Open Privacy Scan

Snapshot: commit 90dd9ea
engine v1
2026-07-01T02:07:50.276267+00:00

No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

87/100
Low privacy risk

Low risk · 181 finding(s)

Dependency score: 87 (Low risk)

Score Breakdown

egress −10
env_fs −3

Scan Summary

0 high, 0 medium, 181 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

External domains

opencollective.com

First-Party Code

first-party (npm)

npm first-party
40 low-confidence finding(s)
low env_fs test-only #6d5c0e3e9d542e6a Environment-variable access.
repo/benchmarks/createDeepNestedDocArray.js:23
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08ed88252d662e26 Environment-variable access.
repo/benchmarks/findOneAndUpdateSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83bd8cb280954cf8 Environment-variable access.
repo/benchmarks/findOneWithCast.js:38
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f43d4320f05e271 Environment-variable access.
repo/benchmarks/insertManySimple.js:15
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80b375a25ce37e6d Environment-variable access.
repo/benchmarks/nestedArrayLarge.js:28
    if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3307179b932169c Environment-variable access.
repo/benchmarks/recursiveToObject.js:28
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #561e025c51bf8ffb Environment-variable access.
repo/benchmarks/saveSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0aa9a6d940bb08bd Hardcoded external endpoint. Review what data is sent to this destination.
repo/docs/js/ask-ai.js:85
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          model: 'mongodb-chat-latest',
          stream: true,
          store: true,
          input: question
        })
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #2b324e2d021b0aae Filesystem access.
repo/docs/source/api.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #538c6a9ef686c88e Filesystem access.
repo/docs/source/api.js:361
    const comments = dox.parseComments(fs.readFileSync(file, 'utf8'), { raw: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #886a63e1a7aa8168 Filesystem access.
repo/docs/source/utils.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcd53fa129fdcf0d Filesystem access.
repo/docs/source/utils.js:20
    const content = fs.readFileSync(`${dirName}/${filename}`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #692df2553776bcf8 Environment-variable access.
repo/lib/helpers/printJestWarning.js:5
if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4751756ffc05871c Filesystem access.
repo/scripts/generateLLMsTXT.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8b617c8ed04848c Filesystem access.
repo/scripts/generateLLMsTXT.js:153
  await fs.promises.writeFile(llmsTxtPath, `${lines.join('\n').trim()}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #baa92a6fc9029e49 Filesystem access.
repo/scripts/generateSearch.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54c0643ede1a5e47 Filesystem access.
repo/scripts/generateSearch.js:54
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f50774a6c0b00163 Filesystem access.
repo/scripts/generateSearch.js:90
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c999b47556bc890 Filesystem access.
repo/scripts/loadSponsorData.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8eee52f86b018658 Filesystem access.
repo/scripts/loadSponsorData.js:77
  fs.writeFileSync(`${docsDir}/data/sponsors.json`, JSON.stringify(subscribers, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ba981bcdb1fa599 Filesystem access.
repo/scripts/loadSponsorData.js:80
  fs.writeFileSync(`${docsDir}/data/jobs.json`, JSON.stringify(jobs, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #005130ba38c80c5a Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/loadSponsorData.js:82
  const opencollectiveSponsors = await fetch('https://opencollective.com/mongoose/members.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #9def4683d719700b Filesystem access.
repo/scripts/loadSponsorData.js:106
    fs.writeFileSync(`${docsDir}/data/opencollective.json`, JSON.stringify(opencollectiveSponsors, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73dc2e1cd7e9db29 Filesystem access.
repo/scripts/setup-encryption-tests.js:14
  await writeFile('fle-cluster-config.json', JSON.stringify(configuration, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f72018308484de6e Environment-variable access.
repo/scripts/static.js:8
const port = process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60dda1913c3f3da6 Environment-variable access.
repo/scripts/static.js:9
  ? parseInt(process.env.PORT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5422e87b25ba50a Filesystem access.
repo/scripts/tsc-diagnostics-check.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2916252b9442dc8 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:5
const stdin = fs.readFileSync(0).toString('utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69bd26d172db6cf3 Filesystem access.
repo/scripts/update-mongodb-links.js:77
    const promise = fs.readFile(fullPath, { encoding: 'utf8' }).then(text => fs.writeFile(fullPath, mapURLsMongoDb(text)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #798e9235f48dda91 Filesystem access.
repo/scripts/website.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ecf6f6491b61e68 Filesystem access.
repo/scripts/website.js:116
      retArray.push(acquit.parse(fs.readFileSync(file).toString()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da0c6eccbe1c9189 Environment-variable access.
repo/scripts/website.js:333
  const versionedDeploy = process.env.DOCS_DEPLOY ? !(base.currentVersion.listed === base.latestVersion.listed) : false;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7274f3fb49b0a872 Filesystem access.
repo/scripts/website.js:503
      await fs.promises.writeFile(versionedMarkdownPath, str);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c778c94a0ef5b5a8 Filesystem access.
repo/scripts/website.js:508
    await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e19ac1e2328a0b7 Filesystem access.
repo/scripts/website.js:517
  let contents = fs.readFileSync(path.resolve(cwd, inputFile)).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7c15890056be69d Filesystem access.
repo/scripts/website.js:530
      fs.writeFileSync(path.resolve(cwd, inputFile), contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d0667483554826b Filesystem access.
repo/scripts/website.js:587
  await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edda109ef205b13e Filesystem access.
repo/scripts/website.js:596
    await fs.promises.writeFile(versionedMarkdownPath, markdownSource);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73d4919ff42c5c29 Environment-variable access.
repo/scripts/website.js:700
    if (process.env.GENERATE_SEARCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e3c74ff588cbfa1 Environment-variable access.
repo/scripts/website.js:715
    if (!!process.env.DOCS_DEPLOY && !!versionObj.versionedPath) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Dependencies

@ark/attest

npm dependency
9 low-confidence finding(s)
low env_fs dependency Excluded from app score #b26ec665ebcb5c8f Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:131
    let fileText = readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27d47b6478e9a0a0 Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:142
    writeFile(path, fileText);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #644269d8d7226f5a Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:29
            const contents = readFile(path).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76de061c47377f77 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:45
        const contents = this.virtualEnv.sys.readFile(tsPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cc406f499260315 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:107
    const configFileText = readFileSync(path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d367c9d45965907f Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:133
        writeFile(summaryPath, outputCapture.getBuffer());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e15d005c04035d23 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:151
    writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2edc1ecdb4b5559d Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:552
    writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87f4b79f3b39f7bc Environment-variable access.
pkgs/npm/@[email protected]/out/fixtures.js:12
    process.env.ATTEST_CONFIG = JSON.stringify(config);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-ignore

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #2f9ff84a19aaaf52 Filesystem access.
pkgs/npm/[email protected]/docs.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a980c40dd4d5b924 Filesystem access.
pkgs/npm/[email protected]/docs.js:6
let md = fs.readFileSync('./HEADER.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73f55fd70d049a86 Filesystem access.
pkgs/npm/[email protected]/docs.js:9
const blocks = acquit.parse(fs.readFileSync('./test/examples.test.js').toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c4e5ef3554f2765 Filesystem access.
pkgs/npm/[email protected]/docs.js:26
require('fs').writeFileSync('./README.md', md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-require

npm dependency
8 low-confidence finding(s)
low env_fs dependency Excluded from app score #2158385105681cbf Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d224ba66ec01ff2c Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:20
const text = fs.readFileSync(commander.path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9875fdc27a91f4df Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:21
const tests = fs.readFileSync(commander.test).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #febe6890265c506b Filesystem access.
pkgs/npm/[email protected]/docs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57fdc19d3711b712 Filesystem access.
pkgs/npm/[email protected]/docs.js:3
let readme = fs.readFileSync('./README.md', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71143b2e1cf448a4 Filesystem access.
pkgs/npm/[email protected]/docs.js:5
const md = fs.readFileSync('./test/data/article.md').

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c2b81f291da3d50 Filesystem access.
pkgs/npm/[email protected]/docs.js:11
readme = readme.replace('[code]', fs.readFileSync('./test/data/simple.js'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8db45f0266280dbc Filesystem access.
pkgs/npm/[email protected]/docs.js:13
fs.writeFileSync('./README.md', readme);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
11 low-confidence finding(s)
low env_fs dependency Excluded from app score #a6dd29f425e6ae51 Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6c5055de663ce2c Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a3c21efe80fe7fb Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #256c3b4677acb4e3 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1dee957f1e3e2aa Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2c4c02a2585fd3a Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bcf9f6d388a1144 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36ecdf0038f270eb Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7265480fb2d93a2 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c05f3d67b96fdaa7 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fb1f9c950b67953 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
13 low-confidence finding(s)
low env_fs dependency Excluded from app score #b64a69aa92aa9daa Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b3e0200499abc03 Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5f231bc1d2ee6b6 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ac0f3a5307b26dd Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec7551f5f3d55ab5 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b28b79af94c6b1e0 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef7ef7a2a8313735 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df47800fa92c9a1a Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36a82f5000e1870a Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #578ca3e6e06e425b Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e5bc621212b084a Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89e94ca5560115ab Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb0ab2fc87caad96 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #4294a5d22c08490b Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #f749e7e9c619a2ee Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cafb87f8e621343 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dd35201c1551047 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e21e0a0f1bf0fc02 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e78d4eb3fb77b45 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli2

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #047ac4f21c5eaad5 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:38
const readJsonc = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(jsoncParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddc98a444fa5f324 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:41
const readToml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(tomlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6724d00548e3a6f8 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:44
const readYaml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(yamlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d5cc878bd1ff505 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:762
            subTasks.push(fs.promises.readFile(fileName, utf8).

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7269d434fcd3d951 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:765
                return fs.promises.writeFile(fileName, fixed, utf8);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency
14 low-confidence finding(s)
low env_fs dependency Excluded from app score #8b524a99eef32943 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:40
    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f763a0938bdd3c55 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:56
      require("strip-json-comments").default(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ccc99c6e6ccd470 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:27
  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de69d3ed159eb772 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:28
  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #224278f5ee45ea6f Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:29
  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aed43d7744216526 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:32
  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #602508b57865e0d0 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:33
  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fc5ac33d5513cdc Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:34
  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4f8064e94337cf9 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:35
  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74684fc4a834ba5f Filesystem access.
pkgs/npm/[email protected]/lib/cli/options.js:240
      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3271beed2849f676 Environment-variable access.
pkgs/npm/[email protected]/lib/cli/options.js:302
  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eb223fd3c5b0600 Environment-variable access.
pkgs/npm/[email protected]/lib/reporters/base.js:57
  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #661e03874e6ff629 Filesystem access.
pkgs/npm/[email protected]/lib/reporters/json.js:90
        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd88ef28d4e38684 Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:714
  return !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongodb

npm dependency
52 low-confidence finding(s)
low env_fs dependency Excluded from app score #628710b59ab830d4 Filesystem access.
pkgs/npm/[email protected]/etc/prepare.js:3
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d0f877f5a373f7c Environment-variable access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:57
    if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd0d4486032b36f4 Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:339
            const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d3cc03c3a858c5f Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:343
            options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #9ca7998f97800ad2 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js:29
    const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #209408afaad9f173 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:19
    if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10d82c0e74dde1d2 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:20
        filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaf637cbdfa96279 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:22
    else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f66df82cdbccc1ba Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:23
        filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5447a8180b69afa Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2569b63a20200625 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:15
    const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0640193ba00d796 Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:19
    const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea42ae491e52c572 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:390
        MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67da0a839eb5f115 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:391
        MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f606e6da69306014 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:392
        MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da51d57bbcea9c2e Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:393
        MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feb87b3c24665f49 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:394
        MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bce9c58f90a3e44 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:395
        MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04db504acba37925 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:396
        MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c584b374edb56cc2 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:397
        MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87800d694b40a108 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2a61592655ab1e6 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:216
                options.ca ??= await fs_1.promises.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dcece66cfac4f1e Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:219
                options.crl ??= await fs_1.promises.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2109daf54a87a638 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:223
                    const contents = await fs_1.promises.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23354f043488eae4 Filesystem access.
pkgs/npm/[email protected]/lib/utils.js:53
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aa567b86e26e381 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:1
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e88c0edc0c958b5 Environment-variable access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:80
  if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c346c3229a46543c Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:530
      const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3402b51cd7f1a42d Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:534
      options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #289d41a3d91d3fd4 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts:35
  const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #8f9bb71293ac3abc Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbd50b50484770c2 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:22
  if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9dacc11c34398d3d Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:23
    filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d64bed9b1842c95d Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:24
  } else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a39a9cb48a3fdd5b Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:25
    filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8b424bdd15e185a Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:29
  const token = await readFile(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c75a672224628bd Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a8f9fc3119d2cb Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:16
  const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2de3b1c0f54ebf26 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:20
  const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #648ab55989e35e51 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:530
      MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d0e032625a9b0a8 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:531
      MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52b9002f9980285b Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:532
      MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dfbcf5f80085ab4 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:533
      MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b5dc545d07db40d Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:534
      MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #187d38a35cb85631 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:535
      MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae12eebb8bf4fec0 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:536
      MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5d39b17e01960f3 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:537
      MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b6f63a67d5ef507 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:1
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #165fb24cfb5aa5dd Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:628
        options.ca ??= await fs.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39a01101838a2ff8 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:631
        options.crl ??= await fs.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2be08763bdb2353e Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:635
          const contents = await fs.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd395a99a8ab5a0a Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:3
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ncp

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #294a7daa2705b706 Filesystem access.
pkgs/npm/[email protected]/lib/ncp.js:1
var fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pug

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #7d4d2c87ea629e5c Filesystem access.
pkgs/npm/[email protected]/lib/index.js:13
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #084638e8a64faaab Filesystem access.
pkgs/npm/[email protected]/lib/index.js:241
    if (str === undefined) str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9a73ffcb775b77d Filesystem access.
pkgs/npm/[email protected]/lib/index.js:476
  var str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7753b54d74f2fd2f Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:489
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sift

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #5d3ab565a5662f80 Environment-variable access.
pkgs/npm/[email protected]/es/index.js:585
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbfdf8bf721ef46a Environment-variable access.
pkgs/npm/[email protected]/es5m/index.js:694
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0723e5f20bbfc74d Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:700
        else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc940a8c5de0997a Environment-variable access.
pkgs/npm/[email protected]/src/operations.ts:413
  } else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
10 low-confidence finding(s)
low env_fs dependency Excluded from app score #38c4365c84a999f8 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0ab5a815f050686 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5492b2c9603ac35a Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94408d592bc3e4c6 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cbe9fb1da30b02c Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c835a997e4d60bc Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8889c26995e9a8ad Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6086f05f7ff62ee4 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d03e4e14ab173ed Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7068ced9ffec2cdd Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @standard-schema/spec prod — dist-only: no readable source

Development

  • @mongodb-js/mongodb-downloader dev — dist-only: no readable source
  • glob dev — dist-only: no readable source
  • mkdirp dev — dist-only: no readable source
  • tstyche dev — dist-only: no readable source
  • typescript-eslint dev — dist-only: no readable source