npm dependencyexpand_more 31 low-confidence finding(s)
(this.outputFileSystem).writeFile(targetPath, content, (err) => {
if (err) return callback(err);
// information marker that the asset has been emitted
compilation.emittedAssets.add(file);
// cache the information that the Source has been written to that location
const newGeneration =
targetFileGeneration === undefined
? 1
: targetFileGeneration + 1;
/** @type {CacheEntry} */
(cacheEntry).writtenTo.set(targetPath, newGeneration);
this._assetEmittingWrittenFiles.set(targetPath, newGeneration);
this.hooks.assetEmitted.callAsync(
file,
{
content,
source,
outputPath,
compilation,
targetPath
},
callback
);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
return /** @type {OutputFileSystem} */ (
this.outputFileSystem
).readFile(targetPath, (err, existingContent) => {
if (
err ||
!content.equals(/** @type {Buffer} */ (existingContent))
) {
return doWrite(content);
}
return alreadyWritten();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(this.outputFileSystem).writeFile(
/** @type {string} */ (this.recordsOutputPath),
JSON.stringify(
this.records,
(n, value) => {
if (
typeof value === "object" &&
value !== null &&
!Array.isArray(value)
) {
const keys = Object.keys(value);
if (!isSorted(keys)) {
return sortObject(value, keys);
}
}
return value;
},
2
),
callback
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(this.inputFileSystem).readFile(
/** @type {string} */
(this.recordsInputPath),
(err, content) => {
if (err) return callback(err);
try {
this.records =
/** @type {Records} */
(parseJson(/** @type {Buffer} */ (content).toString("utf8")));
} catch (parseErr) {
return callback(
new Error(
`Cannot parse records: ${
/** @type {Error} */ (parseErr).message
}`
)
);
}
return callback(null);
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env[key]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(file, (err, content) => {
if (err) reject(err);
else resolve(/** @type {Buffer} */ (content).toString() || "");
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env[key] !== undefined
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env[key]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.fs.readFile(path, (err, content) => {
if (err) return callback(err);
try {
const context = dirname(this.fs, path);
const source = /** @type {Buffer} */ (content).toString();
const [imports] = lexer.parse(source);
/** @type {Set<string>} */
const added = new Set();
for (const imp of imports) {
try {
// import.meta
if (imp.d === -2) {
continue;
}
/** @type {string | null} */
const dependency =
imp.n ||
parseString(source.slice(imp.s, imp.e).trim());
if (!dependency) {
continue;
}
// We should not track Node.js build dependencies
if (dependency.startsWith("node:")) continue;
if (builtinModules.has(dependency)) continue;
// Avoid extra jobs for identical imports
if (added.has(dependency)) continue;
push({
type: RBDT_RESOLVE_ESM_FILE,
context,
path: dependency,
expected: imp.d > -1 ? false : undefined,
issuer: job
});
added.add(dependency);
} catch (err1) {
logger.warn(
`Parsing of ${path} for build dependencies failed at 'import(${source.slice(
imp.s,
imp.e
)})'.\n` +
"Build dependencies behind this expression are ignored and might cause incorrect cache invalidation."
);
logger.debug(pathToString(job));
logger.debug(/** @type {Error} */ (err1).stack);
}
}
} catch (err2) {
logger.warn(
`Parsing of ${path} for build dependencies failed and all dependencies of this file are ignored, which might cause incorrect cache invalidation..`
);
logger.debug(pathToString(job));
logger.debug(/** @type {Error} */ (err2).stack);
}
process.nextTick(callback);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.fs.readFile(packageJson, (err, content) => {
if (err) {
if (err.code === "ENOENT") {
resolveMissing.add(packageJson);
const parent = dirname(this.fs, packagePath);
if (parent !== packagePath) {
push({
type: RBDT_DIRECTORY_DEPENDENCIES,
context: undefined,
path: parent,
expected: undefined,
issuer: job
});
}
callback();
return;
}
return callback(err);
}
resolveFiles.add(packageJson);
/** @type {JsonObject} */
let packageData;
try {
packageData = JSON.parse(
/** @type {Buffer} */
(content).toString("utf8")
);
} catch (parseErr) {
return callback(/** @type {Error} */ (parseErr));
}
const depsObject = packageData.dependencies;
const optionalDepsObject = packageData.optionalDependencies;
/** @type {Set<string>} */
const allDeps = new Set();
/** @type {Set<string>} */
const optionalDeps = new Set();
if (typeof depsObject === "object" && depsObject) {
for (const dep of Object.keys(depsObject)) {
allDeps.add(dep);
}
}
if (
typeof optionalDepsObject === "object" &&
optionalDepsObject
) {
for (const dep of Object.keys(optionalDepsObject)) {
allDeps.add(dep);
optionalDeps.add(dep);
}
}
for (const dep of allDeps) {
push({
type: RBDT_RESOLVE_DIRECTORY,
context: packagePath,
path: dep,
expected: !optionalDeps.has(dep),
issuer: job
});
}
callback();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.fs.readFile(path, (err, content) => {
if (err) {
if (err.code === "EISDIR") {
this._fileHashes.set(path, "directory");
return callback(null, "directory");
}
if (err.code === "ENOENT") {
this._fileHashes.set(path, null);
return callback(null, null);
}
if (err.code === "ERR_FS_FILE_TOO_LARGE") {
/** @type {Logger} */
(this.logger).warn(`Ignoring ${path} for hashing as it's very large`);
this._fileHashes.set(path, "too large");
return callback(null, "too large");
}
return callback(/** @type {WebpackError} */ (err));
}
const hash = createHash(this._hashFunction);
hash.update(/** @type {string | Buffer} */ (content));
const digest = hash.digest("hex");
this._fileHashes.set(path, digest);
callback(null, digest);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.fs.readFile(packageJsonPath, (err, content) => {
if (err) {
if (err.code === "ENOENT" || err.code === "ENOTDIR") {
// no package.json or path is not a directory
this.fs.readdir(path, (err, elements) => {
if (
!err &&
/** @type {string[]} */ (elements).length === 1 &&
/** @type {string[]} */ (elements)[0] === "node_modules"
) {
// This is only a grouping folder e.g. used by yarn
// we are only interested in existence of this special directory
this._managedItems.set(path, "*nested");
return callback(null, "*nested");
}
/** @type {Logger} */
(this.logger).warn(
`Managed item ${path} isn't a directory or doesn't contain a package.json (see snapshot.managedPaths option)`
);
return callback();
});
return;
}
return callback(/** @type {WebpackError} */ (err));
}
/** @type {JsonObject} */
let data;
try {
data = JSON.parse(/** @type {Buffer} */ (content).toString("utf8"));
} catch (parseErr) {
return callback(/** @type {WebpackError} */ (parseErr));
}
if (!data.name) {
/** @type {Logger} */
(this.logger).warn(
`${packageJsonPath} doesn't contain a "name" property (see snapshot.managedPaths option)`
);
return callback();
}
const info = `${data.name || ""}@${data.version || ""}`;
this._managedItems.set(path, info);
callback(null, info);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const fs = require("fs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const packageInfo = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(infrastructureLogging.stream).isTTY && process.env.TERM !== "dumb";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(compiler.inputFileSystem).readFile(manifest, (err, result) => {
if (err) return callback(err);
/** @type {CompilationDataItem} */
const data = {
path: manifest,
data: undefined,
error: undefined
};
// Catch errors parsing the manifest so that blank
// or malformed manifest files don't kill the process.
try {
data.data =
/** @type {DllReferencePluginOptionsManifest} */
(
/** @type {unknown} */
(parseJson(/** @type {Buffer} */ (result).toString("utf8")))
);
} catch (parseErr) {
// Store the error in the params so that it can
// be added as a compilation error later on.
const manifestPath = makePathsRelative(
compiler.context,
manifest,
compiler.root
);
data.error = new DllManifestError(
manifestPath,
/** @type {Error} */ (parseErr).message
);
}
compilationData.set(params, data);
return callback();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFileSystem.writeFile(targetPath, buffer, callback);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(this.options.path, (err, buffer) => {
if (err) {
if (err.code !== "ENOENT") {
return callback(err);
}
return callback();
}
/** @type {JSONContent} */
const json = JSON.parse(/** @type {Buffer} */ (buffer).toString());
/** @type {Map<string, string | number | null>} */
data = new Map();
for (const key of Object.keys(json)) {
data.set(key, json[key]);
}
dataChanged = false;
return callback();
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.writeFile(this.options.path, JSON.stringify(json), callback);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
loaderContext.fs.readFile(resourcePath, (err, result) => {
if (err) return callback(err);
loaderContext.addDependency(resourcePath);
callback(null, result);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFs.readFile(lockfileLocation, (err, buffer) => {
if (err && err.code !== "ENOENT") {
compilation.missingDependencies.add(lockfileLocation);
return callback(err);
}
compilation.fileDependencies.add(lockfileLocation);
compilation.fileSystemInfo.createSnapshot(
compiler.fsStartTime,
buffer ? [lockfileLocation] : [],
[],
buffer ? [] : [lockfileLocation],
{ timestamp: true },
(err, s) => {
if (err) return callback(err);
const lockfile = buffer
? Lockfile.parse(buffer.toString("utf8"))
: new Lockfile();
lockfileCache = {
lockfile,
snapshot: /** @type {Snapshot} */ (s)
};
callback(null, lockfile);
}
);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFs.writeFile(filePath, result.content, (err) => {
if (err) return callback(err);
callback(null, result);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(filePath, (err, result) => {
if (err) {
if (err.code === "ENOENT") return doFetch();
return callback(err);
}
const content = /** @type {Buffer} */ (result);
/**
* Continue with cached content.
* @param {Buffer | undefined} _result result
* @returns {void}
*/
const continueWithCachedContent = (_result) => {
if (!upgrade) {
// When not in upgrade mode, we accept the result from the lockfile cache
return callback(null, { entry, content });
}
return doFetch(content);
};
if (!verifyIntegrity(content, entry.integrity)) {
/** @type {Buffer | undefined} */
let contentWithChangedEol;
let isEolChanged = false;
try {
contentWithChangedEol = Buffer.from(
content.toString("utf8").replace(/\r\n/g, "\n")
);
isEolChanged = verifyIntegrity(
contentWithChangedEol,
entry.integrity
);
} catch (_err) {
// ignore
}
if (isEolChanged) {
if (!warnedAboutEol) {
const explainer = `Incorrect end of line sequence was detected in the lockfile cache.
The lockfile cache is protected by integrity checks, so any external modification will lead to a corrupted lockfile cache.
When using git make sure to configure .gitattributes correctly for the lockfile cache:
**/*webpack.lock.data/** -text
This will avoid that the end of line sequence is changed by git on Windows.`;
if (frozen) {
logger.error(explainer);
} else {
logger.warn(explainer);
logger.info(
"Lockfile cache will be automatically fixed now, but when lockfile is frozen this would result in an error."
);
}
warnedAboutEol = true;
}
if (!frozen) {
// "fix" the end of line sequence of the lockfile content
logger.log(
`${filePath} fixed end of line sequence (\\r\\n instead of \\n).`
);
intermediateFs.writeFile(
filePath,
/** @type {Buffer} */
(contentWithChangedEol),
(err) => {
if (err) return callback(err);
continueWithCachedContent(
/** @type {Buffer} */
(contentWithChangedEol)
);
}
);
return;
}
}
if (frozen) {
return callback(
new Error(
`${
entry.resolved
} integrity mismatch, expected content with integrity ${
entry.integrity
} but got ${computeIntegrity(content)}.
Lockfile corrupted (${
isEolChanged
? "end of line sequence was unexpectedly changed"
: "incorrectly merged? changed by other tools?"
}).
Run build with un-frozen lockfile to automatically fix lockfile.`
)
);
}
// "fix" the lockfile entry to the correct integrity
// the content has priority over the integrity value
entry = {
...entry,
integrity: computeIntegrity(content)
};
storeLockEntry(lockfile, url, entry);
}
continueWithCachedContent(result);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFs.writeFile(
filePath,
/** @type {Buffer} */
(contentWithChangedEol),
(err) => {
if (err) return callback(err);
continueWithCachedContent(
/** @type {Buffer} */
(contentWithChangedEol)
);
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFs.readFile(lockfileLocation, (err, buffer) => {
if (err && err.code !== "ENOENT") {
writeDone();
return callback(err);
}
const lockfile = buffer
? Lockfile.parse(buffer.toString("utf8"))
: new Lockfile();
for (const [key, value] of /** @type {LockfileUpdates} */ (
lockfileUpdates
)) {
lockfile.entries.set(key, value);
}
intermediateFs.writeFile(
tempFile,
lockfile.toString(),
(err) => {
if (err) {
writeDone();
return (
/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
(intermediateFs.unlink)(tempFile, () => callback(err))
);
}
intermediateFs.rename(tempFile, lockfileLocation, (err) => {
if (err) {
writeDone();
return (
/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
(intermediateFs.unlink)(tempFile, () => callback(err))
);
}
writeDone();
callback();
});
}
);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
intermediateFs.writeFile(
tempFile,
lockfile.toString(),
(err) => {
if (err) {
writeDone();
return (
/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
(intermediateFs.unlink)(tempFile, () => callback(err))
);
}
intermediateFs.rename(tempFile, lockfileLocation, (err) => {
if (err) {
writeDone();
return (
/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
(intermediateFs.unlink)(tempFile, () => callback(err))
);
}
writeDone();
callback();
});
}
);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.readFile(p, (err, buf) => {
if (err) return callback(err);
/** @type {JsonObject} */
let data;
try {
data = JSON.parse(/** @type {Buffer} */ (buf).toString("utf8"));
} catch (err1) {
return callback(/** @type {Error} */ (err1));
}
return callback(null, data);
});
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
webpack-cli
npm dependencyexpand_more 13 low-confidence finding(s)
if (!process.env.WEBPACK_CLI_SKIP_IMPORT_LOCAL && require("import-local")(__filename)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if (process.env.WEBPACK_CLI_START_FINISH_FORCE_LOG) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const WEBPACK_PACKAGE_IS_CUSTOM = Boolean(process.env.WEBPACK_PACKAGE);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env.WEBPACK_PACKAGE
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
const WEBPACK_DEV_SERVER_PACKAGE_IS_CUSTOM = Boolean(process.env.WEBPACK_DEV_SERVER_PACKAGE);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? process.env.WEBPACK_DEV_SERVER_PACKAGE
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
helpWidth: typeof process.env.WEBPACK_CLI_HELP_WIDTH !== "undefined"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
? Number.parseInt(process.env.WEBPACK_CLI_HELP_WIDTH, 10)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
(process.env.NODE_ENV === "development" ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV === "production" ||
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV === "none")) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
configuration.mode = process.env.NODE_ENV;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
process.env.NODE_ENV = options.configNodeEnv;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
yargs
npm dependencyexpand_more 1 low-confidence finding(s)
return process.env[key]
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- glob prod — dist-only: no readable source
- minimatch prod — dist-only: no readable source
Development
- @eslint/markdown dev — dist-only: no readable source
- @rollup/plugin-alias dev — dist-only: no readable source
- @test/esm-only-loader dev — registry 404
- cross-env dev — dist-only: no readable source
- rimraf dev — dist-only: no readable source
- rollup dev — dist-only: no readable source
- rollup-plugin-polyfill-node dev — dist-only: no readable source
- rollup-plugin-visualizer dev — dist-only: no readable source