Close Open Privacy Scan

bolt Snapshot: commit 918cf5d
science engine v2
schedule 2026-07-02T10:15:34.448728+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code. Dependency data flows are listed separately and do not affect this verdict.

Incomplete scan — only 95/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

82 /100
Low privacy risk

Low risk · 1762 finding(s)

Dependency score: 37 (High risk)

bar_chart Score Breakdown

egress −15
env_fs −3

list Scan Summary

2 high 0 medium 1760 low
First-party packages: 19
Dependency packages: 38
Ecosystem: npm

swap_horiz Application data flows

No application data flows were found. See dependency data flows below.

hub Dependency data flows (2)
high wrangler dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:293 pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306
high wrangler dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:215 pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223

</> First-Party Code

first-party (npm)

npm first-party
expand_more 775 low-confidence finding(s)
low env_fs production #e4f6ad57a7f3bd20 Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:10
  const repoInput = process.env.INPUT_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53c708f8204464a7 Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:25
  const tagName = process.env.TAG_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac532e79b3a5aa85 Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:31
  const commitSha = process.env.COMMIT_SHA

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be793e290ee81cea Environment-variable access.
repo/.github/scripts/create-git-tag.mjs:37
  const messageEnv = process.env.TAG_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f15a1ca370c58d9 Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:5
const repoInfo = process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9c4174b260e9882 Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:16
  const token = process.env.GITHUB_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebc430bea167175c Environment-variable access.
repo/.github/workflows/scripts/auto-close-github-discussions.js:22
  const closingMessage = process.env.CLOSING_MESSAGE || 'Closing discussion due to inactivity.'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58bbd1bfa631961e Filesystem access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aca07079e69a2e6b Environment-variable access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:53
  if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4257262da63aa3af Environment-variable access.
repo/.github/workflows/scripts/detect-jobs-to-run.js:54
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `jobs=${jobsToRun.join()}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4282ec268a8e95e4 Filesystem access.
repo/eslint-local-rules/valid-exported-types-index.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #114138cfdc285748 Filesystem access.
repo/helpers/compile/build.ts:4
import { writeFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e15d1d3831a9304e Environment-variable access.
repo/helpers/compile/build.ts:117
  if (process.env.WATCH === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff7ab209202cc09b Filesystem access.
repo/helpers/compile/build.ts:128
    writeFileSync(metafilePath, JSON.stringify(build.metafile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6757746bdb8f7a2 Environment-variable access.
repo/helpers/compile/build.ts:158
  if (process.env.WATCH !== 'true') return context

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #863ebf4e8e5af2c1 Environment-variable access.
repo/helpers/compile/build.ts:226
  if (!process.env.IGNORE_EXTERNALS && options.bundle === true) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #566ded06778ec254 Filesystem access.
repo/helpers/compile/plugins/copyFilePlugin.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69b9d01c1e280bf3 Environment-variable access.
repo/helpers/compile/plugins/onErrorPlugin.ts:12
        if (process.env.WATCH !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c6f362d01d3db80 Filesystem access.
repo/helpers/compile/plugins/replaceWithPlugin.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9de8a3fd42716105 Filesystem access.
repo/helpers/compile/plugins/replaceWithPlugin.ts:33
        const contents = await fs.promises.readFile(args.path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d5ded996abbe499 Environment-variable access.
repo/helpers/compile/plugins/tscPlugin.ts:76
      if (process.env.WATCH !== 'true' && process.env.DEV !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44304f913e93458e Environment-variable access.
repo/helpers/compile/plugins/tscPlugin.ts:96
        if (process.env.WATCH !== 'true' && process.env.DEV !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b3d923e6ecb0770 Filesystem access.
repo/helpers/compile/plugins/tscPlugin.ts:100
          const dtsContents = await fs.readFile(`${bundlePath}.d.ts`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c2db5806dcf2390 Filesystem access.
repo/packages/cli/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #450a7b3a3270b3da Environment-variable access.
repo/packages/cli/helpers/build.ts:153
const optionalPlugins = process.env.DEV === 'true' ? [] : [cliTypesBuildConfig, cliConfigBuildConfig]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0670550fc4766c18 Environment-variable access.
repo/packages/cli/jest.setup.js:11
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b86a06394a9aa3e Environment-variable access.
repo/packages/cli/jest.setup.js:18
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bca0213bf509e141 Environment-variable access.
repo/packages/cli/src/DebugInfo.ts:66
      const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #547628370f01301a Filesystem access.
repo/packages/cli/src/Format.ts:106
      await fs.writeFile(filename, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1b6db1a1b73a7e8 Filesystem access.
repo/packages/cli/src/Generate.ts:23
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #11184e88ce9df5b0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/Init.ts:467
              await fetch(`https://prisma-generate-server.prisma.workers.dev/`, {
                method: 'POST',
                headers: {
                  'Content-Type': 'application/json',
                },
                body: JSON.stringify({
                  description: prompt,
                }),
              })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b366a13c5df73379 Filesystem access.
repo/packages/cli/src/Init.ts:656
      const envFile = fs.readFileSync(envPath, { encoding: 'utf8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #509dfcd39dc9fa43 Environment-variable access.
repo/packages/cli/src/Studio.ts:320
        const browser = args['--browser'] || process.env.BROWSER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e36962a86d8941d Filesystem access.
repo/packages/cli/src/Studio.ts:644
      return await readFile(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38723264218af927 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #537731392b90e250 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:15
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bec3b8e7524f0873 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:19
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #062604f4b29c2ce7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:22
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b02b58bff3246d77 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:48
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3da249aa42e5bd44 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:56
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7165388b8dfcc41 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:68
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94351b7ed2550297 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:96
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d5f90ce0d69bb3c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:104
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44765af2fcaee9f0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:116
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73276d5212a7f8c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:144
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #567fba212f5529dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:152
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72f4ad8616601164 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:164
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad3eb29e21ec66f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:179
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c45ac5e5180c17e9 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:187
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64eb7db225bbb138 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:199
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #771e1b69b059d14f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:209
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3c9d9fc5e28f11d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:217
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf6b9bbe1f138c13 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:229
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1858a971576c630a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:239
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbc00b82fa04bf5d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:247
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b90e629ff82a9b42 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:259
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1549898df550ab84 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:271
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75f225c4ec069a70 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:279
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae5463c87711dbd3 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:291
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aea1029451d972dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:301
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80a4db89da0c3aba Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:309
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bb9eef67819e478 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:321
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7144b64af7187ae0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:336
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52c4916a351bc5c8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:340
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3602f54144646a98 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:352
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f958356ad30c4a8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:356
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5e9fc0a5a5b65bd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:368
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93e2a8a54e86c0d4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:372
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afad42be6cbaa300 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:387
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73af458758f76477 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:395
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70c8d966982dcc1f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:405
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5769478d40bd0ffc Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:413
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bebd8953015ebe5e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:425
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13b4fb975c71a464 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:433
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17643aefab2ae340 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:443
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8177a408e44e6f8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:451
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3dcaeb8b3374ccf Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:457
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `DATABASE_URL="postgres://dont:overwrite@me:5432/tests"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ecb6c3c322f0328d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:461
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25258324ea9865c7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:465
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae9c6cc2ba3c516e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:468
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82bc334bd8fedcc5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:474
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `SOMETHING="is here"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d7d25f420876ef0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:478
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #849b7e7cff44051e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:482
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3253c81397dbe8d5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:486
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6505bea2818d402c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:494
  const gitignore = fs.readFileSync(join(ctx.tmpDir, '.gitignore'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e46e408130cd9c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:497
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #400c9843f0ada2b7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:505
  fs.writeFileSync(gitignorePath, `# This should not be overridden`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #590e575b64e4a099 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:506
  fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc2aea95fc002981 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:508
  const gitignoreAfter = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f53026fd171da1ae Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:511
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f403a0a3ae644d5a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:519
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15a9c455d20f2518 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:522
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #378fc821863e551d Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cb77d761b87a9bf Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c954327f9e6ae9c4 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1df98363a7cb0531 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:44
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da161ce9451f0a28 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:74
    process.env.FORCE_PANIC_PRISMA_SCHEMA = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #476de1b15f7b8672 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:100
    process.env.FORCE_PANIC_GET_CONFIG = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3eade2c09a4084a3 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:126
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #96800f4e607fe00c Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:144
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68685aa4019f3376 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:170
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec3eaf049d18d150 Filesystem access.
repo/packages/cli/src/__tests__/commandState.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75cbacaf79b9f87d Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ecb8042cbdf9398 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05e54578aa461639 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #204d3cf2edea5287 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:70
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4428f700c9a6540 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:82
    Object.keys(envVars).map((key) => delete process.env[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53add1b8d83e64e8 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:86
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9db04fc55a61a95 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:160
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c35bbb00af3516f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf1328d656be5493 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:25
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7474afca6d1f093a Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:27
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63c92be3c8dd0b7f Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:265
    expect(fs.readFileSync('schema.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6faca36406cae769 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:271
    expect(fs.readFileSync('missing-backrelation.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6970fe1d79865dc0 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:312
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61698b698627b23f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77ac20cf083ca78d Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9a35ce6ad81a5390 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50b62ac5df17b51f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:292
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a76be79ead22f746 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:7
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb0d16c0a42ab8d7 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:63
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d68ba66956c6447c Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:140
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79e52b5c223308d0 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:241
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b35c9204607d928 Filesystem access.
repo/packages/cli/src/__tests__/nps.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcd6cc85f3235e8e Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:20
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed3ea033f49847e1 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:26
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89d1a1f4e5699930 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:28
        process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff5f4fb2614c78b7 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:40
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b13c537677fd427 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:65
    process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fb169ce45227939 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:134
    process.env.KUBERNETES_SERVICE_HOST = '10.96.0.1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7d6154c57e9001f Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:155
    process.env.GIT_EXEC_PATH = '/nix/store/9z3jhc0rlj3zaw8nd1zka9vli6w0q11g-git-2.47.2/libexec/git-core'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7abc0ba302950148 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:176
    process.env.npm_command = 'install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ecc8f1575594607 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:177
    process.env.npm_lifecycle_event = 'prepare'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2094f6c9cedf345 Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:32
  originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9661b972ee9b839f Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:33
  delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #585b473cdcf2aeee Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:38
  process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3b36852295e7552 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:11
    originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b93a1ead1368f58f Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:12
    delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c905c851a5bb134f Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:16
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #727ef2dd3564e8f7 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:144
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3570cc332944fd Filesystem access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:288
          const envContent = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d129a388b2e58e92 Environment-variable access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:294
        process.env.DATABASE_URL = databaseUrl

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee4e8ee1f005ce8f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ae4e67b545793dd Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:206
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0a42afc4b8989ef Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:234
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3b02982d2c1a231 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:266
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), 'datasource db { provider = "postgresql" }', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb9a28c19bb5460e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:293
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }
model User { id Int @id }
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7544fc538fec5901 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:324
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0273743afc076675 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:327
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79805d3e4a172dd3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:363
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d4ac18a0ddbbcc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:366
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e87f10dc84f44a38 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:396
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1203a2920155d93b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:399
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03c15ca1d70c1338 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:430
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #328a8bb524892ea2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:437
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c054768f547cab71 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:464
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e5ccca7ed428bd3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:471
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e2eb8d34c2e6307 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:503
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ade9a638b5eac6e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:510
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45c3126b3013736d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:542
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f923033116838f1 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:549
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cd5ce1b9c1d0b2b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:582
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57d2159859261897 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:32
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f791d8e770bff96 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:41
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad00d3373f37aa20 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:49
    fs.writeFileSync(path.join(tmpDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8aa718141d94ca34 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:58
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url = env("DATABASE_URL")
}

model User {
  id   Int    @id @default(autoincrement())
  name String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f85abc280691a16 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:79
    fs.writeFileSync(path.join(tmpDir, 'prisma.config.ts'), 'export default {}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30724ecf9dad69fc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:86
    fs.writeFileSync(path.join(tmpDir, '.env'), 'DATABASE_URL=test', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4da3171e22201801 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:93
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d514b2c1cb05f68 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:104
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ prisma: { seed: '' } }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6338b6155b3fe8e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ name: 'test' }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b77a0d697ef75174 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:118
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `import { defineConfig } from 'prisma/config'\nexport default defineConfig({ migrations: { seed: 'tsx ./prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8751163824e2bb74 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:129
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({\n  migrations: {\n    seed: "npx tsx prisma/seed.ts",\n  },\n})`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33aad788c6c8bf48 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:140
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { path: 'prisma/migrations' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d19d8c528375339 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:159
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }

model User {
  id   Int    @id
  name String
  posts Post[]
}

model Post {
  id     Int    @id
  title  String
  author User   @relation(fields: [authorId], references: [id])
  authorId Int
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ac27682cfa6b77e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:186
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5914517da28758e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32eca81b31d59291 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:208
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c54d21f26143fa54 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:218
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f8a82bbbbbab3de Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:223
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e1a558a5e3fbc3d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:36
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18ea9fd7e6217cc5 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:41
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1337bbbe9820656e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:50
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb1287dc58f1c351 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:51
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d13e5970aa7d9a Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:56
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fcc6366c9a2d0fcc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:61
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2ed42b913e7f44f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:66
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5feac2f591383d9 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:71
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6efb55cdec94d416 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:72
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76638b66afd5d0b7 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:34
    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2dc52f16e7391f9 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:48
    const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #564f9a1393b4801b Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:59
    const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f75a837c56560503 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:71
      const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fd4e7050fc322c1 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:81
      const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #522c0f99d60843e3 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:97
      const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d083e4ca975f580 Environment-variable access.
repo/packages/cli/src/bootstrap/telemetry.ts:6
  return Boolean(process.env.CHECKPOINT_DISABLE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e5c105815b368ed8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/bootstrap/template-scaffold.ts:54
  const response = await fetch(PRISMA_EXAMPLES_TARBALL_URL, {
    headers: { Accept: 'application/vnd.github+json', 'User-Agent': 'prisma-cli' },
    redirect: 'follow',
    signal: AbortSignal.timeout(120_000),
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #42aad8c8c4d7bb75 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:82
        fs.writeFileSync(destPath, tarBuffer.subarray(offset, offset + header.size))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28d39ed46de06ec4 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:161
      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cebe3124b179039 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a427e3a48e539d2 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:39
    const source = await fs.readFile(path.join(typedSqlDirPath, fileName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #149c59a1e4fc73f1 Filesystem access.
repo/packages/cli/src/init/file-writer.ts:17
    fs.writeFileSync(absPath, content, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6cc2c18622aea6f Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:43
  return process.env.PRISMA_MANAGEMENT_API_URL ?? DEFAULT_MANAGEMENT_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d6f0cb73e0e3810 Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:182
    const apiKey = explicitApiKey ?? (databaseId ? process.env.PRISMA_API_KEY : undefined)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fde4dd2c1580d96 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:119
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3317b0f7dda9585 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:139
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model User {
  id    Int    @id @default(autoincrement())
  name  String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea9359338d81443d Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #422708fc212edb96 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:216
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b38179a44f81c205 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:31
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82502b4504d742ed Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:37
    fs.writeFileSync(envPath, 'EXISTING_VAR="hello"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #666834e0becdacbe Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:47
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc9643b3f4f32df4 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:53
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ae1d469ad2a6eb1 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:63
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faaee20b0e557670 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:69
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #358c43667bf4efc8 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:79
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1836a09f4d3fe664 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:90
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #121b4d53f07d06b9 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:101
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\n.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10243641c191cf8a Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:106
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), '/.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01df3e63ecd35152 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\ndist\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #282200f792d44750 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:126
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d5069a8fb81a846 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:137
    fs.writeFileSync(path.join(tmpDir, '.env'), "DATABASE_URL='postgres://localhost:5432/mydb'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a101a38339f55121 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:142
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc3f056c6a5240c2 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:151
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c39b7999f0be422b Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, '.env'), "OTHER_VAR='value'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f449fc81a955375c Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:22
    fs.writeFileSync(envPath, lines.join('\n') + '\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd08dbe4bbfb2fa8 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:28
  let content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24ad9722b6d169ef Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:46
  fs.writeFileSync(envPath, content, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae2d3b7c1007b895 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:61
  const content = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2b48287af0caf86 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:87
  const parsed = dotenv.parse(fs.readFileSync(envPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d820dd14a8077650 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/status-page.ts:156
    const response = await fetch(SUMMARY_API_URL, { signal: AbortSignal.timeout(10_000) })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4596e0738f93cb45 Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:37
  if (process.env['CHECKPOINT_DISABLE']) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8834901538d72fa Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:94
      information: args['--telemetry-information'] || process.env.PRISMA_TELEMETRY_INFORMATION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caca570d91ca28cc Filesystem access.
repo/packages/cli/src/utils/commandState.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab55e47eb629e81a Filesystem access.
repo/packages/cli/src/utils/commandState.ts:19
  const data = await fs.promises
    .readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f523530c428d5117 Filesystem access.
repo/packages/cli/src/utils/commandState.ts:25
    await fs.promises.writeFile(filePath, JSON.stringify(state))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #566a24696e878799 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #398a8ebffed6e39e Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:23
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ecedf7d91d0b07d Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:47
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #fcd1bfe9638539cb Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/capture.ts:11
const posthogCaptureUrl = new URL('https://proxyhog.prisma-data.net/capture')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #490da6a41d88ce40 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/status.ts:14
const npsStatusUrl = new URL('https://pub-833f4cf4b3dc4d17a6db4981affc9fbb.r2.dev/timeframe.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #c70b4917748ec2d7 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d66d154e10f3af2 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:165
  const data = await fs.promises
    .readFile(getConfigPath(), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ad39cb71cfa14fa Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:187
  await fs.promises.writeFile(configPath, JSON.stringify(config))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b661efad70e1d890 Environment-variable access.
repo/packages/cli/src/utils/printUpdateMessage.ts:8
  const shouldHide = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b4fd5eef25df210 Filesystem access.
repo/packages/cli/src/utils/prompt/utils/isDirEmpty.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f0746df9fc17577 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:13
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df858d3d3234387f Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:378
  await fs.writeFile(schemaTargetPath, datamodel, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfbcca6249bda6f3 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:393
    await fs.writeFile(path.join(outputDir, `${filename}.wasm`), Buffer.from(wasmBase64, 'base64'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55b4baac38c5ed2d Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:403
    await fs.writeFile(signalsPath, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ec6556512894be3 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:416
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3baee3b4e6ad5424 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:559
    content = await fs.readFile(path.join(directory, 'package.json'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #486122048d8337c1 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:633
        const content = await fs.readFile(sourcePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20b2183999bb2cef Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:634
        await fs.writeFile(targetPath, addPreamble(content))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72c29f155bdef266 Environment-variable access.
repo/packages/client-generator-js/src/generator.ts:80
      copyRuntimeSourceMaps: Boolean(process.env.PRISMA_COPY_RUNTIME_SOURCEMAPS),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f296c38ac63e02f6 Environment-variable access.
repo/packages/client-generator-ts/src/file-extensions.ts:15
  if (!recommended.includes(extension) && !process.env.PRISMA_DISABLE_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71b242cee5da479d Filesystem access.
repo/packages/client-generator-ts/src/generateClient.ts:245
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #802e092399157373 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:125
    return fs.readFileSync(bundledLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82bb2c5c7a886e47 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:129
    return fs.readFileSync(sourceLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0006bd3d375a9b89 Filesystem access.
repo/packages/client/helpers/build.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f852da8ae72f4721 Environment-variable access.
repo/packages/client/helpers/build.ts:31
const shouldMinify = !process.env.DEV && process.env.MINIFY !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18ed96c03b31868e Filesystem access.
repo/packages/client/helpers/build.ts:178
                  const wasmBuffer = fs.readFileSync(wasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ab504055126bda3 Filesystem access.
repo/packages/client/helpers/build.ts:185
                    fs.writeFileSync(base64FilePath, base64Content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5812c9a8883b370a Filesystem access.
repo/packages/client/helpers/build.ts:211
  fs.writeFileSync(path.join(runtimeDir, fileName), 'export * from "./client"\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49f42cb8af483cc4 Environment-variable access.
repo/packages/client/helpers/jestSetup.js:1
process.env.PRISMA_HIDE_PREVIEW_FLAG_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4d015960b1bd9af Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9aa545535fe8e15 Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:116
  await fs.writeFile(at, template(relImport))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28e87849b50b94ea Environment-variable access.
repo/packages/client/scripts/colors.js:14
    colors.enabled = process.env.FORCE_COLOR !== '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #617266856d0c6df4 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #229f8523a34c755e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:10
  fs.writeFileSync(location, data, {})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2939ac336be844b0 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/huge-schema.bench.ts:26
if (!process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #598f61f7068b5020 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44c064e8f07bb08e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:39
  await fs.writeFile('schema.prisma', str)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8cf363c1e895088e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/caching.bench.ts:18
const BENCHMARK_DATAMODEL = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2f7285fa8c9fa08 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:16
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #170c714da50427c9 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:17
          runtimePath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2031600de8dce2d5 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:25
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7881f98832252bf2 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:26
          const wasmPath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.wasm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f50e775a787d93ff Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:27
          moduleBytes = await fs.promises.readFile(wasmPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7ad206d31388339 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/query-performance.bench.ts:257
  if (process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0b699f46ebd6a10 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee09788f3308ab2e Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:33
  fs.writeFileSync(target, file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #852d259d20474aa2 Environment-variable access.
repo/packages/client/src/__tests__/integration/__helpers__/migrateDb.ts:10
  const databaseUrl = process.env.DATABASE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d22cec6d9e14a2d3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-execute-raw-alter')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cb76c00dcd6dfb3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d3e320c70c41596 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/int-errors/test.ts:12
    let connectionString = process.env.TEST_MYSQL_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0700adbd4b49463 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:18
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-multischema')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f25d7b5e85890c74 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:19
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #445de2e80cad6cac Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:21
      connectionString: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee3e74fd71f41b05 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90e5e307bee16c53 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd2e216972822391 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b85a26a79a550a06 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f97b933553b271c Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:10
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions-onDelete-default-foreign-key-error(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb7e52522b83cb9e Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:12
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24bb050e6054a9bd Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:15
    process.env.DATABASE_URL = process.env.TEST_MSSQL_JDBC_URI.replace('master', 'referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0569124d38a91e3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-wrong-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d91428d80006c36a Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:12
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #846194a4ce7669fd Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-wrong-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4299067707104a1b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31680daa9eb6c65d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql-feature-flag/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql-feature-flag')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fab091ad6af3e46 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a17ea505dd289bac Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:13
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c439d2af091c4cdf Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:14
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #343a996408c5feb2 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:12
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a60351d8266d98a Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:19
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1f8362ca9e21582 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:20
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #416a9c032b8cdc01 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-mysql-binary-id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6f289b10fdf78e1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:9
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6305ca1f85cb803a Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27f8ee60f3e98099 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:10
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1aac4537cef5f652 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0acbdf35224f610 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:10
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81c0e456d19f3a7e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd4e1868264c00f3 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b25cc8c4bff927e8 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21470fb9aa00c462 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d50affc7100eeb5e Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fedf457d8caaa876 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f59627414a6a31a4 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7e1081b6386df7e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be997bbfe7b26dba Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #994bc3b794a58528 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c4bdbbd032a7388 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5e74ecaff8ad9df Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3593bbe7f26f99a2 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #843ccd431c09234e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddb8384c32fd3783 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-postgres')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78beebdf911952f9 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f37b1161b396bf18 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-Cascade')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbce4c2d6c5d250c Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #daaf3c84d7c50940 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27d5207d684b7071 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06413b7c901b0e0d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:9
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ead74232e1a6bb1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:11
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3064580fca8b997f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-scalar-list-test')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0227763627aebd0 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b26b3f4cfff3d16e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/sqlite-variable-limit/test.ts:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42353d4157afe31d Filesystem access.
repo/packages/client/src/__tests__/integration/happy/transaction/test.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #793b2dc43b4b0742 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/uncheckedScalarInputs/test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #544c724091100d7f Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ad99a90bda14ef8 Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:10
      const dtsContents = fs.readFileSync(path.join(runtimeDir, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbb36676f7cb2c6e Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:15
    globalEngineTypeOverride = process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #651c34c6e486bae8 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:16
    delete process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #857165e1fa66a6b9 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:21
      process.env.PRISMA_CLIENT_ENGINE_TYPE = globalEngineTypeOverride

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b96a568d676e1666 Environment-variable access.
repo/packages/client/src/runtime/RequestHandler.ts:171
    if (process.env.PRISMA_CLIENT_GET_TIME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26819c0d5d2f84f8 Environment-variable access.
repo/packages/client/src/runtime/core/engines/accelerate/getUrlAndApiKey.ts:52
  if (process.env.TEST_CLIENT_ENGINE_REMOTE_EXECUTOR && url.searchParams.has('use_http')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a289c26269e28626 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:463
        } else if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec188594730a5ef8 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:465
        } else if (process.env.NO_COLOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb6cb1a880ade58a Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c423e3ac43afad59 Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:22
      content = fs.readFileSync(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a220b0647b043b88 Environment-variable access.
repo/packages/client/src/runtime/utils/createErrorMessageWithContext.ts:86
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #919d5097186bab4f Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74666bd7dcaad464 Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:30
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9624ecfe180efe0c Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79a4540d810f2dfc Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0968ca3700a689f5 Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffbf7b5ea3e93e3e Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c73bd833d8385fd Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:6
const originalValue = process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f11b6b9a4079a368 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:10
    delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d0d0c55618a85dd Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:15
      delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #109f3ca81aa4eff1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:17
      process.env[VAR_NAME] = originalValue

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #577af9873488512f Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:22
    process.env[VAR_NAME] = 'postgresql://example'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #159e74a1cc29a10b Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:34
    process.env[VAR_NAME] = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a61830e2177b093 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/datasource-url-undefined/prisma.config.ts:5
    url: process.env['UNDEFINED_VARIABLE'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8506b5f0793964fb Filesystem access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:7
const env = await fs.readFile('.env', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68fd619443bb5f6b Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:21
  process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34019f361b62a345 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:742
      expect(process.env.TEST_CONNECTION_STRING).toBeUndefined()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fda300ce92f20346 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:753
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-cjs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5cf60ac26755701b Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:765
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-esm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1639f056b836085f Environment-variable access.
repo/packages/config/src/env.ts:15
  const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca57328047617909 Environment-variable access.
repo/packages/config/vitest.setup.ts:13
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ba2c537cef20920 Environment-variable access.
repo/packages/config/vitest.setup.ts:19
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #707902cb5f662567 Filesystem access.
repo/packages/credentials-store/src/index.ts:1
import { chmod, mkdir, readFile, writeFile } from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b989ba4e07a08bf5 Environment-variable access.
repo/packages/credentials-store/src/index.ts:31
      process.env.PRISMA_PLATFORM_AUTH_FILE ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba176b1844f8a215 Filesystem access.
repo/packages/credentials-store/src/index.ts:38
      const content = await readFile(this.authFilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77197d233c7ff415 Filesystem access.
repo/packages/credentials-store/src/index.ts:82
    await writeFile(this.authFilePath, JSON.stringify(data, null, 2), { mode: 0o600 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7dfbea3663fa18d7 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:13
  delete process.env.DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8435a6bdac7e6357 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:14
  delete process.env.DEBUG_COLORS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d5ea9b9bb7c1e73 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:29
  process.env.DEBUG = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f30b77f70afd2a6 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:30
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acd6c332a0dd8e6b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:43
  process.env.DEBUG = 'test2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84bbfa76d47331db Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:44
  process.env.FORCE_COLOR = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb0fd04dde9821e5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:45
  process.env.DEBUG_COLORS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6971dd6ab3f38c1d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:59
  process.env.DEBUG = 'test3:*:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0df8653ddc0f71e1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:60
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d7c72b5f5c9a5f4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:73
  process.env.DEBUG = 'test4:*:query-engine:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bb786545d163bf1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:74
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1de96d53acd85bd0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:89
  process.env.DEBUG = 'test5:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4131aabcaf31672d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:90
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e3d027b5c5b44ff Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:106
  process.env.DEBUG = 'test6:client:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3317a38c7a702c9 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:107
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac49d48c87436f05 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:122
  process.env.DEBUG = 'test7:*:*,-test7:*:*:init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4564a6dc9a4cf2e7 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:123
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7523ab3f36c988e4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:138
  process.env.DEBUG = 'test8:*:*,-test8:*:*:init,-test8:pool:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f93fd6284127f06d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:139
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2544d3b14584033 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:153
  process.env.DEBUG = 'test9:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c0d47708fe8ee51 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:154
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04b877528ecb443f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:169
  process.env.DEBUG = 'test10:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aaebfa8600843c37 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:170
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8cbe4b3b54f202c Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:195
  process.env.DEBUG = 'test11:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7c5b69d89663b32 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:196
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #85ffced1d509378f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:210
  process.env.DEBUG = 'test12:client*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a82d406ed99a5f89 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:211
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c26f949981401a33 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:228
  process.env.DEBUG = 'test13:client*init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #516eee983090b806 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:229
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f95161741a052e1a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:249
  process.env.DEBUG = 'test14:*:query-engine:*,-*init,*:result'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5cd326541ef1b0eb Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:250
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0091de8e5ba162b4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:271
  process.env.DEBUG = 'test15:\\w+'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #379dd659c10be20b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:272
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29bb125e4d0cceef Environment-variable access.
repo/packages/debug/src/__tests__/env-disabled.test.ts:9
    process.env.DEBUG = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0ecac5bc31fd178 Environment-variable access.
repo/packages/debug/src/__tests__/env-enabled.test.ts:9
    process.env.DEBUG = 'my-namespace'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f472c2c0878ebc3 Environment-variable access.
repo/packages/engines/src/index.ts:26
  const binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75552f76d01b4442 Environment-variable access.
repo/packages/engines/src/index.ts:27
    ? (process.env.PRISMA_CLI_BINARY_TARGETS.split(',') as BinaryTarget[])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #417c49d700f4354c Filesystem access.
repo/packages/engines/src/scripts/localinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #573e2c0b1054dcf0 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29541769d35b15a4 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:16
  if (fs.existsSync(lockFile) && parseInt(fs.readFileSync(lockFile, 'utf-8'), 10) > Date.now() - 20_000) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02eae005853a1a4a Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:21
    if (process.env.PRISMA_CLI_BINARY_TARGETS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #152a2f7f1fcff2da Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:22
      binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS.split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b9d78813d767778 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:43
  fs.writeFileSync(lockFile, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c34441d1de70477 Environment-variable access.
repo/packages/fetch-engine/src/__tests__/download.test.ts:25
const usesCustomEngines = process.env.PRISMA_SCHEMA_ENGINE_BINARY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19ec3a6d679f96ca Environment-variable access.
repo/packages/fetch-engine/src/download.ts:119
  if (process.env.BINARY_DOWNLOAD_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02122cb3d3ab76cc Environment-variable access.
repo/packages/fetch-engine/src/download.ts:120
    debug(`process.env.BINARY_DOWNLOAD_VERSION is set to "${process.env.BINARY_DOWNLOAD_VERSION}"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4472cf716ead28b8 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:121
    opts.version = process.env.BINARY_DOWNLOAD_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5142d5500969eeff Filesystem access.
repo/packages/fetch-engine/src/download.ts:274
      const sha256File = await fs.promises.readFile(sha256FilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2a71f71d3a33b03 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:295
    } else if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e082e1922a24b638 Filesystem access.
repo/packages/fetch-engine/src/download.ts:441
      await fs.promises.writeFile(cachedSha256Path, sha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b45d31f7f5256a4c Filesystem access.
repo/packages/fetch-engine/src/download.ts:444
      await fs.promises.writeFile(cachedSha256ZippedPath, zippedSha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d7bfc45894f143a Filesystem access.
repo/packages/fetch-engine/src/download.ts:460
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d90875eb748258c Filesystem access.
repo/packages/fetch-engine/src/download.ts:461
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #366d8289bffb3a56 Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:32
      if (!process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc8ac2fa34639be Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:49
    if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd7a044ebb35a702 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:27
  if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1cdd1ab19ff64293 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:28
    const envVarPath = path.resolve(process.cwd(), process.env[envVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64bc6e6a629d0ce6 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:31
        `Env var ${bold(envVar)} is provided but provided path ${underline(process.env[envVar]!)} can't be resolved.`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #155eca8eea778fff Environment-variable access.
repo/packages/fetch-engine/src/env.ts:36
        process.env[envVar]!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #185d82653e6b0f35 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:52
  if (deprecatedEnvVar && process.env[deprecatedEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #019c641602135d94 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:53
    if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0ded332b7cb5b52 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:54
  const noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f29e67a19568597 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:70
    const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1284779868291e8 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:77
      process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df605723cee70cac Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:18
    if (process.env.APPDATA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7ffa62bb37e40de Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:19
      return path.join(process.env.APPDATA, 'Prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a131e0231df38961 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:23
  if (process.env.AWS_LAMBDA_FUNCTION_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #743fd10bac3e48cb Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:31
  return process.env.XDG_CACHE_HOME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87906092143bec11 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:32
    ? path.join(process.env.XDG_CACHE_HOME, 'prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b4209eded876788 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:68
    process.env.PRISMA_BINARIES_MIRROR || // TODO: remove this

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4954b26f5c92a63 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:69
    process.env.PRISMA_ENGINES_MIRROR ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb7942e755780557 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:32
    noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #660e3436e68d62a9 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:37
    if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11f5c228b9d5bfd7 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:3
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c23653a8e99363dd Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:232
    const osReleaseInput = await fs.readFile(osReleaseFile, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f85a24482550be74 Environment-variable access.
repo/packages/get-platform/src/logger.ts:7
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #329a693d41c19400 Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:37
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5781cdd469eb825f Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:38
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81762d28e87e84eb Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:38
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6295978913dc9d Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:39
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e4bbf6d1f3e80b3 Environment-variable access.
repo/packages/instrumentation/src/ActiveTracingHelper.ts:21
const showAllTraces = process.env.PRISMA_SHOW_ALL_TRACES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69ada53262e47d9b Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mariadb/__database.ts:35
  const connectionString = process.env.TEST_MARIADB_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #047043c374fc3a2e Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mssql/__database.ts:34
  const serviceConnectionString = process.env.TEST_MSSQL_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #46729195c24ccab1 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mysql/__database.ts:34
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca1886d65067171e Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/postgresql/__database.ts:28
  return process.env.TEST_POSTGRES_URI + `?schema=${ctx.id}&connection_limit=1`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0bd09b5ea6b1bd4 Filesystem access.
repo/packages/internals/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c911e4a2be86e62d Filesystem access.
repo/packages/internals/src/WasmSchemaEngineLoader.ts:10
  const schemaEngineWasmFileBytes = await fs.readFile(schemaEngineWasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe46f4a986b23389 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/formatSchema.test.ts:12
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7868b04c0d1431b6 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getConfig.test.ts:64
    process.env.TEST_POSTGRES_URI_FOR_DATASOURCE = 'postgres://user:password@something:5432/db'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e07c80d5223784c8 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6f5dcb51a088efc Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ced5847046138829 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:21
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2400900a45d84a02 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:26
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d6a67fb74dab291 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:41
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bacd6e9fe3bf1775 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:42
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba66f4c2c59883fd Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:43
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67bf40f53b92324a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:83
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66e802f4e66d8c0c Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:528
      const file = await fs.promises.readFile(path.join(fixturesPath, 'chinook.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d2b1112a7a3fcaa8 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:537
      const file = await fs.promises.readFile(path.join(fixturesPath, 'odoo.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcecc65872819cee Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:546
      const file = await fs.promises.readFile(path.join(fixturesPath, 'bigschema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0946a5510c86f2b1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getEngineVersion.test.ts:9
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)('Schema Engine', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #232fdc4f128012d9 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d99572f05dc91c7 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d3cb681ea13678 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0efc9dbfb78e94d2 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:29
  testTimeout: process.env.CI ? 60_000 : 10_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06002db81e76b0f1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:42
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d41b7838a40f196 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:43
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55a52cc234bca2d1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:44
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e561cf7e82282659 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:85
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa592940f1606eda Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:16
  testTimeout: process.env.CI ? 60_000 : 20_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9a58d16e96d7aa2 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:52
    delete process.env.BINARY_TARGETS_ENV_VAR_TEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e85e4b3fc05efa35 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:212
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '"native"'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #544a578304c44c0a Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:295
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["native"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f758ba285ab45493 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:378
    process.env.BINARY_TARGETS_ENV_VAR_TEST =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abea2062f7c7a171 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:477
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["linux-musl"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc42412196c33f5c Environment-variable access.
repo/packages/internals/src/__tests__/getPackedPackage.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12eb2e8c14f3c8ec Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:9
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ea4799475f3d148 Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:15
process.env.npm_config_user_agent = 'yarn/1.22.4 npm/? node/v12.18.3 darwin x64'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #526c04ab20c5fe17 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:51
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c83793a59deb2bf Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:57
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1dc2caa7338ddca Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:59
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1425d0f23db61bca Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:76
    process.env.GITHUB_ACTIONS = 'true' // simulate CI environment

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9457dc0bd3eb405a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:8
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef9556de6a330fd3 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:69
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c023c7ac9c03cdf2 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:85
    const uri = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9790951ab9524ee Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:105
    const uri = process.env.TEST_POSTGRES_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a6b93a9918b1018 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:113
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acd7a86311dd5b11 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:124
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase-already-exists')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82003acbc24bb380 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:136
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - create database', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca86be674629f419 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:137
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #856b948cc538542c Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:140
    const connectionString = process.env.TEST_MSSQL_JDBC_URI.replace(/database=(.*?);/, 'database=can-create-a-db;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #274a486032702f5a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:147
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - database already exists', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d86acaa5fd7dcd8c Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:148
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4fbd5c16100d523 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:151
    const connectionString = process.env.TEST_MSSQL_JDBC_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f00f662fad0531e8 Filesystem access.
repo/packages/internals/src/cli/getSchema.ts:10
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e55398c4bfe4bfb Environment-variable access.
repo/packages/internals/src/engine-commands/formatSchema.ts:17
  if (process.env.FORCE_PANIC_PRISMA_SCHEMA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8152818135140be1 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:78
        if (process.env.FORCE_PANIC_GET_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b0584834618b9b3 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:172
    if (binaryTarget.fromEnvVar && process.env[binaryTarget.fromEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72b27c2ebe44c75a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:173
      const value = JSON.parse(process.env[binaryTarget.fromEnvVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f781286988269467 Filesystem access.
repo/packages/internals/src/engine-commands/queryEngineCommons.ts:4
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41f368f8c3448eea Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:58
        if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #809fec450c98d31e Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:65
          noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #38d2b9336dd3af66 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/internals/src/errorReporting.ts:69
  return await fetch(url, {
    method: 'POST',
    agent: getProxyAgent(url),
    body,
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #63f2db5493cac5ea Environment-variable access.
repo/packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:46
    if (process.env.NETLIFY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36e05e67fe916def Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:2
import fs, { readFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bea1fdd17ba3ce5f Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:16
      const pkgJson = JSON.parse(readFileSync(pkgPath, { encoding: 'utf-8' }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb2ccf67720ed3aa Environment-variable access.
repo/packages/internals/src/logger.ts:10
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5443df3167eee7a Filesystem access.
repo/packages/internals/src/resolveBinary.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8388830727a343f Filesystem access.
repo/packages/internals/src/resolveBinary.ts:88
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd1fa1674dad451f Filesystem access.
repo/packages/internals/src/resolveBinary.ts:89
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dadfe09678466401 Filesystem access.
repo/packages/internals/src/resolveOutput.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2459e97a3cda8ca Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:188
          RUST_BACKTRACE: process.env.RUST_BACKTRACE ?? '1',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c3a77f007817af0 Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:189
          RUST_LOG: process.env.RUST_LOG ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c8b5412ff132ca7 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:11
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d1fb72df647af5a Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:17
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbaab6a55659273b Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:19
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e34378b754bc95ef Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:36
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a4373f4be070efa Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:37
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #951d08397a55ae75 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:48
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9deec4f9e10434f9 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:49
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d1eb6dc07b1f132 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:54
      process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a61e4993d4573244 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:59
      process.env.GITHUB_ACTIONS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa55ffd0ee2c660c Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:10
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #633089deac5a3024 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:16
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e65f3c5b02b2032a Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:18
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce5d669402792c80 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:38
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0fbe2374942f5d3 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:50
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ebb1215a8d64743 Filesystem access.
repo/packages/internals/src/utils/chmodPlusX.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b50fc06337f0da28 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12ab1bba1bbc1380 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:12
  TE.tryCatch(() => fsUtils.writeFile(params), createTaggedSystemError('fs-write-file', params))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62606e94d394dbfa Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40dce958a6676017 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:21
  return fs.writeFile(path, content, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c95e47b820aa9576 Filesystem access.
repo/packages/internals/src/utils/isCurrentBinInstalledGlobally.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0900cd9c856a4dbe Environment-variable access.
repo/packages/internals/src/utils/isInContainer.ts:13
      process.env.KUBERNETES_SERVICE_HOST !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5015de73ddbad796 Environment-variable access.
repo/packages/internals/src/utils/isInNpmLifecycleHook.ts:5
  return process.env.npm_lifecycle_event !== undefined && process.env.npm_command !== 'run-script'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fe554a69090f9ec Environment-variable access.
repo/packages/internals/src/utils/isInteractive.ts:9
  return Boolean(stream && stream.isTTY && process.env.TERM !== 'dumb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a1c902acd7272d7 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:11
    process.env.GIT_EXEC_PATH !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44043587877f2837 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:12
    process.env.GIT_DIR !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3782e212dbab6a6 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:13
    process.env.GIT_INDEX_FILE !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50a03fbb85f4f1e5 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:14
    process.env.GIT_PREFIX !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a642941cc967b6ee Environment-variable access.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2
  const runtimeEnvVar = process.env.AWS_LAMBDA_JS_RUNTIME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #210d446ee570c604 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:13
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82127b94f06c46c0 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:39
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce2c83d57d61ab2f Environment-variable access.
repo/packages/migrate/src/SchemaEngineCLI.ts:514
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && request.method !== 'getDatabaseVersion') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c29d8090e07ab3f Environment-variable access.
repo/packages/migrate/src/SchemaEngineWasm.ts:86
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && command !== 'debugPanic') return this.debugPanic()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5908b94dada0f87f Environment-variable access.
repo/packages/migrate/src/__tests__/Baseline.test.ts:20
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0032ae2cf8699e94 Filesystem access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:124
    await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dab4cce5d863b27 Environment-variable access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:159
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05cbdaa5d9962a6d Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:37
      fs.writeFileSync('script.sql', '-- noop')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afa287e6d6fdacb8 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:85
      fs.writeFileSync('script.js', 'Something for MongoDB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bfd872c47f799ce5 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:123
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #423f199c42ffbf46 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:131
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b78ae4f522b3d69b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:139
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58c9378a179cc323 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:156
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #570f74c004a5ffb0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:165
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c31e6778c9873f37 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:174
        fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0c1ca88a3a86a83 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:185
        fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dac6617f975de6c2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:203
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abbb1158d68feb99 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:216
      fs.writeFileSync('script.sql', 'DROP TABLE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c00929829af56b72 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:228
      fs.writeFileSync('script.sql', 'ThisisnotSQL,itshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa6e7e3a7037ef6a Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:239
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18f1668802c37d45 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:274
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #575f524447b48ef7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:282
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6ef872309cdb1f2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:290
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01744009992a8667 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:307
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #342e127a26f5f7ea Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:320
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d1dee78693b728f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:339
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #292dd75e2682d7b9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:358
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6442e8ca23af275b Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:378
      if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c44efde476f17e8b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:382
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2683a899c6edd24 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:403
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0cfb365a969594e5 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:420
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #292ce1706c84693d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:431
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d97463b17bfe2fcd Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:436
    const connectionString = (process.env.TEST_COCKROACH_URI_MIGRATE || '').replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67bef1f978245826 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:474
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3350e33c84e59ba0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:482
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df7f6a4c7936f36e Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:490
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ff46d73a4bd0894 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:507
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cfb7fd372e7f2884 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:518
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e3f4d1e7f1e8955 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:536
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #532be04047f3f58b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:555
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b243c8ef56ad141 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:574
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a83cef71a47d462 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:594
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39a4fb766794f10c Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:608
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #895b01cf18783df6 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:643
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2ce2147bc9d4fda Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:651
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0728b2bf137fe5b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:660
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4973f151efe8e603 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:672
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
START TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19af074d9a03e862 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:690
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc60e90f45b85061 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:708
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3e61e9078bfa7cc Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:727
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29a98cebfb70f118 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:747
      fs.writeFileSync('script.sql', 'DROP DATABASE `test-doesnotexists`;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7a8637f1f969400 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:759
      fs.writeFileSync('script.sql', 'This is not SQL, it should fail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f60e8e4933fbb09f Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:770
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4b761999fed69c7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:774
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2b9f06e65b9a45b Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:781
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #068951df54058acc Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:796
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb1ce329a2bf6bbe Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:817
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8969e39516e19324 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:825
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb110930572ea2ea Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:833
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0eb9de159a2e9bb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:841
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

SELECT 1

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb95855a48f5d1f7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:860
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bddc3f6aa9ad27a2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:882
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1de1b50ce293b614 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:903
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1a886cac273afc9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:922
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b9a143070fc25be Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:944
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47d692f8d9061051 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:956
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #101e37cf11d00c16 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26b5c022a0f1c3fa Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:16
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc9c9ad2b43c41d5 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:19
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4ad8d9212df8c4c Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mongodb.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #099847dc7c1749da Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba30a2a2a17e8347 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:17
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests-migrate', 'tests-migrate-db-pull-mysql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8be8bdd06ab562b Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:20
    connectionString: process.env.TEST_MYSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2da90652d925d072 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5116854b75d79c2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d56671f9f2f56530 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a27298480634877 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:13
  const defaultConnectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56e702e93430d0f6 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0c62e54538804953 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7cf4f9d64a8bbcf1 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:10
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10bc6430f44fe147 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:19
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7c245a074e2a6c9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bee09d0d9ca07572 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fa71e638735afcf Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/schema-folder.test.ts:4
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4abe9af1dc03d32 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlite.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6518d44fbf978dc2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f9b0e6732c5303e Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:33
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6fd4898aba65c107 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:36
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c71ff7fc146686e Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:42
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd8e9becfdf59358 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:58
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c820dcb64c79dc9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:59
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a076ea67cf4a4497 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:97
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86a3fc26052ec8de Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:104
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8b4f0ff2f316726 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:107
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59ca7dbfa745c178 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:114
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3da1cfeec646987d Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:131
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c3770a1a0919121 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:14
  const inDockerIt = process.env.TEST_NO_DOCKER ? it.skip : it

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #218b4029b5c8fccb Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:107
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68b15655dfdcb84f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:227
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #420d1a5a6ef81c14 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:273
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-push')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e0fbda133f51424 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:338
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b20eae972a8be2f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:388
  if (!process.env.TEST_SKIP_MONGODB && !process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0aabd0ff912f4ac2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:392
    connectionString: process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c47738ce7ef0b72b Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDeploy.test.ts:179
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-deploy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c69eba049596867 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:32
  process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc02677eb56d8a4f Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:834
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #521460c4e9728213 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1181
  testIf(!process.env.CI || process.platform !== 'darwin')('external tables', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32ac7a32e78ac6a4 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1246
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9d10a002691424d Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1249
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5c3babea4207c30 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1414
  const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12359b6579ace55e Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1601
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0908bd70611e96b Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1610
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5b54b433f9e9488 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1625
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #597cdd6f7dbbf51c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1626
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b42bbd4043e461b Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:490
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9905ea4b4b3bc6e2 Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:508
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f25c0c672b759a68 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:693
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1fbb54799d8bf92 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:696
    const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a27dd6be1b727cb Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:745
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e2ae0f20129d20f Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:804
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #181b82bc8e1058cc Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:854
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #393e413bff15fdd9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:858
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f83f7120ac5103ce Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:861
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75f1d0cbacf264f3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:876
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25ba4111c5823cd3 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:90
  if (matrix.providers.cockroachdb && process.env.TEST_SKIP_COCKROACHDB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d4406f760a9ec4c Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:91
  if (matrix.providers.sqlserver && process.env.TEST_SKIP_MSSQL) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51514fbb11045605 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:92
  if (matrix.providers.mongodb && process.env.TEST_SKIP_MONGODB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec47409f8065c58e Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.introspect.test.ts:11
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe1d567a048219c1 Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.migrate.test.ts:17
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c00abe4bf34d052 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1362660866bd0bf4 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:14
  const schemaContent = await fs.promises.readFile(schemaPath, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94c4cd388ded9404 Environment-variable access.
repo/packages/migrate/src/__tests__/rpc.test.ts:502
        url: process.env.TEST_POSTGRES_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb0ed8e579ac1d46 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:7
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71beed0a7d74a137 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2359a1dd7ce1552f Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:15
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36540733eafbe20f Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:24
  process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14564f941278415 Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:14
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beb27911e3e9b683 Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:118
        script = fs.readFileSync(path.resolve(args['--file']), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e723bdde4a26252 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:42
  if (process.env[userConsentEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f5908eecf23cc65 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:52
    'Claude Code': process.env.CLAUDECODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c10aa437094f556b Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:53
    'Gemini CLI or Qwen Code': process.env.GEMINI_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #689773250c258af9 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:54
    Cursor: process.env.CURSOR_AGENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a262b7ee6a3c43a Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:55
    Aider: process.env.OR_APP_NAME === 'Aider',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1320a380418d2bb Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:56
    Replit: process.env.REPLIT_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac4fac7608d298f Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:57
    'Codex CLI': process.env.CODEX_SANDBOX === 'seatbelt',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #476bd8194eb37886 Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:36
  await fs.promises.writeFile(path.join(baseDir, migrationName, `migration.${extension}`), script, {
    encoding: 'utf-8',
  })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbfe64d85b44bfef Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:52
  await fs.promises.writeFile(path.join(baseDir, lockfile.path), lockfileContent, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #256c2dc4f5069dc8 Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:21
  const lockfileContent = await fs
    .readFile(path.join(migrationsDirectoryPath, lockfileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed4227ab7ac2dfc Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:56
    const migrationFileContent = await fs
      .readFile(path.join(migrationPath, migrationFileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48f763272a332e6d Filesystem access.
repo/packages/migrate/src/utils/saveSchemaFiles.ts:6
  await Promise.all(schemas.files.map((file) => fs.writeFile(file.path, file.content, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0af77b2d4fea9070 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7302d449afcb1a Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:28
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59a71fa278e2a85b Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cebf538614d88f8 Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:46
    schema += fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42ec27097eaac5e5 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #182a148e9db96c20 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:42
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6f7044a1a02a838 Filesystem access.
repo/packages/migrate/src/utils/setupPostgres.ts:29
    const migrationScript = await fs.readFile(path.join(dirname, 'setup.sql'), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7068b883ed9deae6 Environment-variable access.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12
  const result = await canConnectToDatabase(process.env.TEST_CONNECTION_STRING!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #268daede48996aed Environment-variable access.
repo/packages/query-plan-executor/examples/server.ts:12
  const databaseUrl = process.env.TEST_POSTGRES_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8621d4d05167ca00 Filesystem access.
repo/packages/schema-files-loader/src/resolver/realFsResolver.ts:26
    return fs.readFile(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf082295f02007a6 Filesystem access.
repo/packages/schema-files-loader/src/testUtils.ts:16
  return [filePath, fs.readFileSync(filePath, 'utf8')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a993abf75b14e8d Environment-variable access.
repo/packages/type-benchmark-tests/huge-schema/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ded3172ecf6315f Environment-variable access.
repo/packages/type-benchmark-tests/lots-of-relations/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6752b9f7fb3dbdb Environment-variable access.
repo/sandbox/basic-postgres/index.ts:6
  const prisma = new PrismaClient({ adapter: new PrismaPg({ connectionString: process.env.TEST_POSTGRES_URI }) })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8a228c70bc8e76c Environment-variable access.
repo/sandbox/driver-adapters/src/neon.http.ts:5
  const connectionString = `${process.env.JS_NEON_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59537818eae9878c Environment-variable access.
repo/sandbox/driver-adapters/src/neon.ws.ts:12
  const connectionString = `${process.env.JS_NEON_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69db1e31d204ad83 Environment-variable access.
repo/sandbox/driver-adapters/src/pg.ts:6
  const connectionString = `${process.env.JS_PG_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2925340dba705640 Environment-variable access.
repo/sandbox/driver-adapters/src/planetscale.ts:5
  const connectionString = `${process.env.JS_PLANETSCALE_DATABASE_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7131128241782c09 Environment-variable access.
repo/sandbox/driver-adapters/src/ppg.ts:5
  const connectionString = `${process.env.JS_PPG_DATABASE_URL as string}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8982fc1a0092165 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:12
if (process.env.PROVIDER === 'postgres') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f111d19d005afd2 Filesystem access.
repo/sandbox/studio/prisma.config.ts:15
  const sql = await readFile(join(__dirname, 'postgres.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c996f4a26a932502 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:17
  const pool = postgres(process.env.DATABASE_URL_POSTGRES!, { max: 1 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c53e271be11effb9 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:22
if (process.env.PROVIDER === 'mysql') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b39bb120608b0f1 Filesystem access.
repo/sandbox/studio/prisma.config.ts:25
  const sql = await readFile(join(__dirname, 'mysql.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86943a52c3693bc5 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:29
    uri: process.env.DATABASE_URL_MYSQL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0adeeb1fe45b7929 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:35
if (process.env.PROVIDER === 'sqlite') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #066b167d4ed9638a Filesystem access.
repo/sandbox/studio/prisma.config.ts:57
  const sql = await readFile(join(__dirname, 'sqlite.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cea68617ebe60fa0 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:70
        const url = new URL(process.env.DATABASE_URL_MYSQL!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdd8b6d73ec73f5d Environment-variable access.
repo/sandbox/studio/prisma.config.ts:74
      postgres: () => process.env.DATABASE_URL_POSTGRES!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53dbc03f58b36d11 Environment-variable access.
repo/sandbox/studio/prisma.config.ts:76
    }[process.env.PROVIDER || 'postgres'](),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bdc105b898279142 Environment-variable access.
repo/scripts/ci/publish.ts:15
const onlyPackages = process.env.ONLY_PACKAGES ? process.env.ONLY_PACKAGES.split(',') : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0213132dbe56570d Environment-variable access.
repo/scripts/ci/publish.ts:16
const skipPackages = process.env.SKIP_PACKAGES ? process.env.SKIP_PACKAGES.split(',') : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7b13ef7c499d5ed Environment-variable access.
repo/scripts/ci/publish.ts:19
  if (process.env.GITHUB_CONTEXT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3600d2419de1c5ca Environment-variable access.
repo/scripts/ci/publish.ts:20
    const context = JSON.parse(process.env.GITHUB_CONTEXT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e87beab4cab722d2 Filesystem access.
repo/scripts/ci/publish.ts:94
      packageJson: JSON.parse(await fs.promises.readFile(p, 'utf-8')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce49a6e10a33c08f Environment-variable access.
repo/scripts/ci/publish.ts:468
  if (!process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b0ef58788bdda2d Environment-variable access.
repo/scripts/ci/publish.ts:472
  if (process.env.DRY_RUN === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c59eac03adc4ec6 Environment-variable access.
repo/scripts/ci/publish.ts:479
  if (args['--publish'] && process.env.RELEASE_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b439bfa51147224 Environment-variable access.
repo/scripts/ci/publish.ts:484
    console.log(`Setting --release to RELEASE_VERSION = ${process.env.RELEASE_VERSION}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37341f4327382066 Environment-variable access.
repo/scripts/ci/publish.ts:485
    args['--release'] = process.env.RELEASE_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2244e6bb4d5331f8 Environment-variable access.
repo/scripts/ci/publish.ts:490
  if (process.env.CUSTOM_DIST_TAG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ca9c69592bee0e9 Environment-variable access.
repo/scripts/ci/publish.ts:491
    args['--custom-dist-tag'] = process.env.CUSTOM_DIST_TAG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44a034cf8ac89ba5 Environment-variable access.
repo/scripts/ci/publish.ts:538
  if (branch && (process.env.FORCE_INTEGRATION_RELEASE === 'true' || branch.startsWith('integration/'))) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51b31fdb36e910c9 Environment-variable access.
repo/scripts/ci/publish.ts:573
  if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86057cf622a4f722 Environment-variable access.
repo/scripts/ci/publish.ts:574
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `patchBranch=${patchBranch}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4df03b91ec2c97ae Environment-variable access.
repo/scripts/ci/publish.ts:575
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `tag=${tag}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #510cf0c635268c52 Environment-variable access.
repo/scripts/ci/publish.ts:576
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `tagForEcosystemTestsCheck=${tagForEcosystemTestsCheck}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76ff336294b7f38e Environment-variable access.
repo/scripts/ci/publish.ts:577
    fs.appendFileSync(process.env.GITHUB_OUTPUT, `prismaVersion=${prismaVersion}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d522ae7eecfb12a9 Environment-variable access.
repo/scripts/ci/publish.ts:595
      if (!passing && process.env.SKIP_ECOSYSTEMTESTS_CHECK !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #957f13ecb62a496b Environment-variable access.
repo/scripts/ci/publish.ts:617
    if (typeof process.env.GITHUB_OUTPUT == 'string' && process.env.GITHUB_OUTPUT.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5e425076071cc58 Environment-variable access.
repo/scripts/ci/publish.ts:618
      fs.appendFileSync(process.env.GITHUB_OUTPUT, `enginesCommitHash=${enginesCommitHash}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff5e6f03bd4bf1fb Environment-variable access.
repo/scripts/ci/publish.ts:619
      fs.appendFileSync(process.env.GITHUB_OUTPUT, `prismaCommitHash=${prismaCommitHash}\n`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f54a2f3cd233a53 Filesystem access.
repo/scripts/ci/publish.ts:836
  const file = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98e69708f084cc3d Filesystem access.
repo/scripts/ci/publish.ts:845
    await fs.promises.writeFile(pkgJsonPath, JSON.stringify(packageJson, null, 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f5faf646a7a41bc Filesystem access.
repo/scripts/ci/publish.ts:851
  const file = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5be6519e0331bc0 Filesystem access.
repo/scripts/ci/publish.ts:857
    await fs.promises.writeFile(pkgJsonPath, JSON.stringify(packageJson, null, 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #800035e0e2d53ce6 Environment-variable access.
repo/scripts/ci/publish.ts:862
  if (process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93dcf172d4f084bf Environment-variable access.
repo/scripts/ci/publish.ts:863
    return process.env.GITHUB_REF_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22868eb980b0a13c Environment-variable access.
repo/scripts/ci/publish.ts:887
  if (process.env.GITHUB_REF_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54e1193d68bba86e Environment-variable access.
repo/scripts/ci/publish.ts:888
    const versions = getSemverFromPatchBranch(process.env.GITHUB_REF_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f38046f6b1fa40 Environment-variable access.
repo/scripts/ci/publish.ts:892
      return process.env.GITHUB_REF_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6d61c524e0e8dcc Environment-variable access.
repo/scripts/ci/publish.ts:913
  const webhook = new IncomingWebhook(process.env.SLACK_RELEASE_FEED_WEBHOOK!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89e956dc7a3eeb2c Filesystem access.
repo/scripts/graph-dependencies.ts:1
import { readdirSync, statSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93e38384a4cea724 Environment-variable access.
repo/scripts/only-allow-pnpm.js:6
  if (!process.env.npm_config_user_agent) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d903bead70cfd69 Environment-variable access.
repo/scripts/only-allow-pnpm.js:9
  return pmFromUserAgent(process.env.npm_config_user_agent)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2c80aa03e75bc74 Environment-variable access.
repo/scripts/run-studio.ts:20
  const url = process.env.STUDIO_DATABASE_URL ?? process.argv[2]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #645f2c359637114e Environment-variable access.
repo/scripts/run-studio.ts:21
  const port = process.env.STUDIO_PORT ?? process.argv[3] ?? '5555'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26579c7023eb3114 Environment-variable access.
repo/scripts/run-studio.ts:22
  const browser = process.env.STUDIO_BROWSER ?? process.argv[4] ?? 'none'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/cli

npm first-party
expand_more 222 low-confidence finding(s)
low env_fs production #7c2db5806dcf2390 Filesystem access.
repo/packages/cli/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #450a7b3a3270b3da Environment-variable access.
repo/packages/cli/helpers/build.ts:153
const optionalPlugins = process.env.DEV === 'true' ? [] : [cliTypesBuildConfig, cliConfigBuildConfig]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0670550fc4766c18 Environment-variable access.
repo/packages/cli/jest.setup.js:11
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b86a06394a9aa3e Environment-variable access.
repo/packages/cli/jest.setup.js:18
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bca0213bf509e141 Environment-variable access.
repo/packages/cli/src/DebugInfo.ts:66
      const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #547628370f01301a Filesystem access.
repo/packages/cli/src/Format.ts:106
      await fs.writeFile(filename, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1b6db1a1b73a7e8 Filesystem access.
repo/packages/cli/src/Generate.ts:23
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #11184e88ce9df5b0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/Init.ts:467
              await fetch(`https://prisma-generate-server.prisma.workers.dev/`, {
                method: 'POST',
                headers: {
                  'Content-Type': 'application/json',
                },
                body: JSON.stringify({
                  description: prompt,
                }),
              })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b366a13c5df73379 Filesystem access.
repo/packages/cli/src/Init.ts:656
      const envFile = fs.readFileSync(envPath, { encoding: 'utf8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #509dfcd39dc9fa43 Environment-variable access.
repo/packages/cli/src/Studio.ts:320
        const browser = args['--browser'] || process.env.BROWSER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e36962a86d8941d Filesystem access.
repo/packages/cli/src/Studio.ts:644
      return await readFile(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38723264218af927 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #537731392b90e250 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:15
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bec3b8e7524f0873 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:19
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #062604f4b29c2ce7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:22
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b02b58bff3246d77 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:48
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3da249aa42e5bd44 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:56
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7165388b8dfcc41 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:68
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94351b7ed2550297 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:96
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d5f90ce0d69bb3c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:104
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44765af2fcaee9f0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:116
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73276d5212a7f8c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:144
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #567fba212f5529dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:152
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72f4ad8616601164 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:164
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad3eb29e21ec66f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:179
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c45ac5e5180c17e9 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:187
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64eb7db225bbb138 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:199
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #771e1b69b059d14f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:209
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3c9d9fc5e28f11d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:217
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf6b9bbe1f138c13 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:229
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1858a971576c630a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:239
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbc00b82fa04bf5d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:247
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b90e629ff82a9b42 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:259
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1549898df550ab84 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:271
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75f225c4ec069a70 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:279
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae5463c87711dbd3 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:291
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aea1029451d972dd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:301
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80a4db89da0c3aba Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:309
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bb9eef67819e478 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:321
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7144b64af7187ae0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:336
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52c4916a351bc5c8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:340
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3602f54144646a98 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:352
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f958356ad30c4a8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:356
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5e9fc0a5a5b65bd Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:368
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93e2a8a54e86c0d4 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:372
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afad42be6cbaa300 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:387
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73af458758f76477 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:395
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #70c8d966982dcc1f Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:405
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5769478d40bd0ffc Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:413
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bebd8953015ebe5e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:425
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13b4fb975c71a464 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:433
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17643aefab2ae340 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:443
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8177a408e44e6f8 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:451
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3dcaeb8b3374ccf Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:457
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `DATABASE_URL="postgres://dont:overwrite@me:5432/tests"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ecb6c3c322f0328d Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:461
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25258324ea9865c7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:465
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae9c6cc2ba3c516e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:468
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82bc334bd8fedcc5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:474
  fs.writeFileSync(join(ctx.tmpDir, '.env'), `SOMETHING="is here"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d7d25f420876ef0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:478
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #849b7e7cff44051e Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:482
  const env = fs.readFileSync(join(ctx.tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3253c81397dbe8d5 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:486
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6505bea2818d402c Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:494
  const gitignore = fs.readFileSync(join(ctx.tmpDir, '.gitignore'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e46e408130cd9c0 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:497
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #400c9843f0ada2b7 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:505
  fs.writeFileSync(gitignorePath, `# This should not be overridden`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #590e575b64e4a099 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:506
  fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc2aea95fc002981 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:508
  const gitignoreAfter = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f53026fd171da1ae Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:511
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f403a0a3ae644d5a Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:519
  const schema = fs.readFileSync(join(ctx.tmpDir, 'prisma', 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15a9c455d20f2518 Filesystem access.
repo/packages/cli/src/__tests__/Init.vitest.ts:522
  const config = fs.readFileSync(join(ctx.tmpDir, 'prisma.config.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #378fc821863e551d Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cb77d761b87a9bf Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c954327f9e6ae9c4 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1df98363a7cb0531 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:44
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da161ce9451f0a28 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:74
    process.env.FORCE_PANIC_PRISMA_SCHEMA = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #476de1b15f7b8672 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:100
    process.env.FORCE_PANIC_GET_CONFIG = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3eade2c09a4084a3 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:126
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #96800f4e607fe00c Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:144
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68685aa4019f3376 Environment-variable access.
repo/packages/cli/src/__tests__/artificial-panic.test.ts:170
    process.env.FORCE_PANIC_GET_DMMF = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec3eaf049d18d150 Filesystem access.
repo/packages/cli/src/__tests__/commandState.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75cbacaf79b9f87d Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ecb8042cbdf9398 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05e54578aa461639 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #204d3cf2edea5287 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:70
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4428f700c9a6540 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:82
    Object.keys(envVars).map((key) => delete process.env[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53add1b8d83e64e8 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:86
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9db04fc55a61a95 Environment-variable access.
repo/packages/cli/src/__tests__/commands/DebugInfo.test.ts:160
    process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c35bbb00af3516f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf1328d656be5493 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:25
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7474afca6d1f093a Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:27
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63c92be3c8dd0b7f Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:265
    expect(fs.readFileSync('schema.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6faca36406cae769 Filesystem access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:271
    expect(fs.readFileSync('missing-backrelation.prisma', { encoding: 'utf-8' })).toMatchSnapshot()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6970fe1d79865dc0 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Format.test.ts:312
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61698b698627b23f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:18
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77ac20cf083ca78d Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:24
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9a35ce6ad81a5390 Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:26
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50b62ac5df17b51f Environment-variable access.
repo/packages/cli/src/__tests__/commands/Validate.test.ts:292
    process.env.PRISMA_DISABLE_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a76be79ead22f746 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:7
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb0d16c0a42ab8d7 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:63
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d68ba66956c6447c Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:140
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79e52b5c223308d0 Filesystem access.
repo/packages/cli/src/__tests__/incomplete-schemas.test.ts:241
      fs.writeFileSync('script.sql', dbExecuteSQLScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b35c9204607d928 Filesystem access.
repo/packages/cli/src/__tests__/nps.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcd6cc85f3235e8e Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:20
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed3ea033f49847e1 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:26
        delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89d1a1f4e5699930 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:28
        process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff5f4fb2614c78b7 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:40
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b13c537677fd427 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:65
    process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fb169ce45227939 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:134
    process.env.KUBERNETES_SERVICE_HOST = '10.96.0.1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7d6154c57e9001f Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:155
    process.env.GIT_EXEC_PATH = '/nix/store/9z3jhc0rlj3zaw8nd1zka9vli6w0q11g-git-2.47.2/libexec/git-core'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7abc0ba302950148 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:176
    process.env.npm_command = 'install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ecc8f1575594607 Environment-variable access.
repo/packages/cli/src/__tests__/nps.test.ts:177
    process.env.npm_lifecycle_event = 'prepare'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2094f6c9cedf345 Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:32
  originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9661b972ee9b839f Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:33
  delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #585b473cdcf2aeee Environment-variable access.
repo/packages/cli/src/__tests__/printUpdateMessage.test.ts:38
  process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3b36852295e7552 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:11
    originalPrismaHideUpdateMessageEnv = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b93a1ead1368f58f Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:12
    delete process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c905c851a5bb134f Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:16
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = originalPrismaHideUpdateMessageEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #727ef2dd3564e8f7 Environment-variable access.
repo/packages/cli/src/__tests__/update-message.test.ts:144
    process.env.PRISMA_HIDE_UPDATE_MESSAGE = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3570cc332944fd Filesystem access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:288
          const envContent = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d129a388b2e58e92 Environment-variable access.
repo/packages/cli/src/bootstrap/Bootstrap.ts:294
        process.env.DATABASE_URL = databaseUrl

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee4e8ee1f005ce8f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ae4e67b545793dd Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:206
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0a42afc4b8989ef Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:234
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3b02982d2c1a231 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:266
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), 'datasource db { provider = "postgresql" }', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb9a28c19bb5460e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:293
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }
model User { id Int @id }
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7544fc538fec5901 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:324
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0273743afc076675 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:327
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79805d3e4a172dd3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:363
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d4ac18a0ddbbcc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:366
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e87f10dc84f44a38 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:396
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1203a2920155d93b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:399
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03c15ca1d70c1338 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:430
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #328a8bb524892ea2 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:437
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c054768f547cab71 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:464
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e5ccca7ed428bd3 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:471
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1e2eb8d34c2e6307 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:503
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ade9a638b5eac6e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:510
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45c3126b3013736d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:542
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      '{"name":"test","prisma":{"seed":"npx tsx prisma/seed.ts"}}',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f923033116838f1 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:549
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      'datasource db { provider = "postgresql" }\nmodel User { id Int @id }',
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cd5ce1b9c1d0b2b Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/Bootstrap.vitest.ts:582
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"name":"test"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #57d2159859261897 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:32
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f791d8e770bff96 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:41
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad00d3373f37aa20 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:49
    fs.writeFileSync(path.join(tmpDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8aa718141d94ca34 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:58
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url = env("DATABASE_URL")
}

model User {
  id   Int    @id @default(autoincrement())
  name String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f85abc280691a16 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:79
    fs.writeFileSync(path.join(tmpDir, 'prisma.config.ts'), 'export default {}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30724ecf9dad69fc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:86
    fs.writeFileSync(path.join(tmpDir, '.env'), 'DATABASE_URL=test', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4da3171e22201801 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:93
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d514b2c1cb05f68 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:104
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ prisma: { seed: '' } }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6338b6155b3fe8e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, 'package.json'), JSON.stringify({ name: 'test' }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b77a0d697ef75174 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:118
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `import { defineConfig } from 'prisma/config'\nexport default defineConfig({ migrations: { seed: 'tsx ./prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8751163824e2bb74 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:129
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({\n  migrations: {\n    seed: "npx tsx prisma/seed.ts",\n  },\n})`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33aad788c6c8bf48 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:140
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { path: 'prisma/migrations' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8d19d8c528375339 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:159
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db { provider = "postgresql" }

model User {
  id   Int    @id
  name String
  posts Post[]
}

model Post {
  id     Int    @id
  title  String
  author User   @relation(fields: [authorId], references: [id])
  authorId Int
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ac27682cfa6b77e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:186
    fs.writeFileSync(path.join(prismaDir, 'schema.prisma'), `datasource db { provider = "postgresql" }`, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5914517da28758e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32eca81b31d59291 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:208
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c54d21f26143fa54 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:218
    fs.writeFileSync(
      path.join(tmpDir, 'package.json'),
      JSON.stringify({ prisma: { seed: 'ts-node prisma/seed.ts' } }),
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f8a82bbbbbab3de Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/project-state.vitest.ts:223
    fs.writeFileSync(
      path.join(tmpDir, 'prisma.config.ts'),
      `export default defineConfig({ migrations: { seed: 'npx tsx prisma/seed.ts' } })`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e1a558a5e3fbc3d Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:36
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18ea9fd7e6217cc5 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:41
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1337bbbe9820656e Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:50
    fs.writeFileSync(path.join(tmpDir, 'pnpm-lock.yaml'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb1287dc58f1c351 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:51
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d13e5970aa7d9a Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:56
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fcc6366c9a2d0fcc Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:61
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2ed42b913e7f44f Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:66
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5feac2f591383d9 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:71
    fs.writeFileSync(path.join(tmpDir, 'yarn.lock'), '', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6efb55cdec94d416 Filesystem access.
repo/packages/cli/src/bootstrap/__tests__/template-scaffold.vitest.ts:72
    fs.writeFileSync(path.join(tmpDir, 'package.json'), '{"packageManager":"[email protected]"}', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76638b66afd5d0b7 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:34
    const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2dc52f16e7391f9 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:48
    const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #564f9a1393b4801b Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:59
    const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f75a837c56560503 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:71
      const pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fd4e7050fc322c1 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:81
      const content = fs.readFileSync(configPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #522c0f99d60843e3 Filesystem access.
repo/packages/cli/src/bootstrap/project-state.ts:97
      const content = fs.readFileSync(schemaPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d083e4ca975f580 Environment-variable access.
repo/packages/cli/src/bootstrap/telemetry.ts:6
  return Boolean(process.env.CHECKPOINT_DISABLE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e5c105815b368ed8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/bootstrap/template-scaffold.ts:54
  const response = await fetch(PRISMA_EXAMPLES_TARBALL_URL, {
    headers: { Accept: 'application/vnd.github+json', 'User-Agent': 'prisma-cli' },
    redirect: 'follow',
    signal: AbortSignal.timeout(120_000),
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #42aad8c8c4d7bb75 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:82
        fs.writeFileSync(destPath, tarBuffer.subarray(offset, offset + header.size))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28d39ed46de06ec4 Filesystem access.
repo/packages/cli/src/bootstrap/template-scaffold.ts:161
      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cebe3124b179039 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a427e3a48e539d2 Filesystem access.
repo/packages/cli/src/generate/introspectSql.ts:39
    const source = await fs.readFile(path.join(typedSqlDirPath, fileName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #149c59a1e4fc73f1 Filesystem access.
repo/packages/cli/src/init/file-writer.ts:17
    fs.writeFileSync(absPath, content, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6cc2c18622aea6f Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:43
  return process.env.PRISMA_MANAGEMENT_API_URL ?? DEFAULT_MANAGEMENT_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d6f0cb73e0e3810 Environment-variable access.
repo/packages/cli/src/postgres/link/Link.ts:182
    const apiKey = explicitApiKey ?? (databaseId ? process.env.PRISMA_API_KEY : undefined)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fde4dd2c1580d96 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:119
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3317b0f7dda9585 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:139
    fs.writeFileSync(
      path.join(prismaDir, 'schema.prisma'),
      `
datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model User {
  id    Int    @id @default(autoincrement())
  name  String
}
`,
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea9359338d81443d Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:198
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #422708fc212edb96 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/Link.vitest.ts:216
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b38179a44f81c205 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:31
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82502b4504d742ed Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:37
    fs.writeFileSync(envPath, 'EXISTING_VAR="hello"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #666834e0becdacbe Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:47
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc9643b3f4f32df4 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:53
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ae1d469ad2a6eb1 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:63
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faaee20b0e557670 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:69
    fs.writeFileSync(envPath, 'DATABASE_URL="old-value"\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #358c43667bf4efc8 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:79
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1836a09f4d3fe664 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:90
    const content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #121b4d53f07d06b9 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:101
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\n.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10243641c191cf8a Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:106
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), '/.env\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01df3e63ecd35152 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:111
    fs.writeFileSync(path.join(tmpDir, '.gitignore'), 'node_modules\ndist\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #282200f792d44750 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:126
    const envContent = fs.readFileSync(path.join(tmpDir, '.env'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d5069a8fb81a846 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:137
    fs.writeFileSync(path.join(tmpDir, '.env'), "DATABASE_URL='postgres://localhost:5432/mydb'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a101a38339f55121 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:142
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc3f056c6a5240c2 Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:151
    fs.writeFileSync(
      path.join(tmpDir, '.env'),
      "DATABASE_URL='postgres://user:[email protected]:5432/postgres'\n",
      'utf-8',
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c39b7999f0be422b Filesystem access.
repo/packages/cli/src/postgres/link/__tests__/local-setup.vitest.ts:160
    fs.writeFileSync(path.join(tmpDir, '.env'), "OTHER_VAR='value'\n", 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f449fc81a955375c Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:22
    fs.writeFileSync(envPath, lines.join('\n') + '\n', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd08dbe4bbfb2fa8 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:28
  let content = fs.readFileSync(envPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24ad9722b6d169ef Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:46
  fs.writeFileSync(envPath, content, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae2d3b7c1007b895 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:61
  const content = fs.readFileSync(gitignorePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2b48287af0caf86 Filesystem access.
repo/packages/cli/src/postgres/link/local-setup.ts:87
  const parsed = dotenv.parse(fs.readFileSync(envPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d820dd14a8077650 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/status-page.ts:156
    const response = await fetch(SUMMARY_API_URL, { signal: AbortSignal.timeout(10_000) })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4596e0738f93cb45 Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:37
  if (process.env['CHECKPOINT_DISABLE']) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8834901538d72fa Environment-variable access.
repo/packages/cli/src/utils/checkpoint.ts:94
      information: args['--telemetry-information'] || process.env.PRISMA_TELEMETRY_INFORMATION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caca570d91ca28cc Filesystem access.
repo/packages/cli/src/utils/commandState.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab55e47eb629e81a Filesystem access.
repo/packages/cli/src/utils/commandState.ts:19
  const data = await fs.promises
    .readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f523530c428d5117 Filesystem access.
repo/packages/cli/src/utils/commandState.ts:25
    await fs.promises.writeFile(filePath, JSON.stringify(state))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #566a24696e878799 Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #398a8ebffed6e39e Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:23
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ecedf7d91d0b07d Filesystem access.
repo/packages/cli/src/utils/getClientVersion.ts:47
    const pkgJsonString = await fs.promises.readFile(pkgJsonPath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #fcd1bfe9638539cb Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/capture.ts:11
const posthogCaptureUrl = new URL('https://proxyhog.prisma-data.net/capture')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #490da6a41d88ce40 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/utils/nps/status.ts:14
const npsStatusUrl = new URL('https://pub-833f4cf4b3dc4d17a6db4981affc9fbb.r2.dev/timeframe.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #c70b4917748ec2d7 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d66d154e10f3af2 Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:165
  const data = await fs.promises
    .readFile(getConfigPath(), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ad39cb71cfa14fa Filesystem access.
repo/packages/cli/src/utils/nps/survey.ts:187
  await fs.promises.writeFile(configPath, JSON.stringify(config))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b661efad70e1d890 Environment-variable access.
repo/packages/cli/src/utils/printUpdateMessage.ts:8
  const shouldHide = process.env.PRISMA_HIDE_UPDATE_MESSAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b4fd5eef25df210 Filesystem access.
repo/packages/cli/src/utils/prompt/utils/isDirEmpty.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client

npm first-party
expand_more 99 low-confidence finding(s)
low env_fs production #0006bd3d375a9b89 Filesystem access.
repo/packages/client/helpers/build.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f852da8ae72f4721 Environment-variable access.
repo/packages/client/helpers/build.ts:31
const shouldMinify = !process.env.DEV && process.env.MINIFY !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18ed96c03b31868e Filesystem access.
repo/packages/client/helpers/build.ts:178
                  const wasmBuffer = fs.readFileSync(wasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ab504055126bda3 Filesystem access.
repo/packages/client/helpers/build.ts:185
                    fs.writeFileSync(base64FilePath, base64Content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5812c9a8883b370a Filesystem access.
repo/packages/client/helpers/build.ts:211
  fs.writeFileSync(path.join(runtimeDir, fileName), 'export * from "./client"\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49f42cb8af483cc4 Environment-variable access.
repo/packages/client/helpers/jestSetup.js:1
process.env.PRISMA_HIDE_PREVIEW_FLAG_WARNINGS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4d015960b1bd9af Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:2
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9aa545535fe8e15 Filesystem access.
repo/packages/client/helpers/new-test/new-test.ts:116
  await fs.writeFile(at, template(relImport))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28e87849b50b94ea Environment-variable access.
repo/packages/client/scripts/colors.js:14
    colors.enabled = process.env.FORCE_COLOR !== '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #617266856d0c6df4 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #229f8523a34c755e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/builder.ts:10
  fs.writeFileSync(location, data, {})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2939ac336be844b0 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/huge-schema/huge-schema.bench.ts:26
if (!process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #598f61f7068b5020 Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44c064e8f07bb08e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/lots-of-relations/builder.ts:39
  await fs.writeFile('schema.prisma', str)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8cf363c1e895088e Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/caching.bench.ts:18
const BENCHMARK_DATAMODEL = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2f7285fa8c9fa08 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:16
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #170c714da50427c9 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:17
          runtimePath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2031600de8dce2d5 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:25
        if (process.env.LOCAL_QC_BUILD_DIRECTORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7881f98832252bf2 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:26
          const wasmPath = path.join(process.env.LOCAL_QC_BUILD_DIRECTORY, provider, 'query_compiler_fast_bg.wasm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f50e775a787d93ff Filesystem access.
repo/packages/client/src/__tests__/benchmarks/query-performance/qc-loader.ts:27
          moduleBytes = await fs.promises.readFile(wasmPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7ad206d31388339 Environment-variable access.
repo/packages/client/src/__tests__/benchmarks/query-performance/query-performance.bench.ts:257
  if (process.env.CODSPEED_BENCHMARK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0b699f46ebd6a10 Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee09788f3308ab2e Filesystem access.
repo/packages/client/src/__tests__/dmmfTypes.test.ts:33
  fs.writeFileSync(target, file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #852d259d20474aa2 Environment-variable access.
repo/packages/client/src/__tests__/integration/__helpers__/migrateDb.ts:10
  const databaseUrl = process.env.DATABASE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d22cec6d9e14a2d3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-execute-raw-alter')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6cb76c00dcd6dfb3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/executeRaw-alter-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d3e320c70c41596 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/int-errors/test.ts:12
    let connectionString = process.env.TEST_MYSQL_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0700adbd4b49463 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:18
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-multischema')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f25d7b5e85890c74 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:19
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #445de2e80cad6cac Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/multi-schema/test.ts:21
      connectionString: process.env.DATABASE_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee3e74fd71f41b05 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90e5e307bee16c53 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd2e216972822391 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b85a26a79a550a06 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f97b933553b271c Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:10
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions-onDelete-default-foreign-key-error(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb7e52522b83cb9e Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:12
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24bb050e6054a9bd Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/referentialActions-onDelete-default-foreign-key-error-sqlserver/test.ts:15
    process.env.DATABASE_URL = process.env.TEST_MSSQL_JDBC_URI.replace('master', 'referentialActions-onDelete-default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0569124d38a91e3 Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-wrong-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d91428d80006c36a Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-mysql/test.ts:12
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #846194a4ce7669fd Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:11
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-wrong-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4299067707104a1b Environment-variable access.
repo/packages/client/src/__tests__/integration/errors/wrong-native-types-postgres/test.ts:12
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31680daa9eb6c65d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql-feature-flag/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql-feature-flag')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fab091ad6af3e46 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/insensitive-postgresql/test.ts:7
  const connectionString = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-insensitive-postgresql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a17ea505dd289bac Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:13
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c439d2af091c4cdf Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-mysql/test.ts:14
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #343a996408c5feb2 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:12
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a60351d8266d98a Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:19
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-filtering')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1f8362ca9e21582 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/json-filtering-postgres/test.ts:20
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #416a9c032b8cdc01 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-mysql-binary-id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c6f289b10fdf78e1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/mysql-binary-id/test.ts:9
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6305ca1f85cb803a Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-native-types')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27f8ee60f3e98099 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-mysql/test.ts:10
  await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1aac4537cef5f652 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:9
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-native-types-tests')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0acbdf35224f610 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/native-types-postgres/test.ts:10
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81c0e456d19f3a7e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd4e1868264c00f3 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b25cc8c4bff927e8 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21470fb9aa00c462 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d50affc7100eeb5e Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fedf457d8caaa876 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f59627414a6a31a4 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema-mongo/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7e1081b6386df7e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be997bbfe7b26dba Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:6
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #994bc3b794a58528 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:20
  const generatedTypeScript = fs.readFileSync(path.join(clientDir, './node_modules/.prisma/client/index.d.ts'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c4bdbbd032a7388 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/common.ts:21
  const generatedBrowserJS = fs.readFileSync(
    path.join(clientDir, './node_modules/.prisma/client/index-browser.js'),
    'utf-8',
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5e74ecaff8ad9df Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3593bbe7f26f99a2 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:17
  const datamodel = fs.readFileSync(path.join(__dirname, 'schema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #843ccd431c09234e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/not-so-exhaustive-schema/dmmf-types.test.ts:21
  fs.writeFileSync(
    dmmfFile,
    `import type * as DMMF from '@prisma/dmmf'

  const dmmf: DMMF.Document = ${JSON.stringify(dmmf, null, 2)}`,
  )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ddb8384c32fd3783 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-json-postgres')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78beebdf911952f9 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/postgres-json-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f37b1161b396bf18 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-referentialActions-onDelete-Cascade')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbce4c2d6c5d250c Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-mysql/test.ts:12
    await tearDownMysql(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #daaf3c84d7c50940 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:11
    process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27d5207d684b7071 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-postgresql/test.ts:15
    await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06413b7c901b0e0d Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:9
describeIf(!process.env.TEST_SKIP_MSSQL)('referentialActions(sqlserver)', () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ead74232e1a6bb1 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/referentialActions-onDelete-cascade-sqlserver/test.ts:11
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3064580fca8b997f Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:8
  process.env.DATABASE_URL = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-scalar-list-test')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0227763627aebd0 Environment-variable access.
repo/packages/client/src/__tests__/integration/happy/scalar-list/test.ts:9
  await tearDownPostgres(process.env.DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b26b3f4cfff3d16e Filesystem access.
repo/packages/client/src/__tests__/integration/happy/sqlite-variable-limit/test.ts:5
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42353d4157afe31d Filesystem access.
repo/packages/client/src/__tests__/integration/happy/transaction/test.ts:3
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #793b2dc43b4b0742 Filesystem access.
repo/packages/client/src/__tests__/integration/happy/uncheckedScalarInputs/test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #544c724091100d7f Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ad99a90bda14ef8 Filesystem access.
repo/packages/client/src/__tests__/typeDeclaration.test.ts:10
      const dtsContents = fs.readFileSync(path.join(runtimeDir, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbb36676f7cb2c6e Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:15
    globalEngineTypeOverride = process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #651c34c6e486bae8 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:16
    delete process.env.PRISMA_CLIENT_ENGINE_TYPE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #857165e1fa66a6b9 Environment-variable access.
repo/packages/client/src/__tests__/validatePrismaClientOptions.test.ts:21
      process.env.PRISMA_CLIENT_ENGINE_TYPE = globalEngineTypeOverride

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b96a568d676e1666 Environment-variable access.
repo/packages/client/src/runtime/RequestHandler.ts:171
    if (process.env.PRISMA_CLIENT_GET_TIME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26819c0d5d2f84f8 Environment-variable access.
repo/packages/client/src/runtime/core/engines/accelerate/getUrlAndApiKey.ts:52
  if (process.env.TEST_CLIENT_ENGINE_REMOTE_EXECUTOR && url.searchParams.has('use_http')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a289c26269e28626 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:463
        } else if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec188594730a5ef8 Environment-variable access.
repo/packages/client/src/runtime/getPrismaClient.ts:465
        } else if (process.env.NO_COLOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb6cb1a880ade58a Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c423e3ac43afad59 Filesystem access.
repo/packages/client/src/runtime/utils/SourceFileSlice.ts:22
      content = fs.readFileSync(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a220b0647b043b88 Environment-variable access.
repo/packages/client/src/runtime/utils/createErrorMessageWithContext.ts:86
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #919d5097186bab4f Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74666bd7dcaad464 Filesystem access.
repo/packages/client/src/utils/setupMSSQL.ts:30
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9624ecfe180efe0c Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79a4540d810f2dfc Filesystem access.
repo/packages/client/src/utils/setupMysql.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0968ca3700a689f5 Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffbf7b5ea3e93e3e Filesystem access.
repo/packages/client/src/utils/setupPostgres.ts:14
  const schema = fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client-generator-js

npm first-party
expand_more 9 low-confidence finding(s)
low env_fs production #3f0746df9fc17577 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:13
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df858d3d3234387f Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:378
  await fs.writeFile(schemaTargetPath, datamodel, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfbcca6249bda6f3 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:393
    await fs.writeFile(path.join(outputDir, `${filename}.wasm`), Buffer.from(wasmBase64, 'base64'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55b4baac38c5ed2d Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:403
    await fs.writeFile(signalsPath, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ec6556512894be3 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:416
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3baee3b4e6ad5424 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:559
    content = await fs.readFile(path.join(directory, 'package.json'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #486122048d8337c1 Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:633
        const content = await fs.readFile(sourcePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20b2183999bb2cef Filesystem access.
repo/packages/client-generator-js/src/generateClient.ts:634
        await fs.writeFile(targetPath, addPreamble(content))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72c29f155bdef266 Environment-variable access.
repo/packages/client-generator-js/src/generator.ts:80
      copyRuntimeSourceMaps: Boolean(process.env.PRISMA_COPY_RUNTIME_SOURCEMAPS),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/client-generator-ts

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs production #f296c38ac63e02f6 Environment-variable access.
repo/packages/client-generator-ts/src/file-extensions.ts:15
  if (!recommended.includes(extension) && !process.env.PRISMA_DISABLE_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71b242cee5da479d Filesystem access.
repo/packages/client-generator-ts/src/generateClient.ts:245
        await fs.writeFile(absolutePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #802e092399157373 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:125
    return fs.readFileSync(bundledLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82bb2c5c7a886e47 Filesystem access.
repo/packages/client-generator-ts/src/utils/wasm.ts:129
    return fs.readFileSync(sourceLocation)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/config

npm first-party
expand_more 15 low-confidence finding(s)
low env_fs test-only #5c73bd833d8385fd Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:6
const originalValue = process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f11b6b9a4079a368 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:10
    delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d0d0c55618a85dd Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:15
      delete process.env[VAR_NAME]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #109f3ca81aa4eff1 Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:17
      process.env[VAR_NAME] = originalValue

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #577af9873488512f Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:22
    process.env[VAR_NAME] = 'postgresql://example'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #159e74a1cc29a10b Environment-variable access.
repo/packages/config/src/__tests__/env.test.ts:34
    process.env[VAR_NAME] = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a61830e2177b093 Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/datasource-url-undefined/prisma.config.ts:5
    url: process.env['UNDEFINED_VARIABLE'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8506b5f0793964fb Filesystem access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:7
const env = await fs.readFile('.env', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68fd619443bb5f6b Environment-variable access.
repo/packages/config/src/__tests__/fixtures/loadConfigFromFile/env-load-esm/prisma.config.ts:21
  process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34019f361b62a345 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:742
      expect(process.env.TEST_CONNECTION_STRING).toBeUndefined()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fda300ce92f20346 Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:753
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-cjs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5cf60ac26755701b Environment-variable access.
repo/packages/config/src/__tests__/loadConfigFromFile.test.ts:765
      expect(process.env.TEST_CONNECTION_STRING).toEqual('postgres://test-connection-string-from-env-esm')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1639f056b836085f Environment-variable access.
repo/packages/config/src/env.ts:15
  const value = process.env[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca57328047617909 Environment-variable access.
repo/packages/config/vitest.setup.ts:13
  process.env['JITI_ALIAS'] = JSON.stringify({

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ba2c537cef20920 Environment-variable access.
repo/packages/config/vitest.setup.ts:19
  delete process.env['JITI_ALIAS']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/credentials-store

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs production #707902cb5f662567 Filesystem access.
repo/packages/credentials-store/src/index.ts:1
import { chmod, mkdir, readFile, writeFile } from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b989ba4e07a08bf5 Environment-variable access.
repo/packages/credentials-store/src/index.ts:31
      process.env.PRISMA_PLATFORM_AUTH_FILE ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba176b1844f8a215 Filesystem access.
repo/packages/credentials-store/src/index.ts:38
      const content = await readFile(this.authFilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77197d233c7ff415 Filesystem access.
repo/packages/credentials-store/src/index.ts:82
    await writeFile(this.authFilePath, JSON.stringify(data, null, 2), { mode: 0o600 })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/debug

npm first-party
expand_more 35 low-confidence finding(s)
low env_fs test-only #7dfbea3663fa18d7 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:13
  delete process.env.DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8435a6bdac7e6357 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:14
  delete process.env.DEBUG_COLORS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d5ea9b9bb7c1e73 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:29
  process.env.DEBUG = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f30b77f70afd2a6 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:30
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acd6c332a0dd8e6b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:43
  process.env.DEBUG = 'test2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84bbfa76d47331db Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:44
  process.env.FORCE_COLOR = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb0fd04dde9821e5 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:45
  process.env.DEBUG_COLORS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6971dd6ab3f38c1d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:59
  process.env.DEBUG = 'test3:*:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0df8653ddc0f71e1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:60
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d7c72b5f5c9a5f4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:73
  process.env.DEBUG = 'test4:*:query-engine:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bb786545d163bf1 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:74
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1de96d53acd85bd0 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:89
  process.env.DEBUG = 'test5:*:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4131aabcaf31672d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:90
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e3d027b5c5b44ff Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:106
  process.env.DEBUG = 'test6:client:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3317a38c7a702c9 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:107
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac49d48c87436f05 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:122
  process.env.DEBUG = 'test7:*:*,-test7:*:*:init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4564a6dc9a4cf2e7 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:123
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7523ab3f36c988e4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:138
  process.env.DEBUG = 'test8:*:*,-test8:*:*:init,-test8:pool:*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f93fd6284127f06d Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:139
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2544d3b14584033 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:153
  process.env.DEBUG = 'test9:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c0d47708fe8ee51 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:154
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #04b877528ecb443f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:169
  process.env.DEBUG = 'test10:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aaebfa8600843c37 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:170
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8cbe4b3b54f202c Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:195
  process.env.DEBUG = 'test11:client'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7c5b69d89663b32 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:196
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #85ffced1d509378f Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:210
  process.env.DEBUG = 'test12:client*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a82d406ed99a5f89 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:211
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c26f949981401a33 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:228
  process.env.DEBUG = 'test13:client*init'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #516eee983090b806 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:229
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f95161741a052e1a Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:249
  process.env.DEBUG = 'test14:*:query-engine:*,-*init,*:result'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5cd326541ef1b0eb Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:250
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0091de8e5ba162b4 Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:271
  process.env.DEBUG = 'test15:\\w+'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #379dd659c10be20b Environment-variable access.
repo/packages/debug/src/__tests__/debug.extended.test.ts:272
  process.env.DEBUG_COLORS = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29bb125e4d0cceef Environment-variable access.
repo/packages/debug/src/__tests__/env-disabled.test.ts:9
    process.env.DEBUG = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0ecac5bc31fd178 Environment-variable access.
repo/packages/debug/src/__tests__/env-enabled.test.ts:9
    process.env.DEBUG = 'my-namespace'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/engines

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #8f472c2c0878ebc3 Environment-variable access.
repo/packages/engines/src/index.ts:26
  const binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75552f76d01b4442 Environment-variable access.
repo/packages/engines/src/index.ts:27
    ? (process.env.PRISMA_CLI_BINARY_TARGETS.split(',') as BinaryTarget[])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #417c49d700f4354c Filesystem access.
repo/packages/engines/src/scripts/localinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #573e2c0b1054dcf0 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29541769d35b15a4 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:16
  if (fs.existsSync(lockFile) && parseInt(fs.readFileSync(lockFile, 'utf-8'), 10) > Date.now() - 20_000) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02eae005853a1a4a Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:21
    if (process.env.PRISMA_CLI_BINARY_TARGETS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #152a2f7f1fcff2da Environment-variable access.
repo/packages/engines/src/scripts/postinstall.ts:22
      binaryTargets = process.env.PRISMA_CLI_BINARY_TARGETS.split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b9d78813d767778 Filesystem access.
repo/packages/engines/src/scripts/postinstall.ts:43
  fs.writeFileSync(lockFile, Date.now().toString())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/fetch-engine

npm first-party
expand_more 28 low-confidence finding(s)
low env_fs test-only #3c34441d1de70477 Environment-variable access.
repo/packages/fetch-engine/src/__tests__/download.test.ts:25
const usesCustomEngines = process.env.PRISMA_SCHEMA_ENGINE_BINARY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19ec3a6d679f96ca Environment-variable access.
repo/packages/fetch-engine/src/download.ts:119
  if (process.env.BINARY_DOWNLOAD_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02122cb3d3ab76cc Environment-variable access.
repo/packages/fetch-engine/src/download.ts:120
    debug(`process.env.BINARY_DOWNLOAD_VERSION is set to "${process.env.BINARY_DOWNLOAD_VERSION}"`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4472cf716ead28b8 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:121
    opts.version = process.env.BINARY_DOWNLOAD_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5142d5500969eeff Filesystem access.
repo/packages/fetch-engine/src/download.ts:274
      const sha256File = await fs.promises.readFile(sha256FilePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2a71f71d3a33b03 Environment-variable access.
repo/packages/fetch-engine/src/download.ts:295
    } else if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e082e1922a24b638 Filesystem access.
repo/packages/fetch-engine/src/download.ts:441
      await fs.promises.writeFile(cachedSha256Path, sha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b45d31f7f5256a4c Filesystem access.
repo/packages/fetch-engine/src/download.ts:444
      await fs.promises.writeFile(cachedSha256ZippedPath, zippedSha256)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d7bfc45894f143a Filesystem access.
repo/packages/fetch-engine/src/download.ts:460
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d90875eb748258c Filesystem access.
repo/packages/fetch-engine/src/download.ts:461
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #366d8289bffb3a56 Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:32
      if (!process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc8ac2fa34639be Environment-variable access.
repo/packages/fetch-engine/src/downloadZip.ts:49
    if (process.env.PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd7a044ebb35a702 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:27
  if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1cdd1ab19ff64293 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:28
    const envVarPath = path.resolve(process.cwd(), process.env[envVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64bc6e6a629d0ce6 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:31
        `Env var ${bold(envVar)} is provided but provided path ${underline(process.env[envVar]!)} can't be resolved.`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #155eca8eea778fff Environment-variable access.
repo/packages/fetch-engine/src/env.ts:36
        process.env[envVar]!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #185d82653e6b0f35 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:52
  if (deprecatedEnvVar && process.env[deprecatedEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #019c641602135d94 Environment-variable access.
repo/packages/fetch-engine/src/env.ts:53
    if (process.env[envVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0ded332b7cb5b52 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:54
  const noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f29e67a19568597 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:70
    const httpProxy = process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1284779868291e8 Environment-variable access.
repo/packages/fetch-engine/src/getProxyAgent.ts:77
      process.env.HTTPS_PROXY || process.env.https_proxy || process.env.HTTP_PROXY || process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df605723cee70cac Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:18
    if (process.env.APPDATA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7ffa62bb37e40de Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:19
      return path.join(process.env.APPDATA, 'Prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a131e0231df38961 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:23
  if (process.env.AWS_LAMBDA_FUNCTION_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #743fd10bac3e48cb Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:31
  return process.env.XDG_CACHE_HOME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87906092143bec11 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:32
    ? path.join(process.env.XDG_CACHE_HOME, 'prisma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b4209eded876788 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:68
    process.env.PRISMA_BINARIES_MIRROR || // TODO: remove this

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4954b26f5c92a63 Environment-variable access.
repo/packages/fetch-engine/src/utils.ts:69
    process.env.PRISMA_ENGINES_MIRROR ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/get-dmmf

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #bb7942e755780557 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:32
    noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #660e3436e68d62a9 Environment-variable access.
repo/packages/get-dmmf/src/index.ts:37
    if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/get-platform

npm first-party
expand_more 7 low-confidence finding(s)
low env_fs production #11f5c228b9d5bfd7 Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:3
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c23653a8e99363dd Filesystem access.
repo/packages/get-platform/src/getPlatform.ts:232
    const osReleaseInput = await fs.readFile(osReleaseFile, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f85a24482550be74 Environment-variable access.
repo/packages/get-platform/src/logger.ts:7
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #329a693d41c19400 Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:37
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5781cdd469eb825f Environment-variable access.
repo/packages/get-platform/src/test-utils/jestSnapshotSerializer.js:38
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81762d28e87e84eb Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:38
  if (process.env.TEMP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff6295978913dc9d Environment-variable access.
repo/packages/get-platform/src/test-utils/vitest-snapshot-serializer.ts:39
    const escapedPath = process.env.TEMP.replaceAll('\\', '\\\\')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/instrumentation

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #9e4bbf6d1f3e80b3 Environment-variable access.
repo/packages/instrumentation/src/ActiveTracingHelper.ts:21
const showAllTraces = process.env.PRISMA_SHOW_ALL_TRACES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/integration-tests

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs test-only #69ada53262e47d9b Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mariadb/__database.ts:35
  const connectionString = process.env.TEST_MARIADB_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #047043c374fc3a2e Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mssql/__database.ts:34
  const serviceConnectionString = process.env.TEST_MSSQL_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #46729195c24ccab1 Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/mysql/__database.ts:34
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests', ctx.id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca1886d65067171e Environment-variable access.
repo/packages/integration-tests/src/__tests__/integration/postgresql/__database.ts:28
  return process.env.TEST_POSTGRES_URI + `?schema=${ctx.id}&connection_limit=1`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/internals

npm first-party
expand_more 98 low-confidence finding(s)
low env_fs production #e0bd09b5ea6b1bd4 Filesystem access.
repo/packages/internals/helpers/build.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c911e4a2be86e62d Filesystem access.
repo/packages/internals/src/WasmSchemaEngineLoader.ts:10
  const schemaEngineWasmFileBytes = await fs.readFile(schemaEngineWasmFilePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe46f4a986b23389 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/formatSchema.test.ts:12
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7868b04c0d1431b6 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getConfig.test.ts:64
    process.env.TEST_POSTGRES_URI_FOR_DATASOURCE = 'postgres://user:password@something:5432/db'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e07c80d5223784c8 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6f5dcb51a088efc Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:19
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ced5847046138829 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:21
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2400900a45d84a02 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:26
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5d6a67fb74dab291 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:41
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bacd6e9fe3bf1775 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:42
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba66f4c2c59883fd Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:43
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67bf40f53b92324a Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:83
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66e802f4e66d8c0c Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:528
      const file = await fs.promises.readFile(path.join(fixturesPath, 'chinook.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d2b1112a7a3fcaa8 Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:537
      const file = await fs.promises.readFile(path.join(fixturesPath, 'odoo.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcecc65872819cee Filesystem access.
repo/packages/internals/src/__tests__/engine-commands/getDmmf.test.ts:546
      const file = await fs.promises.readFile(path.join(fixturesPath, 'bigschema.prisma'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0946a5510c86f2b1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/getEngineVersion.test.ts:9
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)('Schema Engine', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #232fdc4f128012d9 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:15
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d99572f05dc91c7 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:21
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3d3cb681ea13678 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:23
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0efc9dbfb78e94d2 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:29
  testTimeout: process.env.CI ? 60_000 : 10_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06002db81e76b0f1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:42
      delete process.env.NO_COLOR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d41b7838a40f196 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:43
      process.env.FORCE_COLOR = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55a52cc234bca2d1 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:44
      process.env.CI = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e561cf7e82282659 Environment-variable access.
repo/packages/internals/src/__tests__/engine-commands/validate.test.ts:85
      process.env.NO_COLOR = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa592940f1606eda Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:16
  testTimeout: process.env.CI ? 60_000 : 20_000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9a58d16e96d7aa2 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:52
    delete process.env.BINARY_TARGETS_ENV_VAR_TEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e85e4b3fc05efa35 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:212
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '"native"'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #544a578304c44c0a Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:295
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["native"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f758ba285ab45493 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:378
    process.env.BINARY_TARGETS_ENV_VAR_TEST =

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abea2062f7c7a171 Environment-variable access.
repo/packages/internals/src/__tests__/getGenerators/getGenerators.test.ts:477
    process.env.BINARY_TARGETS_ENV_VAR_TEST = '["linux-musl"]'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc42412196c33f5c Environment-variable access.
repo/packages/internals/src/__tests__/getPackedPackage.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12eb2e8c14f3c8ec Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:9
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ea4799475f3d148 Environment-variable access.
repo/packages/internals/src/__tests__/getSchema.test.ts:15
process.env.npm_config_user_agent = 'yarn/1.22.4 npm/? node/v12.18.3 darwin x64'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #526c04ab20c5fe17 Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:51
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c83793a59deb2bf Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:57
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1dc2caa7338ddca Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:59
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1425d0f23db61bca Environment-variable access.
repo/packages/internals/src/__tests__/handlePanic.test.ts:76
    process.env.GITHUB_ACTIONS = 'true' // simulate CI environment

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9457dc0bd3eb405a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:8
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef9556de6a330fd3 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:69
  testIf(!process.env.PRISMA_SCHEMA_ENGINE_BINARY)(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c023c7ac9c03cdf2 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:85
    const uri = process.env.TEST_POSTGRES_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9790951ab9524ee Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:105
    const uri = process.env.TEST_POSTGRES_URI!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a6b93a9918b1018 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:113
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acd7a86311dd5b11 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:124
    const uri = process.env.TEST_MYSQL_URI!.replace('tests', 'tests-createDatabase-already-exists')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82003acbc24bb380 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:136
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - create database', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca86be674629f419 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:137
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #856b948cc538542c Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:140
    const connectionString = process.env.TEST_MSSQL_JDBC_URI.replace(/database=(.*?);/, 'database=can-create-a-db;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #274a486032702f5a Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:147
  testIf(!process.env.TEST_SKIP_MSSQL)('sqlserver - database already exists', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d86acaa5fd7dcd8c Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:148
    if (!process.env.TEST_MSSQL_JDBC_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4fbd5c16100d523 Environment-variable access.
repo/packages/internals/src/__tests__/schemaEngineCommands.test.ts:151
    const connectionString = process.env.TEST_MSSQL_JDBC_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f00f662fad0531e8 Filesystem access.
repo/packages/internals/src/cli/getSchema.ts:10
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e55398c4bfe4bfb Environment-variable access.
repo/packages/internals/src/engine-commands/formatSchema.ts:17
  if (process.env.FORCE_PANIC_PRISMA_SCHEMA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8152818135140be1 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:78
        if (process.env.FORCE_PANIC_GET_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b0584834618b9b3 Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:172
    if (binaryTarget.fromEnvVar && process.env[binaryTarget.fromEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72b27c2ebe44c75a Environment-variable access.
repo/packages/internals/src/engine-commands/getConfig.ts:173
      const value = JSON.parse(process.env[binaryTarget.fromEnvVar]!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f781286988269467 Filesystem access.
repo/packages/internals/src/engine-commands/queryEngineCommons.ts:4
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41f368f8c3448eea Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:58
        if (process.env.FORCE_PANIC_GET_DMMF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #809fec450c98d31e Environment-variable access.
repo/packages/internals/src/engine-commands/validate.ts:65
          noColor: Boolean(process.env.NO_COLOR),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #38d2b9336dd3af66 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/internals/src/errorReporting.ts:69
  return await fetch(url, {
    method: 'POST',
    agent: getProxyAgent(url),
    body,
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #63f2db5493cac5ea Environment-variable access.
repo/packages/internals/src/get-generators/utils/getBinaryPathsByVersion.ts:46
    if (process.env.NETLIFY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36e05e67fe916def Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:2
import fs, { readFileSync } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bea1fdd17ba3ce5f Filesystem access.
repo/packages/internals/src/getPackedPackage.ts:16
      const pkgJson = JSON.parse(readFileSync(pkgPath, { encoding: 'utf-8' }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb2ccf67720ed3aa Environment-variable access.
repo/packages/internals/src/logger.ts:10
  warn: () => !process.env.PRISMA_DISABLE_WARNINGS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5443df3167eee7a Filesystem access.
repo/packages/internals/src/resolveBinary.ts:5
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8388830727a343f Filesystem access.
repo/packages/internals/src/resolveBinary.ts:88
    const data = await fs.promises.readFile(file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd1fa1674dad451f Filesystem access.
repo/packages/internals/src/resolveBinary.ts:89
    await fs.promises.writeFile(target, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dadfe09678466401 Filesystem access.
repo/packages/internals/src/resolveOutput.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2459e97a3cda8ca Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:188
          RUST_BACKTRACE: process.env.RUST_BACKTRACE ?? '1',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c3a77f007817af0 Environment-variable access.
repo/packages/internals/src/schemaEngineCommands.ts:189
          RUST_LOG: process.env.RUST_LOG ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c8b5412ff132ca7 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:11
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d1fb72df647af5a Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:17
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbaab6a55659273b Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:19
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e34378b754bc95ef Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:36
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a4373f4be070efa Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:37
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #951d08397a55ae75 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:48
      delete process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9deec4f9e10434f9 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:49
      delete process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d1eb6dc07b1f132 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:54
      process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a61e4993d4573244 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isCi.test.ts:59
      process.env.GITHUB_ACTIONS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa55ffd0ee2c660c Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:10
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #633089deac5a3024 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:16
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e65f3c5b02b2032a Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:18
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce5d669402792c80 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:38
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0fbe2374942f5d3 Environment-variable access.
repo/packages/internals/src/utils/__tests__/isInteractive.test.ts:50
      process.env.TERM = 'dumb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ebb1215a8d64743 Filesystem access.
repo/packages/internals/src/utils/chmodPlusX.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b50fc06337f0da28 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:4
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12ab1bba1bbc1380 Filesystem access.
repo/packages/internals/src/utils/fs-functional.ts:12
  TE.tryCatch(() => fsUtils.writeFile(params), createTaggedSystemError('fs-write-file', params))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62606e94d394dbfa Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:1
import fs from 'fs/promises'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40dce958a6676017 Filesystem access.
repo/packages/internals/src/utils/fs-utils.ts:21
  return fs.writeFile(path, content, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c95e47b820aa9576 Filesystem access.
repo/packages/internals/src/utils/isCurrentBinInstalledGlobally.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0900cd9c856a4dbe Environment-variable access.
repo/packages/internals/src/utils/isInContainer.ts:13
      process.env.KUBERNETES_SERVICE_HOST !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5015de73ddbad796 Environment-variable access.
repo/packages/internals/src/utils/isInNpmLifecycleHook.ts:5
  return process.env.npm_lifecycle_event !== undefined && process.env.npm_command !== 'run-script'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fe554a69090f9ec Environment-variable access.
repo/packages/internals/src/utils/isInteractive.ts:9
  return Boolean(stream && stream.isTTY && process.env.TERM !== 'dumb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a1c902acd7272d7 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:11
    process.env.GIT_EXEC_PATH !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44043587877f2837 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:12
    process.env.GIT_DIR !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3782e212dbab6a6 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:13
    process.env.GIT_INDEX_FILE !== undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50a03fbb85f4f1e5 Environment-variable access.
repo/packages/internals/src/utils/maybeInGitHook.ts:14
    process.env.GIT_PREFIX !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a642941cc967b6ee Environment-variable access.
repo/packages/internals/src/utils/parseAWSNodejsRuntimeEnvVarVersion.ts:2
  const runtimeEnvVar = process.env.AWS_LAMBDA_JS_RUNTIME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #210d446ee570c604 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:13
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82127b94f06c46c0 Environment-variable access.
repo/packages/internals/src/utils/parseEnvValue.ts:39
    const value = process.env[object.fromEnvVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/migrate

npm first-party
expand_more 156 low-confidence finding(s)
low env_fs production #ce2c83d57d61ab2f Environment-variable access.
repo/packages/migrate/src/SchemaEngineCLI.ts:514
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && request.method !== 'getDatabaseVersion') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c29d8090e07ab3f Environment-variable access.
repo/packages/migrate/src/SchemaEngineWasm.ts:86
    if (process.env.FORCE_PANIC_SCHEMA_ENGINE && command !== 'debugPanic') return this.debugPanic()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5908b94dada0f87f Environment-variable access.
repo/packages/migrate/src/__tests__/Baseline.test.ts:20
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0032ae2cf8699e94 Filesystem access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:124
    await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dab4cce5d863b27 Environment-variable access.
repo/packages/migrate/src/__tests__/DbDrop.test.ts:159
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #05cbdaa5d9962a6d Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:37
      fs.writeFileSync('script.sql', '-- noop')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afa287e6d6fdacb8 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:85
      fs.writeFileSync('script.js', 'Something for MongoDB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bfd872c47f799ce5 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:123
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #423f199c42ffbf46 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:131
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b78ae4f522b3d69b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:139
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58c9378a179cc323 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:156
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #570f74c004a5ffb0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:165
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c31e6778c9873f37 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:174
        fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0c1ca88a3a86a83 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:185
        fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dac6617f975de6c2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:203
        fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abbb1158d68feb99 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:216
      fs.writeFileSync('script.sql', 'DROP TABLE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c00929829af56b72 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:228
      fs.writeFileSync('script.sql', 'ThisisnotSQL,itshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa6e7e3a7037ef6a Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:239
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18f1668802c37d45 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:274
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #575f524447b48ef7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:282
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6ef872309cdb1f2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:290
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01744009992a8667 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:307
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #342e127a26f5f7ea Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:320
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d1dee78693b728f Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:339
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #292dd75e2682d7b9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:358
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6442e8ca23af275b Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:378
      if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c44efde476f17e8b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:382
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2683a899c6edd24 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:403
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0cfb365a969594e5 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:420
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #292ce1706c84693d Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:431
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d97463b17bfe2fcd Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:436
    const connectionString = (process.env.TEST_COCKROACH_URI_MIGRATE || '').replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67bef1f978245826 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:474
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3350e33c84e59ba0 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:482
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df7f6a4c7936f36e Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:490
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ff46d73a4bd0894 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:507
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cfb7fd372e7f2884 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:518
      fs.writeFileSync(
        'script.sql',
        `-- Drop & Create & Drop
      DROP DATABASE IF EXISTS "test-dbexecute";
      CREATE DATABASE "test-dbexecute";
      DROP DATABASE "test-dbexecute";`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e3f4d1e7f1e8955 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:536
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #532be04047f3f58b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:555
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b243c8ef56ad141 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:574
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a83cef71a47d462 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:594
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #39a4fb766794f10c Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:608
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-execute')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #895b01cf18783df6 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:643
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2ce2147bc9d4fda Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:651
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0728b2bf137fe5b Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:660
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4973f151efe8e603 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:672
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
START TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19af074d9a03e862 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:690
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc60e90f45b85061 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:708
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3e61e9078bfa7cc Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:727
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29a98cebfb70f118 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:747
      fs.writeFileSync('script.sql', 'DROP DATABASE `test-doesnotexists`;')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b7a8637f1f969400 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:759
      fs.writeFileSync('script.sql', 'This is not SQL, it should fail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f60e8e4933fbb09f Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:770
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4b761999fed69c7 Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:774
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2b9f06e65b9a45b Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:781
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #068951df54058acc Environment-variable access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:796
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb1ce329a2bf6bbe Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:817
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8969e39516e19324 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:825
      fs.writeFileSync('script.sql', sqlScript)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb110930572ea2ea Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:833
      fs.writeFileSync('script.sql', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0eb9de159a2e9bb Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:841
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

SELECT 1

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb95855a48f5d1f7 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:860
      fs.writeFileSync(
        'script.sql',
        `-- start a transaction
BEGIN TRANSACTION;

${sqlScript}

-- commit changes
COMMIT;`,
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bddc3f6aa9ad27a2 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:882
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1de1b50ce293b614 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:903
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1a886cac273afc9 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:922
      fs.writeFileSync('script.sql', '-- empty')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b9a143070fc25be Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:944
      fs.writeFileSync('script.sql', 'DROP DATABASE "test-doesnotexists";')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47d692f8d9061051 Filesystem access.
repo/packages/migrate/src/__tests__/DbExecute.test.ts:956
      fs.writeFileSync('script.sql', 'ThisisnotSQLitshouldfail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #101e37cf11d00c16 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26b5c022a0f1c3fa Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:16
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc9c9ad2b43c41d5 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/cockroachdb.test.ts:19
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4ad8d9212df8c4c Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mongodb.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #099847dc7c1749da Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ba30a2a2a17e8347 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:17
  const connectionString = process.env.TEST_MYSQL_URI!.replace('tests-migrate', 'tests-migrate-db-pull-mysql')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8be8bdd06ab562b Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/mysql.test.ts:20
    connectionString: process.env.TEST_MYSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2da90652d925d072 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5116854b75d79c2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-extensions.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d56671f9f2f56530 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a27298480634877 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-missing-database.test.ts:13
  const defaultConnectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #56e702e93430d0f6 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0c62e54538804953 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-multischema.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7cf4f9d64a8bbcf1 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:10
if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10bc6430f44fe147 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql-views.test.ts:19
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7c245a074e2a6c9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:8
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bee09d0d9ca07572 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/postgresql.test.ts:16
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4fa71e638735afcf Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/schema-folder.test.ts:4
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f4abe9af1dc03d32 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlite.test.ts:5
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6518d44fbf978dc2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:9
const isMacOrWindowsCI = Boolean(process.env.CI) && ['darwin', 'win32'].includes(process.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f9b0e6732c5303e Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:33
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6fd4898aba65c107 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:36
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c71ff7fc146686e Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:42
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd8e9becfdf59358 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:58
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c820dcb64c79dc9 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:59
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a076ea67cf4a4497 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:97
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86a3fc26052ec8de Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:104
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_URI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8b4f0ff2f316726 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:107
  if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59ca7dbfa745c178 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:114
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3da1cfeec646987d Environment-variable access.
repo/packages/migrate/src/__tests__/DbPull/sqlserver.test.ts:131
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c3770a1a0919121 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:14
  const inDockerIt = process.env.TEST_NO_DOCKER ? it.skip : it

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #218b4029b5c8fccb Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:107
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68b15655dfdcb84f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:227
    process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #420d1a5a6ef81c14 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:273
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-db-push')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e0fbda133f51424 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:338
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b20eae972a8be2f Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:388
  if (!process.env.TEST_SKIP_MONGODB && !process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0aabd0ff912f4ac2 Environment-variable access.
repo/packages/migrate/src/__tests__/DbPush.test.ts:392
    connectionString: process.env.TEST_MONGO_URI_MIGRATE_EXISTING_DB!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c47738ce7ef0b72b Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDeploy.test.ts:179
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-deploy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c69eba049596867 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:32
  process.env.GITHUB_ACTIONS = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc02677eb56d8a4f Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:834
  const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #521460c4e9728213 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1181
  testIf(!process.env.CI || process.platform !== 'darwin')('external tables', async () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32ac7a32e78ac6a4 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1246
  if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9d10a002691424d Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1249
  const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c5c3babea4207c30 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1414
  const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!.replace('tests-migrate', 'tests-migrate-dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12359b6579ace55e Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1601
  if (process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0908bd70611e96b Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1610
    connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5b54b433f9e9488 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1625
    const url = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!.replace('tests-migrate', databaseName)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #597cdd6f7dbbf51c Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDev.test.ts:1626
    const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b42bbd4043e461b Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:490
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9905ea4b4b3bc6e2 Filesystem access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:508
        await fs.writeFile(path.join(ctx.configDir(), 'dev.db'), '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f25c0c672b759a68 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:693
    if (!process.env.TEST_SKIP_COCKROACHDB && !process.env.TEST_COCKROACH_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1fbb54799d8bf92 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:696
    const connectionString = process.env.TEST_COCKROACH_URI_MIGRATE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a27dd6be1b727cb Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:745
    const connectionString = process.env.TEST_POSTGRES_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e2ae0f20129d20f Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:804
    const connectionString = process.env.TEST_MYSQL_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #181b82bc8e1058cc Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:854
    if (!process.env.TEST_SKIP_MSSQL && !process.env.TEST_MSSQL_JDBC_URI_MIGRATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #393e413bff15fdd9 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:858
    const jdbcConnectionString = process.env.TEST_MSSQL_JDBC_URI_MIGRATE!

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f83f7120ac5103ce Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:861
      connectionString: process.env.TEST_MSSQL_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75f1d0cbacf264f3 Environment-variable access.
repo/packages/migrate/src/__tests__/MigrateDiff.test.ts:876
      const shadowDatabaseUrl = process.env.TEST_MSSQL_SHADOWDB_JDBC_URI_MIGRATE?.replace(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #25ba4111c5823cd3 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:90
  if (matrix.providers.cockroachdb && process.env.TEST_SKIP_COCKROACHDB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d4406f760a9ec4c Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:91
  if (matrix.providers.sqlserver && process.env.TEST_SKIP_MSSQL) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51514fbb11045605 Environment-variable access.
repo/packages/migrate/src/__tests__/__helpers__/conditionalTests.ts:92
  if (matrix.providers.mongodb && process.env.TEST_SKIP_MONGODB) return skip(name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec47409f8065c58e Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.introspect.test.ts:11
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe1d567a048219c1 Environment-variable access.
repo/packages/migrate/src/__tests__/handlePanic.migrate.test.ts:17
    process.env.FORCE_PANIC_SCHEMA_ENGINE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c00abe4bf34d052 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1362660866bd0bf4 Filesystem access.
repo/packages/migrate/src/__tests__/introspection/introspection.test.ts:14
  const schemaContent = await fs.promises.readFile(schemaPath, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #94c4cd388ded9404 Environment-variable access.
repo/packages/migrate/src/__tests__/rpc.test.ts:502
        url: process.env.TEST_POSTGRES_URI!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb0ed8e579ac1d46 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:7
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71beed0a7d74a137 Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:13
      delete process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2359a1dd7ce1552f Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:15
      process.env[key] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36540733eafbe20f Environment-variable access.
repo/packages/migrate/src/__tests__/setup.ts:24
  process.env.CI = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b14564f941278415 Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:14
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beb27911e3e9b683 Filesystem access.
repo/packages/migrate/src/commands/DbExecute.ts:118
        script = fs.readFileSync(path.resolve(args['--file']), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e723bdde4a26252 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:42
  if (process.env[userConsentEnvVar]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f5908eecf23cc65 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:52
    'Claude Code': process.env.CLAUDECODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c10aa437094f556b Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:53
    'Gemini CLI or Qwen Code': process.env.GEMINI_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #689773250c258af9 Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:54
    Cursor: process.env.CURSOR_AGENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a262b7ee6a3c43a Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:55
    Aider: process.env.OR_APP_NAME === 'Aider',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1320a380418d2bb Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:56
    Replit: process.env.REPLIT_CLI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac4fac7608d298f Environment-variable access.
repo/packages/migrate/src/utils/ai-safety.ts:57
    'Codex CLI': process.env.CODEX_SANDBOX === 'seatbelt',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #476bd8194eb37886 Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:36
  await fs.promises.writeFile(path.join(baseDir, migrationName, `migration.${extension}`), script, {
    encoding: 'utf-8',
  })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbfe64d85b44bfef Filesystem access.
repo/packages/migrate/src/utils/createMigration.ts:52
  await fs.promises.writeFile(path.join(baseDir, lockfile.path), lockfileContent, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #256c2dc4f5069dc8 Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:21
  const lockfileContent = await fs
    .readFile(path.join(migrationsDirectoryPath, lockfileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ed4227ab7ac2dfc Filesystem access.
repo/packages/migrate/src/utils/listMigrations.ts:56
    const migrationFileContent = await fs
      .readFile(path.join(migrationPath, migrationFileName), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48f763272a332e6d Filesystem access.
repo/packages/migrate/src/utils/saveSchemaFiles.ts:6
  await Promise.all(schemas.files.map((file) => fs.writeFile(file.path, file.content, 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0af77b2d4fea9070 Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be7302d449afcb1a Filesystem access.
repo/packages/migrate/src/utils/setupCockroach.ts:28
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59a71fa278e2a85b Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cebf538614d88f8 Filesystem access.
repo/packages/migrate/src/utils/setupMSSQL.ts:46
    schema += fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42ec27097eaac5e5 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #182a148e9db96c20 Filesystem access.
repo/packages/migrate/src/utils/setupMysql.ts:42
    await db.query(fs.readFileSync(path.join(dirname, 'setup.sql'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6f7044a1a02a838 Filesystem access.
repo/packages/migrate/src/utils/setupPostgres.ts:29
    const migrationScript = await fs.readFile(path.join(dirname, 'setup.sql'), { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7068b883ed9deae6 Environment-variable access.
repo/packages/migrate/src/utils/test-SchemaEngineCommands.ts:12
  const result = await canConnectToDatabase(process.env.TEST_CONNECTION_STRING!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/query-plan-executor

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #268daede48996aed Environment-variable access.
repo/packages/query-plan-executor/examples/server.ts:12
  const databaseUrl = process.env.TEST_POSTGRES_URI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/schema-files-loader

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #8621d4d05167ca00 Filesystem access.
repo/packages/schema-files-loader/src/resolver/realFsResolver.ts:26
    return fs.readFile(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf082295f02007a6 Filesystem access.
repo/packages/schema-files-loader/src/testUtils.ts:16
  return [filePath, fs.readFileSync(filePath, 'utf8')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/type-benchmark-tests

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #2a993abf75b14e8d Environment-variable access.
repo/packages/type-benchmark-tests/huge-schema/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ded3172ecf6315f Environment-variable access.
repo/packages/type-benchmark-tests/lots-of-relations/prisma.config.ts:5
    url: process.env.DATABASE_URL!,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

wrangler

npm dependency
high pii_flow dependency Excluded from app score #bb9b5d5b0d2cb509 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306 · flow /tmp/closeopen-uqq8klfa/pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:293 → /tmp/closeopen-uqq8klfa/pkgs/npm/[email protected]/templates/startDevWorker/InspectorProxyWorker.ts:306
		const upgrade = await fetch(runtimeWebSocketUrl, {
			headers: {
				...this.proxyData.headers,
				Upgrade: "websocket",
			},
			signal: this.runtimeAbortController.signal,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #bc25899708c4db3a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223 · flow /tmp/closeopen-uqq8klfa/pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:215 → /tmp/closeopen-uqq8klfa/pkgs/npm/[email protected]/wrangler-dist/InspectorProxyWorker.js:223
    const upgrade = await fetch(runtimeWebSocketUrl, {
      headers: {
        ...this.proxyData.headers,
        Upgrade: "websocket"
      },
      signal: this.runtimeAbortController.signal
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

@eslint/eslintrc

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #697a635935c3843e Filesystem access.
pkgs/npm/@[email protected]/lib/config-array-factory.js:154
    return fs.readFileSync(filePath, "utf8").replace(/^\ufeff/u, "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@microsoft/api-extractor

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #b87f40e49daa260a Filesystem access.
pkgs/npm/@[email protected]/lib/analyzer/PackageMetadataManager.js:199
        node_core_library_1.FileSystem.writeFile(tsdocMetadataPath, fileContent, {
            convertLineEndings: newlineKind,
            ensureFolderExists: true
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffdbdb3b8082c67a Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:233
        node_core_library_1.FileSystem.writeFile(actualApiReportPath, actualApiReportContent, {
            ensureFolderExists: true,
            convertLineEndings: extractorConfig.newlineKind
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #520caad029ba50c1 Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:239
            const expectedApiReportContent = node_core_library_1.FileSystem.readFile(expectedApiReportPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #214ee0e120e7afae Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:252
                    node_core_library_1.FileSystem.writeFile(expectedApiReportPath, actualApiReportContent, {
                        ensureFolderExists: true,
                        convertLineEndings: extractorConfig.newlineKind
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf68ca767aa9bfc3 Filesystem access.
pkgs/npm/@[email protected]/lib/api/Extractor.js:283
                    node_core_library_1.FileSystem.writeFile(expectedApiReportPath, actualApiReportContent, {
                        convertLineEndings: extractorConfig.newlineKind
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4786d8c70cda8d9 Filesystem access.
pkgs/npm/@[email protected]/lib/collector/SourceMapper.js:91
                originalFileInfo.maxColumnForLine = node_core_library_1.FileSystem.readFile(mappedFilePath, {
                    convertLineEndings: node_core_library_1.NewlineKind.Lf
                })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5f31cba1b8cca77 Filesystem access.
pkgs/npm/@[email protected]/lib/generators/DtsRollupGenerator.js:90
        node_core_library_1.FileSystem.writeFile(dtsFilename, writer.toString(), {
            convertLineEndings: newlineKind,
            ensureFolderExists: true
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@neondatabase/serverless

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #594f559d379de82d Filesystem access.
pkgs/npm/@[email protected]/index.js:857
(t.ssl.cert=gr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=gr.readFileSync(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ae737edd2021aa Filesystem access.
pkgs/npm/@[email protected]/index.js:857
(t.ssl.cert=gr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=gr.readFileSync(
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=gr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #626186d261a90dfb Filesystem access.
pkgs/npm/@[email protected]/index.js:858
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=gr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e61bbefd3384d22 Filesystem access.
pkgs/npm/@[email protected]/index.mjs:857
(t.ssl.cert=mr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=mr.readFileSync(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d82bef8b6cf609e Filesystem access.
pkgs/npm/@[email protected]/index.mjs:857
(t.ssl.cert=mr.readFileSync(t.sslcert).toString()),t.sslkey&&(t.ssl.key=mr.readFileSync(
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=mr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db53c3e1804a6724 Filesystem access.
pkgs/npm/@[email protected]/index.mjs:858
t.sslkey).toString()),t.sslrootcert&&(t.ssl.ca=mr.readFileSync(t.sslrootcert).toString()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@prisma/prisma-schema-wasm

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #66a9f05afccb2349 Filesystem access.
pkgs/npm/@prisma__prisma-schema-wasm@7.8.0-6.3c6e192761c0362d496ed980de936e2f3cebcd3a/src/prisma_schema_build.js:535
const wasmBytes = require('fs').readFileSync(wasmPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@swc/core

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #c8c1ef8c5059bafd Filesystem access.
pkgs/npm/@[email protected]/binding.js:5
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaf222fc7f4b03c9 Filesystem access.
pkgs/npm/@[email protected]/binding.js:28
    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44c1776f52493aaa Environment-variable access.
pkgs/npm/@[email protected]/binding.js:304
if (!nativeBinding || process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45e740b4f9c17921 Environment-variable access.
pkgs/npm/@[email protected]/binding.js:308
    if (process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58e573da7a0bad0d Environment-variable access.
pkgs/npm/@[email protected]/binding.js:316
      if (process.env.NAPI_RS_FORCE_WASI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08611b706dcdf431 Environment-variable access.
pkgs/npm/@[email protected]/index.js:54
const bindingsOverride = process.env["SWC_BINARY_PATH"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bef2fb239c82cc55 Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:41
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c12178f6ff2c51b Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:45
const fs = __importStar(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63e1cfb8eb3c554d Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:69
        const { name } = require(path.resolve(process.env.INIT_CWD, "package.json"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f30d502beeacdf74 Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:100
    if (!!process.env["SWC_BINARY_PATH"]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fc3ed4e6a9d8f2d Filesystem access.
pkgs/npm/@[email protected]/postinstall.js:122
        fs.writeFileSync(path.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #976b2f3567be9882 Environment-variable access.
pkgs/npm/@[email protected]/postinstall.js:128
        fs.renameSync(installedBinPath, path.resolve(process.env.INIT_CWD, "node_modules", `@swc/wasm`));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@swc/jest

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #d2929ad1064e4e0c Filesystem access.
pkgs/npm/@[email protected]/index.js:55
var fs = __importStar(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #726952ffb776a7b2 Filesystem access.
pkgs/npm/@[email protected]/index.js:106
        var options = (0, jsonc_parser_1.parse)(fs.readFileSync(swcrc, "utf-8"), errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/fs-extra

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #5592ba63933cac8a Filesystem access.
pkgs/npm/@[email protected]/index.d.ts:3
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chokidar

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #4b27f9a1a156111c Filesystem access.
pkgs/npm/[email protected]/esm/handler.d.ts:1
import type { WatchEventType, Stats, FSWatcher as NativeFsWatcher } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bddc864ce4a34ecf Filesystem access.
pkgs/npm/[email protected]/esm/handler.js:1
import { watchFile, unwatchFile, watch as fs_watch } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03ad54fa75e6f355 Filesystem access.
pkgs/npm/[email protected]/esm/handler.js:2
import { open, stat, lstat, realpath as fsrealpath } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28b36093a7b6bdb3 Filesystem access.
pkgs/npm/[email protected]/esm/index.d.ts:2
import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecef70e32866975b Filesystem access.
pkgs/npm/[email protected]/esm/index.js:2
import { stat as statcb } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18ae628b6f967b1b Filesystem access.
pkgs/npm/[email protected]/esm/index.js:3
import { stat, readdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d51138435bb7b5a9 Environment-variable access.
pkgs/npm/[email protected]/esm/index.js:260
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2543db551f2c9486 Environment-variable access.
pkgs/npm/[email protected]/esm/index.js:270
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44e41c4dcd9edf62 Filesystem access.
pkgs/npm/[email protected]/handler.d.ts:1
import type { WatchEventType, Stats, FSWatcher as NativeFsWatcher } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58e13cce8eaf8511 Filesystem access.
pkgs/npm/[email protected]/handler.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb85655a2472df6c Filesystem access.
pkgs/npm/[email protected]/index.d.ts:2
import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c0323bb7e6ceb5b Filesystem access.
pkgs/npm/[email protected]/index.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a943bb7cfc71426a Environment-variable access.
pkgs/npm/[email protected]/index.js:265
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac9d10459487dc83 Environment-variable access.
pkgs/npm/[email protected]/index.js:275
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #28e566b02a52af6d Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #770ca1a2115b96f0 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80461f72959c3baf Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07bc842d63320f00 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e033429e8b2ab83 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #576960bade814940 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5433458de917d4e7 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b06f0e1d2aa2652c Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #961741b03b4fbdeb Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4911bca65f8946fc Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65328e4bc764932b Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe97a076ebcb444c Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8248b616e9b4d3a Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #597edffa619cbec5 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:152
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #204876406548f48b Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:153
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efb4822a14457183 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:232
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a2cdb91770e622b Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:233
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a396da3a2bddedb Filesystem access.
pkgs/npm/[email protected]/lib/main.js:288
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv-cli

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #331a0663aadd9411 Environment-variable access.
pkgs/npm/[email protected]/cli.js:96
  let value = process.env[argv.p]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

esbuild

npm dependency
expand_more 21 low-confidence finding(s)
low env_fs dependency Excluded from app score #db52457b154aba82 Filesystem access.
pkgs/npm/[email protected]/install.js:26
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18c1a7c08f465afe Environment-variable access.
pkgs/npm/[email protected]/install.js:29
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df5dd14937f9e18a Filesystem access.
pkgs/npm/[email protected]/install.js:88
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #487e41db3c7ffd61 Filesystem access.
pkgs/npm/[email protected]/install.js:184
    fs2.writeFileSync(path2.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #120643af4ef175fb Filesystem access.
pkgs/npm/[email protected]/install.js:214
  fs2.writeFileSync(toPath, `#!/usr/bin/env node
require('child_process').execFileSync(${pathString}, process.argv.slice(2), { stdio: 'inherit' });
`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae1e6dee4de49da5 Filesystem access.
pkgs/npm/[email protected]/install.js:218
  const code = fs2.readFileSync(libMain, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4e2c7a7041835aa Filesystem access.
pkgs/npm/[email protected]/install.js:219
  fs2.writeFileSync(libMain, `var ESBUILD_BINARY_PATH = ${pathString};
${code}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a77927e9e695805 Filesystem access.
pkgs/npm/[email protected]/install.js:238
    fs2.writeFileSync(binPath, extractFileFromTarGzip(await fetch(url), subpath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c0504722013fce4 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:737
            fs3.readFile(response.code, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.code = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #995b7c7f8b21bd06 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:748
            fs3.readFile(response.map, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.map = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77c5da1f5c4c4a79 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:774
      start = () => fs3.writeFile(input, next);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22e6c7c280dbe90a Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1429
            contents = streamIn.readFileSync(match[1], "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #654c47e21f978264 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1592
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44332b7a0c6c431f Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1595
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce5ec0fb5189e9ae Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1785
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2d78a354117d445 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1789
if (process.env.ESBUILD_WORKER_THREADS !== "0") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bad4cc3250ea58b2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1827
      let contents = fs2.readFileSync(tempFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ce8be909433fd92 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1840
      fs2.writeFileSync(tempFile, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e707e145e911be0 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1850
      fs2.readFile(tempFile, "utf8", (err, contents) => {
        try {
          fs2.unlink(tempFile, () => callback(err, contents));
        } catch {
          callback(err, contents);
        }
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #356d965ebe4371b9 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1864
      fs2.writeFile(tempFile, contents, (err) => err !== null ? callback(null) : callback(tempFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b23a844531783f3 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2085
    maxBuffer: +process.env.ESBUILD_MAX_BUFFER || 16 * 1024 * 1024

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #60d2f87bfab2227c Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/cli-engine.js:736
            fs.writeFileSync(result.filePath, result.output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a99e09ed9b105f2 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/cli-engine.js:846
                text: fs.readFileSync(filePath, "utf8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97ca988a029b9342 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:149
            results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a02646b3e5cc1f3 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:560
                .map(r => fs.writeFile(r.filePath, r.output))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd4874ab221e4178 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:806
                return retrier.retry(() => fs.readFile(filePath, { encoding: "utf8", signal: controller.signal })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9b0487de429db52 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:1113
    return (process.env.ESLINT_USE_FLAT_CONFIG !== "false");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e95293b9a9bc0cc Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36d106ad6f77113e Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
    if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a276e7df72ebbd0 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
    if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f010db9d7b2d622 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
    const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-config-prettier

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #e011b0e113f396f9 Environment-variable access.
pkgs/npm/[email protected]/bin/cli.js:45
      switch (process.env.ESLINT_USE_FLAT_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e79dd57f0135cf0 Environment-variable access.
pkgs/npm/[email protected]/index.js:3
const includeDeprecated = !process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-import-x

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #2f73a8d3ecbf4a01 Filesystem access.
pkgs/npm/[email protected]/lib/rules/no-extraneous-dependencies.js:18
        return JSON.parse(node_fs_1.default.readFileSync(jsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d8a54a286dc6639 Filesystem access.
pkgs/npm/[email protected]/lib/utils/export-map.js:58
        const content = node_fs_1.default.readFileSync(filepath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f80438e981052d7 Filesystem access.
pkgs/npm/[email protected]/lib/utils/read-pkg-up.js:17
            pkg: JSON.parse(stripBOM(node_fs_1.default.readFileSync(fp, { encoding: 'utf8' }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-jest

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #7a8cdbfc9832d087 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:3
var _fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

execa

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a548f72676dbf532 Filesystem access.
pkgs/npm/[email protected]/lib/stream.js:19
	return readFileSync(inputFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fast-glob

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #f5952c9e483253fd Filesystem access.
pkgs/npm/[email protected]/out/readers/reader.d.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1169f1fd3836e74d Filesystem access.
pkgs/npm/[email protected]/out/settings.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f2e303eabdc92db Filesystem access.
pkgs/npm/[email protected]/out/utils/fs.d.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #b7662d52ab14d716 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e9674b619f8ab5d Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42fc237fc27e7274 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #592f2a02bbcd052e Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c673817e7ae1a894 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-jetpack

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #69c4d2b591c7a360 Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:100
  const data = fs.readFileSync(srcPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20d3818f60ec4d4c Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:102
    fs.writeFileSync(destPath, data, { mode, flag: "wx" });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea180e48fc4dbfd6 Filesystem access.
pkgs/npm/[email protected]/lib/copy.js:108
        fs.writeFileSync(destPath, data, { mode });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63b73f4e6f635e1a Filesystem access.
pkgs/npm/[email protected]/lib/inspect.js:88
  const data = fs.readFileSync(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc43e8c0fcda6150 Filesystem access.
pkgs/npm/[email protected]/lib/read.js:60
    data = fs.readFileSync(path, { encoding });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0725c5272565e13f Filesystem access.
pkgs/npm/[email protected]/lib/read.js:95
    fs.readFile(path, { encoding })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45ef94d718331e26 Filesystem access.
pkgs/npm/[email protected]/lib/streams.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3eb3ca446fe44a06 Filesystem access.
pkgs/npm/[email protected]/lib/utils/fs.js:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2798c414ab080f3a Filesystem access.
pkgs/npm/[email protected]/lib/utils/tree_walker.js:3
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #950b87a39aa13104 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:46
    fs.writeFileSync(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a06c1c02e65c613 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:51
      fs.writeFileSync(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08ca273c7cc9cc4a Filesystem access.
pkgs/npm/[email protected]/lib/write.js:84
    fs.writeFile(path, data, options)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c29d2ec7d5c1502 Filesystem access.
pkgs/npm/[email protected]/lib/write.js:94
              return fs.writeFile(path, data, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d63ef4ea949e74c1 Filesystem access.
pkgs/npm/[email protected]/types.d.ts:5
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

globby

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #2cdc649e2e112b46 Filesystem access.
pkgs/npm/[email protected]/gitignore.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b66c9dddd984a746 Filesystem access.
pkgs/npm/[email protected]/gitignore.js:78
	const content = fs.readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7935f10d1d0871a Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

graphviz-mit

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #cc27798648f6b24a Filesystem access.
pkgs/npm/[email protected]/lib/deps/core_ext/fs-ext.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72ae43d46346ccac Filesystem access.
pkgs/npm/[email protected]/lib/graphviz.js:4
var path = require('path'),
  spawn = require('child_process').spawn,
  temp = require('temp'),
  which = require('which'),
  fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64c9e75f9854eb02 Filesystem access.
pkgs/npm/[email protected]/lib/graphviz.js:8
  fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

husky

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #8851b5313f984ff5 Filesystem access.
pkgs/npm/[email protected]/bin.js:2
import f, { writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23f9633b6a832f2e Filesystem access.
pkgs/npm/[email protected]/bin.js:12
	s = f.readFileSync(n)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e95e6a6dcd4e1bf4 Filesystem access.
pkgs/npm/[email protected]/bin.js:15
	w(n, JSON.stringify(o, 0, /\t/.test(s) ? '\t' : 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5475b94e4408dc9a Filesystem access.
pkgs/npm/[email protected]/bin.js:18
	w('.husky/pre-commit', (p.env.npm_config_user_agent?.split('/')[0] ?? 'npm') + ' test\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c76ad372d0aa945b Filesystem access.
pkgs/npm/[email protected]/index.js:2
import f, { readdir, writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8443574fd76e7075 Environment-variable access.
pkgs/npm/[email protected]/index.js:9
	if (process.env.HUSKY === '0') return 'HUSKY=0 skip install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #502af11589b463d4 Filesystem access.
pkgs/npm/[email protected]/index.js:20
	w(_('.gitignore'), '*')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #678ae29aeb08f76c Filesystem access.
pkgs/npm/[email protected]/index.js:22
	l.forEach(h => w(_(h), `#!/usr/bin/env sh\n. "\$(dirname "\$0")/h"`, { mode: 0o755 }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f42cce472aa1bb86 Filesystem access.
pkgs/npm/[email protected]/index.js:23
	w(_('husky.sh'), msg)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jest-junit

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #7da40e9b2dff7ee9 Filesystem access.
pkgs/npm/[email protected]/index.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c19ed8c929acc85 Filesystem access.
pkgs/npm/[email protected]/index.js:38
  fs.writeFileSync(outputPath, xml(jsonResults, { indent: '  ', declaration: true }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9019f4a545707948 Filesystem access.
pkgs/npm/[email protected]/utils/buildJsonResults.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02e3a233fbaf23ff Filesystem access.
pkgs/npm/[email protected]/utils/getOptions.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f84083890e4d10f Environment-variable access.
pkgs/npm/[email protected]/utils/getOptions.js:15
    if (process.env[name]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dba9377339f8c58 Environment-variable access.
pkgs/npm/[email protected]/utils/getOptions.js:16
      options[constants.ENVIRONMENT_CONFIG_MAP[name]] = process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lint-staged

npm dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #ab1de35eb5c3bfe7 Environment-variable access.
pkgs/npm/[email protected]/bin/lint-staged.js:16
  process.env.FORCE_COLOR = supportsColor.level.toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca8320c06a048c7c Filesystem access.
pkgs/npm/[email protected]/lib/file.js:16
    return await fs.readFile(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #566f8391741d724a Filesystem access.
pkgs/npm/[email protected]/lib/file.js:52
  await fs.writeFile(filename, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #745d0f7a4e3191d5 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:134
      readFile(this.mergeHeadFilename).then((buffer) => (this.mergeHeadBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f3b1227033dd93a Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:135
      readFile(this.mergeModeFilename).then((buffer) => (this.mergeModeBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1978d471d72b781 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:136
      readFile(this.mergeMsgFilename).then((buffer) => (this.mergeMsgBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b271155a29ee81aa Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:148
        this.mergeHeadBuffer && writeFile(this.mergeHeadFilename, this.mergeHeadBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64520d3415750416 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:149
        this.mergeModeBuffer && writeFile(this.mergeModeFilename, this.mergeModeBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f113c5837896a750 Filesystem access.
pkgs/npm/[email protected]/lib/gitWorkflow.js:150
        this.mergeMsgBuffer && writeFile(this.mergeMsgFilename, this.mergeMsgBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4f4c1560002d2be Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:124
  debugLog('Unset GIT_LITERAL_PATHSPECS (was `%s`)', process.env.GIT_LITERAL_PATHSPECS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5720d327f9c2397 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:125
  delete process.env.GIT_LITERAL_PATHSPECS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56b7ca65223eebd8 Filesystem access.
pkgs/npm/[email protected]/lib/loadConfig.js:74
  return fs.readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c691642082ff016c Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:48
    debugLog('Unset GIT_DIR (was `%s`)', process.env.GIT_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #071a3aeb64e88099 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:49
    delete process.env.GIT_DIR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49d9ab9d78c04b98 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:50
    debugLog('Unset GIT_WORK_TREE (was `%s`)', process.env.GIT_WORK_TREE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f09d3bb7d8d7ad49 Environment-variable access.
pkgs/npm/[email protected]/lib/resolveGitRepo.js:51
    delete process.env.GIT_WORK_TREE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #871aa903b8a0a7dd Filesystem access.
pkgs/npm/[email protected]/lib/version.js:4
  const packageJson = JSON.parse(await fs.readFile(new URL('../package.json', import.meta.url)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mariadb

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #77d92eba4729bac8 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/caching-sha2-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f3e94712fb0705a Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/caching-sha2-password-auth.js:75
                  key = fs.readFileSync(key, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff4e31471bfb7034 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/sha256-password-auth.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73f048b568240920 Filesystem access.
pkgs/npm/[email protected]/lib/cmd/handshake/auth/sha256-password-auth.js:52
              key = fs.readFileSync(key, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d6988849db18a7c Filesystem access.
pkgs/npm/[email protected]/lib/cmd/parser.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a63f08ec832177f6 Environment-variable access.
pkgs/npm/[email protected]/lib/config/connection-options.js:30
    this.user = opts.user || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee467ac58482e060 Filesystem access.
pkgs/npm/[email protected]/lib/connection.js:35
const fsPromises = require('fs').promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #51f07d19c4bb16c2 Environment-variable access.
pkgs/npm/[email protected]/lib/packets/index.js:58
  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pg

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #155f1e7aba56407b Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:15
    envVar = process.env['PG' + key.toUpperCase()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe1f5dc31dddbf71 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:19
    envVar = process.env[envVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f69c0befa764db2e Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:26
  switch (process.env.PGSSLMODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f67fe53d2d521452 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:127
      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eebcf9fe292dafde Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28a29854a6ed7c26 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:41
  forceNative = !!process.env.NODE_PG_FORCE_NATIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postgres

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #e3c7e58939857035 Filesystem access.
pkgs/npm/[email protected]/cf/src/index.js:133
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97c7c46a5797681f Environment-variable access.
pkgs/npm/[email protected]/cf/src/index.js:565
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a80f329c246c74fe Filesystem access.
pkgs/npm/[email protected]/cjs/src/index.js:2
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eca507945b50867 Filesystem access.
pkgs/npm/[email protected]/cjs/src/index.js:132
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df4113b381d7d857 Environment-variable access.
pkgs/npm/[email protected]/cjs/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ffdad20b02888d4 Filesystem access.
pkgs/npm/[email protected]/src/index.js:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a44e922ab8f33cd Filesystem access.
pkgs/npm/[email protected]/src/index.js:132
        fs.readFile(path, 'utf8', (err, string) => {
          if (err)
            return query.reject(err)

          query.strings = [string]
          handler(query)
        })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53cc4a0a88b75b30 Environment-variable access.
pkgs/npm/[email protected]/src/index.js:564
    return process.env.USERNAME || process.env.USER || process.env.LOGNAME  // eslint-disable-line

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency
expand_more 72 low-confidence finding(s)
low env_fs dependency Excluded from app score #8904bbc785af48e3 Environment-variable access.
pkgs/npm/[email protected]/bin/prettier.cjs:66
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e43b459652a3698c Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5619
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a886e55f591a0e0 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6165
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #736a3a31eaa9ffbb Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6166
      process.env.TEST_PSEUDOMAP = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be04f2f03f17c525 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6167
    if (typeof Map === "function" && !process.env.TEST_PSEUDOMAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a89835ba00e2fcd Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6509
    var hasSymbol = typeof Symbol === "function" && process.env._nodeLRUCacheForceNoSymbol !== "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b689cb3c606a389 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7644
            fs4.readFile(file, "utf8", function(err, data) {
              if (err) {
                reject(err);
                return;
              }
              resolve3(parseString2(data));
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #427df1133db53ca7 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7657
      return parseString2(fs4.readFileSync(file, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2893e35419f3f69 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7993
              fs4.readFile(name, "utf8", function(err, data) {
                resolve3({
                  name,
                  contents: err ? "" : data
                });
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #618eb55cd63eb8b9 Filesystem access.
pkgs/npm/[email protected]/index.mjs:8009
          file = fs4.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3be92324015d2d01 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:8284
      return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : picocolors5.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a2c474194f7c52b Filesystem access.
pkgs/npm/[email protected]/index.mjs:10300
import * as fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b9a78400600a682 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12225
import fs2 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fbd958dca5a9e29 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12231
    return await fs2.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3b9fb30a79bd841 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12382
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c22d2963e169a7aa Filesystem access.
pkgs/npm/[email protected]/index.mjs:12392
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48689b14b3b767d2 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12744
    string = fs3.readFileSync(path6.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc55119d86bf0295 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:16787
      if (process.env.PRETTIER_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e0699ffe1646f8b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:12
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9a2f64de5d805db Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:395
  return dist_default.retry.readFile(timeout)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94608318365e8fa2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:510
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a9556251f2479ef Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:520
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11eb259a38eba674 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:872
    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ada2799456089ce Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1848
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ce79e3b920e329d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1925
          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af7b63f05e0487c3 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1931
          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8875562e86e3c92c Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:55
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96458376a4f48350 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:97
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dfea37549858fe2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:108
      const buffer2 = attempt(() => fs2.readFileSync(path17), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0a757ef08321d37 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:117
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73c779522b9a0221 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:615
import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23bb75c49d3411af Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:630
              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fedf77e36a0c07d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:636
              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f68d0bdf8c410948 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2563
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93bab15dfff6d7b5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2573
    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #408abe75ef34458a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2761
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac4bf537dd3c1452 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:3621
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c63c63a85e8268e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:4668
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37d721873070af10 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5612
import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f57a83dfdc91f089 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5638
          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a35b889b1cdca66 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5653
          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #511bf663abc3b599 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5669
          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ab666c4b8139687 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6237
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb6b473b96a76ad8 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6251
        return fs9.readFile(filePath, "utf8").then(parse_default).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4b13ca6a4e955d1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6574
import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e4c8b30aabc7b1d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6586
      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa22d9321a002f6e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11280
import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3b0a1eb41778c16 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11302
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #655028fd90ce63c5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11307
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f44b27b44f6b3a4 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11313
        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cface45337ae6df Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11329
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2784e22098969810 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11335
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f24ea1b05a57fc7c Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12191
import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5506162404b66d43 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12388
  return dist_default36.retry.readFile(timeout)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37ba7968258f3c90 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13152
import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8674146ec8a69c6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13220
  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c63f21186c916ca6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:13225
  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e28241c20caed647 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1190
import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fedbee2557a344ed Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1481
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a777b6889c2b060 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1690
import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b2afe40e24ed715 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1698
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd57cc28600a4b68 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1706
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03c71fb6d44ccacc Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1800
    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e64cc4a54d6a50dd Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1818
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #226448d3e6859e33 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1822
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8dc4720835af3b5 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1827
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66675537598231bf Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:2921
      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35bad0e4dba41f58 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3061
        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dab944f7613fb192 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3391
        const buffer = fs6.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5a5361d868ccad3 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3635
import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1c9c0eadda74ee2 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:3897
  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02a9a6a8edda5784 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4253
      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

resolve

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #8bf4db29589a6ad0 Filesystem access.
pkgs/npm/[email protected]/lib/async.js:1
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0194dd6544221ad3 Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:8
    var home = process.env.HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15def32df6e5fc3d Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:9
    var user = process.env.LOGNAME || process.env.USER || process.env.LNAME || process.env.USERNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f87f6d5a568e66fc Environment-variable access.
pkgs/npm/[email protected]/lib/homedir.js:12
        return process.env.USERPROFILE || process.env.HOMEDRIVE + process.env.HOMEPATH || home || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f234d707a6045f67 Filesystem access.
pkgs/npm/[email protected]/lib/sync.js:2
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

semver

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #9afa1ddcb34118e2 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:4
  process.env.NODE_DEBUG &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4b0714e5b53fd2a Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:5
  /\bsemver\b/i.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

size-limit

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #e0a0cde94001eee6 Filesystem access.
pkgs/npm/[email protected]/process-import.js:24
  await writeFile(entry, loader)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c364b142cbfc859e Filesystem access.
pkgs/npm/[email protected]/read-pkg-up.js:7
  return JSON.parse(await readFile(filePath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

staged-git-files

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #6157e0f0367b42a4 Filesystem access.
pkgs/npm/[email protected]/index.js:2
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #673bf543c857e312 Filesystem access.
pkgs/npm/[email protected]/index.js:91
    fs.readFile(sgf.cwd + "/" + filename, options, callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7015932383e7ea75 Filesystem access.
pkgs/npm/[email protected]/index.js:182
                    result.content = fs.readFileSync(sgf.cwd + "/" + result.filename, {
                        encoding: "utf8"
                    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tempy

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #abf24864c8ea00db Filesystem access.
pkgs/npm/[email protected]/index.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13a9a165265fa1ff Filesystem access.
pkgs/npm/[email protected]/index.js:66
	fs.writeFileSync(filename, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-node

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #f2301c88d5d896c3 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79e2bbf653e8829f Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:39
const {
  realpathSync,
  statSync,
  Stats,
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3729f8ffaba1addf Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:43
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0834292ad2dc9b97 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa75d0124cdb5d55 Filesystem access.
pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:13
    string = fs.readFileSync(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9da1cc99dbcf3396 Environment-variable access.
pkgs/npm/[email protected]/dist-raw/node-options.js:48
  const envArgv = ParseNodeOptionsEnvVar(process.env.NODE_OPTIONS || '', errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fad2772a7776ab4a Environment-variable access.
pkgs/npm/[email protected]/dist-raw/node-options.js:99
  if(process.env.NODE_PENDING_DEPRECATION === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #1101021619705ffa Filesystem access.
pkgs/npm/[email protected]/lib/cancellationToken.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #058ec1cf9bfafb91 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

undici

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #a58d2d564dfeb8f3 Environment-variable access.
pkgs/npm/[email protected]/lib/core/connect.js:21
if (global.FinalizationRegistry && !(process.env.NODE_V8_COVERAGE || process.env.UNDICI_NO_FG)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54fca504ec48321a Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:64
  const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b2bd313f5d5b044 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c58617a69a961b98 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #188e3c59cf0f578f Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:147
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a624230b2c275c2e Environment-variable access.
pkgs/npm/[email protected]/lib/mock/pending-interceptors-formatter.js:23
        colors: !disableColors && !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c00edeb9cc45d3f Environment-variable access.
pkgs/npm/[email protected]/lib/web/fetch/dispatcher-weakref.js:38
  if (process.env.NODE_V8_COVERAGE && process.version.startsWith('v18')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c4a6fb53f60b3fcc Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:7
  ? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7e9f17c83dbf2b86 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:8
  : readFileSync('./undici-fetch.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b5d02660adc37b44 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:10
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @prisma/debug prod — dist-only: no readable source
  • @prisma/driver-adapter-utils prod — dist-only: no readable source
  • c12 prod — dist-only: no readable source
  • deepmerge-ts prod — dist-only: no readable source
  • @prisma/dmmf prod — dist-only: no readable source
  • @planetscale/database prod — dist-only: no readable source
  • @prisma/client-common prod — dist-only: no readable source
  • @prisma/fetch-engine prod — dist-only: no readable source
  • @prisma/generator prod — dist-only: no readable source
  • @prisma/internals prod — dist-only: no readable source
  • @prisma/param-graph-builder prod — dist-only: no readable source
  • @prisma/ts-builders prod — dist-only: no readable source
  • get-tsconfig prod — dist-only: no readable source
  • ts-pattern prod — dist-only: no readable source
  • xdg-app-paths prod — dist-only: no readable source
  • @prisma/config prod — dist-only: no readable source
  • @prisma/dev prod — dist-only: no readable source
  • @prisma/studio-core prod — dist-only: no readable source
  • mssql prod — scan budget exceeded
  • pg-types prod — scan budget exceeded
  • @prisma/ppg prod — scan budget exceeded
  • @bugsnag/cuid prod — scan budget exceeded
  • @paralleldrive/cuid2 prod — scan budget exceeded
  • @prisma/client-runtime-utils prod — scan budget exceeded
  • @prisma/sqlcommenter prod — scan budget exceeded
  • @prisma/param-graph prod — scan budget exceeded
  • @prisma/json-protocol prod — scan budget exceeded
  • nanoid prod — scan budget exceeded
  • ulid prod — scan budget exceeded
  • uuid prod — scan budget exceeded
  • @ark/attest prod — scan budget exceeded
  • @prisma/adapter-d1 prod — scan budget exceeded
  • @prisma/adapter-neon prod — scan budget exceeded
  • @prisma/adapter-planetscale prod — scan budget exceeded
  • prisma prod — scan budget exceeded
  • @opentelemetry/instrumentation prod — scan budget exceeded
  • @prisma/client-generator-js prod — scan budget exceeded
  • @prisma/client-generator-ts prod — scan budget exceeded

Development

  • @slack/webhook dev — dist-only: no readable source
  • @typescript-eslint/parser dev — dist-only: no readable source
  • @typescript-eslint/utils dev — dist-only: no readable source
  • @vitest/coverage-v8 dev — dist-only: no readable source
  • batching-toposort dev — dist-only: no readable source
  • prettier2 dev — registry 404
  • spdx-exceptions dev — no javascript source
  • spdx-license-ids dev — no javascript source
  • tsx dev — dist-only: no readable source
  • turbo dev — no javascript source
  • @prisma/get-platform dev — dist-only: no readable source
  • @hono/node-server dev — dist-only: no readable source
  • @hono/zod-validator dev — dist-only: no readable source
  • @prisma/adapter-pg dev — dist-only: no readable source
  • @prisma/adapter-mariadb dev — dist-only: no readable source
  • @prisma/adapter-mssql dev — dist-only: no readable source
  • hono dev — dist-only: no readable source
  • @prisma/client-engine-runtime dev — dist-only: no readable source
  • @codspeed/benchmark.js-plugin dev — dist-only: no readable source
  • @inquirer/prompts dev — dist-only: no readable source
  • @modelcontextprotocol/sdk dev — dist-only: no readable source
  • @prisma/adapter-libsql dev — dist-only: no readable source
  • @prisma/client dev — tarball exceeds byte cap
  • @prisma/credentials-store dev — scan budget exceeded
  • @prisma/management-api-sdk dev — scan budget exceeded
  • @prisma/migrate dev — scan budget exceeded
  • @types/better-sqlite3 dev — scan budget exceeded
  • @types/react dev — scan budget exceeded
  • @types/react-dom dev — scan budget exceeded
  • async-listen dev — scan budget exceeded
  • better-sqlite3 dev — scan budget exceeded
  • checkpoint-client dev — scan budget exceeded
  • get-port-please dev — scan budget exceeded
  • jest dev — scan budget exceeded
  • line-replace dev — scan budget exceeded
  • log-update dev — scan budget exceeded
  • node-fetch dev — scan budget exceeded
  • npm-packlist dev — scan budget exceeded
  • ohash dev — scan budget exceeded
  • open dev — scan budget exceeded
  • openapi-fetch dev — scan budget exceeded
  • openapi-typescript dev — scan budget exceeded
  • ora dev — scan budget exceeded
  • pathe dev — scan budget exceeded
  • react dev — scan budget exceeded
  • react-dom dev — scan budget exceeded
  • resolve-pkg dev — scan budget exceeded
  • std-env dev — scan budget exceeded
  • strip-ansi dev — scan budget exceeded
  • webpack dev — scan budget exceeded
  • @types/mssql dev — scan budget exceeded
  • @prisma/get-dmmf dev — scan budget exceeded
  • @swc-node/register dev — scan budget exceeded
  • @types/cross-spawn dev — scan budget exceeded
  • cross-spawn dev — scan budget exceeded
  • fast-check dev — scan budget exceeded
  • @prisma/instrumentation-contract dev — scan budget exceeded
  • @faker-js/faker dev — scan budget exceeded
  • @fast-check/jest dev — scan budget exceeded
  • @jest/create-cache-key-function dev — scan budget exceeded
  • @jest/globals dev — scan budget exceeded
  • @jest/test-sequencer dev — scan budget exceeded
  • @opentelemetry/resources dev — scan budget exceeded
  • @opentelemetry/semantic-conventions dev — scan budget exceeded
  • @prisma/adapter-better-sqlite3 dev — scan budget exceeded
  • @prisma/generator-helper dev — scan budget exceeded
  • @prisma/client-generator-registry dev — dist-only: no readable source