Close Open Privacy Scan

bolt Snapshot: commit 2e254ac
science engine v1.5
schedule 2026-07-14T08:23:55.501526+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

smart_toy MCP server detected: @ai-sdk/anthropic, @ai-sdk/openai, @modelcontextprotocol/sdk, ai — detected in dependencies, not a safety judgment.

App Privacy Score

22 /100
High privacy risk — application leak confirmed

High risk · 464 finding(s)

Dependency score: 2 (High risk)

bar_chart Score Breakdown

pii_flow −60
egress −15
env_fs −3

list Scan Summary

66 high 2 medium 396 low
First-party packages: 1
Dependency packages: 16
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: aistudio.google.comapi-inference.huggingface.coapi.anthropic.comapi.bitbucket.orgapi.cerebras.aiapi.cohere.comapi.deepseek.comapi.fireworks.aiapi.github.comapi.groq.comapi.hyperbolic.xyzapi.mistral.aiapi.moonshot.aiapi.netlify.comapi.openai.comapi.perplexity.aiapi.supabase.comapi.together.xyzapi.vercel.comapi.x.aiapi.z.aiapp.hyperbolic.xyzapp.netlify.comapp.supabase.combitcoin.orgcdn.jsdelivr.netcdn.simpleicons.orgcircumicons.comcloud.cerebras.aiconsole.anthropic.comconsole.aws.amazon.comconsole.groq.comconsole.mistral.aicreativecommons.orgdashboard.cohere.comdate-fns.orgdeveloper.mozilla.orgdocs.x.aierikflowers.github.iofeathericons.comfireworks.aifontawesome.comfonts.googleapis.comfonts.gstatic.comgame-icons.netgenerativelanguage.googleapis.comgithub.comgitlab.comgoogle.github.iohuggingface.coicons.radix-ui.comicons8.comionicons.comjson-schema.orglmstudio.ailocalai.iolucide.devmcp.deepwiki.commodelcontextprotocol.iomodels.github.aimy-bucket.s3.amazonaws.comocticons.github.comollama.comopen.bigmodel.cnopenrouter.aiopensource.orgplatform.deepseek.complatform.moonshot.aiplatform.openai.comraw.githubusercontent.comreact-dnd.github.ioreact.devreactjs.orgs-ings.comscripts.sil.orgsimpleicons.orgstackblitz-labs.github.iostackblitz.comstuk.github.iosupabase.comsupport.bolt.newtest.openrouter.aithesabbir.github.iounpkg.comupload.wikimedia.orgvercel.comvorillaz.github.iowww.apache.orgwww.perplexity.aiwww.w3.orgwww.youtube.comyour-gitlab-instance.com

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:51 repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:72 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:111 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:137 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:159 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:197 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:211 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:246 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:275 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:288 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:323 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:337 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:379 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:412 repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:81 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:107 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:129 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:163 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:177 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:208 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:233 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:246 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:277 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:291 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:331 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:364 repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:68 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:150 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:214 repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:79 repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:30
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:53
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:32 repo/app/components/chat/VercelDeploymentLink.client.tsx:83
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:153 repo/app/components/deploy/NetlifyDeploy.client.tsx:177
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:78 repo/app/lib/hooks/useGitHubConnection.ts:75
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:226 repo/app/lib/hooks/useGitHubConnection.ts:223
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:95 repo/app/lib/hooks/useGitLabConnection.ts:92
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:216 repo/app/lib/hooks/useGitLabConnection.ts:213
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:54 repo/app/lib/services/githubApiService.ts:51
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:140 repo/app/lib/services/githubApiService.ts:137
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:168 repo/app/lib/services/githubApiService.ts:165
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:196 repo/app/lib/services/githubApiService.ts:193
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:32 repo/app/routes/api.github-branches.ts:71
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:32 repo/app/routes/api.github-branches.ts:95
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:26
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:50
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:18 repo/app/routes/api.github-stats.ts:79
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:17 repo/app/routes/api.github-user.ts:25
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:116
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:165
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:107 repo/app/routes/api.github-user.ts:211
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:15 repo/app/routes/api.netlify-user.ts:22
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:82 repo/app/routes/api.netlify-user.ts:90
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:15 repo/app/routes/api.supabase-user.ts:22
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:97 repo/app/routes/api.supabase-user.ts:105
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:97 repo/app/routes/api.supabase-user.ts:159
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:119
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:145
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:160
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:228
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:85 repo/app/routes/api.system.git-info.ts:274
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:15 repo/app/routes/api.vercel-user.ts:31
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:93 repo/app/routes/api.vercel-user.ts:110
hub Dependency data flows (3)
high @modelcontextprotocol/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245
high @modelcontextprotocol/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643
high @openrouter/ai-sdk-provider dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:18 pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:16

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #9ec4fe42204420a2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:51 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/gitlab/components/GitLabRepositorySelector.tsx:45
      const response = await fetch('/api/gitlab-projects', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          token: connection.token,
          gitlabUrl: connection.gitlabUrl || 'https://gitlab.com',
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1e307962a459fa74 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:72 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d4df4b91b3f84d3c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:111 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:109
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f304ec068eb06fd2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:137 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:134
            const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                clear_cache: true,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #463ee61f9b88a32d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:159 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:156
          const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #bf2b43dfc3146e1e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:197 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:195
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e67946dd5f7e4f28 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:211 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:209
          const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fd30226c032fcc38 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:246 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:243
          const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6498babcebee861b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:275 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:273
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c963e0ff9cda8b2a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:288 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:286
          const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d860a76ca46c6c1e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:323 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:321
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6da8f40b4bbb8da3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:337 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:335
          const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e4bb28b83c8c939d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:379 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:376
          const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            method: 'DELETE',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7bd44c79f0edc02a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:412 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:409
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f83b6521795ff8de User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:81 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:79
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f244f4b851c7fe1d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:107 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:104
            const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                clear_cache: true,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #811e08c247ec9d5f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:129 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:126
          const cacheResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/purge_cache`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fe69e2b149e80ae6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:163 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:161
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5d2c28f275a86425 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:177 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:175
          const envResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/env`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5a94fad060ccc4b9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:208 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:205
          const buildResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/builds`, {
            method: 'POST',
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #94364c7b5cb03170 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:233 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:231
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9c9e8e8fb3b0cc39 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:246 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:244
          const functionsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/functions`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e54709997e2c25e0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:277 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:275
          const siteResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c7bf8654b7728103 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:291 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:289
          const analyticsResponse = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}/traffic`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #95ef278c80eae2a6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:331 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:328
          const response = await fetch(`https://api.netlify.com/api/v1/sites/${siteId}`, {
            method: 'DELETE',
            headers: {
              Authorization: `Bearer ${connection.token}`,
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3ace804b790b4c07 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:364 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:361
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #20bc44dbc87409d1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:68 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
            const response = await fetch(`https://api.vercel.com/v1/deployments`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                name: projectId,
                target: 'production',
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3fae51005d3d54a0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:150 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:147
            const response = await fetch(`https://api.vercel.com/v1/projects/${projectId}`, {
              method: 'DELETE',
              headers: {
                Authorization: `Bearer ${connection.token}`,
              },
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #abd23cd3dd51f5a8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:214 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
      const testResponse = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${token}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #32491d19e48b9b4d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:79 → /tmp/closeopen-ah3m8ulv/repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
      const response = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
          'Content-Type': 'application/json',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a395e6b38e815af4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:30 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:30
        const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
          headers: {
            Authorization: `Bearer ${connection.token}`,
            'Content-Type': 'application/json',
          },
          cache: 'no-store',
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #66fb2268cb8ec73e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:53 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:53
          const projectDetailsResponse = await fetch(`https://api.vercel.com/v9/projects/${project.id}`, {
            headers: {
              Authorization: `Bearer ${connection.token}`,
              'Content-Type': 'application/json',
            },
            cache: 'no-store',
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #07441057db5c2e07 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:83 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:32 → /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:83
          const deploymentsResponse = await fetch(
            `https://api.vercel.com/v6/deployments?projectId=${project.id}&limit=1`,
            {
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              cache: 'no-store',
            },
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #570bf72de58596fe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:177 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/NetlifyDeploy.client.tsx:177
          const statusResponse = await fetch(
            `https://api.netlify.com/api/v1/sites/${data.site.id}/deploys/${data.deploy.id}`,
            {
              headers: {
                Authorization: `Bearer ${netlifyConn.token}`,
              },
            },
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #14488bb86bd49173 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:75 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitHubConnection.ts:78 → /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitHubConnection.ts:75
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f6559da2679d7764 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitHubConnection.ts:223 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitHubConnection.ts:226 → /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitHubConnection.ts:223
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #79194386113c2a0d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:92 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitLabConnection.ts:95 → /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitLabConnection.ts:92
      const response = await fetch(`${baseUrl}/api/v4/user`, {
        headers: {
          'Content-Type': 'application/json',
          'PRIVATE-TOKEN': connection.token,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ef2befae588abfaa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/hooks/useGitLabConnection.ts:213 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitLabConnection.ts:216 → /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useGitLabConnection.ts:213
      const response = await fetch(`${baseUrl}/api/v4/user`, {
        headers: {
          'Content-Type': 'application/json',
          'PRIVATE-TOKEN': connection.token,
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e98a1c46012fd6be User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:51 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:54 → /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:51
    const response = await fetch(`${this._baseURL}${endpoint}`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
        ...options.headers,
      },
      ...options,
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8d623245f00c7fa3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:137 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:140 → /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:137
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/contributors?per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d61399cd4735daae User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:165 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:168 → /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:165
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/issues?state=all&per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #98ba3b2f4ce5408a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/lib/services/githubApiService.ts:193 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:196 → /tmp/closeopen-ah3m8ulv/repo/app/lib/services/githubApiService.ts:193
    const response = await fetch(`${this._baseURL}/repos/${owner}/${repo}/pulls?state=all&per_page=1`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `${this._config.tokenType === 'classic' ? 'token' : 'Bearer'} ${this._config.token}`,
        'User-Agent': 'Bolt.diy',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #78b0f50fb35b7077 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:71 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-branches.ts:32 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-branches.ts:71
    const repoResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #080fe0a13b1d1cab User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-branches.ts:95 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-branches.ts:32 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-branches.ts:95
    const branchesResponse = await fetch(`https://api.github.com/repos/${owner}/${repo}/branches?per_page=100`, {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3cd6d1765238d5ce User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:26 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:26
    const userResponse = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #42d4b07aa15f4a14 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:50 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:50
      const repoResponse = await fetch(
        `https://api.github.com/user/repos?sort=updated&per_page=100&page=${page}&affiliation=owner,organization_member`,
        {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${githubToken}`,
            'User-Agent': 'bolt.diy-app',
          },
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #83d51deae1090c48 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-stats.ts:79 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:18 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-stats.ts:79
          const branchesResponse = await fetch(`https://api.github.com/repos/${repo.full_name}/branches?per_page=1`, {
            headers: {
              Accept: 'application/vnd.github.v3+json',
              Authorization: `Bearer ${githubToken}`,
              'User-Agent': 'bolt.diy-app',
            },
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #366025f5739bfafe User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:25 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:17 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:25
    const response = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0d3017f4d3c257f6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:116 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:116
      const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #602f801c74373e71 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:165 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:165
      const response = await fetch(`https://api.github.com/repos/${repoFullName}/branches`, {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0e2c22f19afe0802 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.github-user.ts:211 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:107 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.github-user.ts:211
      const response = await fetch(
        `https://api.github.com/search/repositories?q=${encodeURIComponent(searchQuery)}&per_page=${perPage}&sort=updated`,
        {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${githubToken}`,
            'User-Agent': 'bolt.diy-app',
          },
        },
      );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8614289c8c11eff7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:22 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.netlify-user.ts:15 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.netlify-user.ts:22
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${netlifyToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0566997f06a9a8e8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.netlify-user.ts:90 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.netlify-user.ts:82 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.netlify-user.ts:90
      const response = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${netlifyToken}`,
          'Content-Type': 'application/json',
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #509c89a89a424a2a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:22 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:15 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:22
    const response = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${supabaseToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #90a5daed54dd4a12 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:105 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:97 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:105
      const response = await fetch('https://api.supabase.com/v1/projects', {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c71c788497d7ce0e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.supabase-user.ts:159 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:97 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.supabase-user.ts:159
      const response = await fetch(`https://api.supabase.com/v1/projects/${projectId}/api-keys`, {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9bc5c8e4fc09c846 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:119 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:119
        const response = await fetch('https://api.github.com/user', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #776ad79fd53ef8e3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:145 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:145
        const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d909bdefbcd9beda User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:160 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:160
        const gistsResponse = await fetch('https://api.github.com/gists', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e28dabe27aebdbb1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:228 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:228
        const response = await fetch('https://api.github.com/user/orgs', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1fd6cba982e6dd71 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.system.git-info.ts:274 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:85 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.system.git-info.ts:274
        const response = await fetch(`https://api.github.com/users/${username}/events?per_page=30`, {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #319253f6c35873aa User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:31 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.vercel-user.ts:15 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.vercel-user.ts:31
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${vercelToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f144730a8ecebf61 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/app/routes/api.vercel-user.ts:110 · flow /tmp/closeopen-ah3m8ulv/repo/app/routes/api.vercel-user.ts:93 → /tmp/closeopen-ah3m8ulv/repo/app/routes/api.vercel-user.ts:110
      const response = await fetch('https://api.vercel.com/v13/projects', {
        headers: {
          Authorization: `Bearer ${vercelToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 115 low-confidence finding(s)
low egress production #a22ce0b1e2ff44f7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:70
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #a7cf76adc04771fa Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:459
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${tokenInput}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #de286f34e4c9b536 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/NetlifyTab.tsx:508
      const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #2d5639e4946fab0b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:414
      const response = await fetch('https://api.netlify.com/api/v1/user', {
        headers: {
          Authorization: `Bearer ${tokenInput}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b2523847aa81621d Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/netlify/components/NetlifyConnection.tsx:462
      const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #fe9f443c0b7ea55e Environment-variable access.
repo/app/components/@settings/tabs/providers/local/ErrorBoundary.tsx:54
          {process.env.NODE_ENV === 'development' && this.state.error && (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cdfe7c203466bdeb Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:65
            const response = await fetch(`https://api.vercel.com/v1/deployments`, {
              method: 'POST',
              headers: {
                Authorization: `Bearer ${connection.token}`,
                'Content-Type': 'application/json',
              },
              body: JSON.stringify({
                name: projectId,
                target: 'production',
              }),
            });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #6c2ab601f8e2d297 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/VercelTab.tsx:221
      const testResponse = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${token}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ad53f4cc58f9dd26 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/@settings/tabs/vercel/components/VercelConnection.tsx:77
      const response = await fetch('https://api.vercel.com/v2/user', {
        headers: {
          Authorization: `Bearer ${connection.token}`,
          'Content-Type': 'application/json',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low pii_flow production #4104cbc543bf4123 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/app/components/chat/SupabaseAlert.tsx:47 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/chat/SupabaseAlert.tsx:51 → /tmp/closeopen-ah3m8ulv/repo/app/components/chat/SupabaseAlert.tsx:47
      const response = await fetch('/api/supabase/query', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
          Authorization: `Bearer ${connection.token}`,
        },
        body: JSON.stringify({
          projectId: connection.selectedProjectId,
          query: sql,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low egress production #b4d2939476437363 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/components/chat/VercelDeploymentLink.client.tsx:30
        const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
          headers: {
            Authorization: `Bearer ${connection.token}`,
            'Content-Type': 'application/json',
          },
          cache: 'no-store',
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low pii_flow production #b38d698fbe42ab80 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/app/components/chat/VercelDeploymentLink.client.tsx:105 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:105 → /tmp/closeopen-ah3m8ulv/repo/app/components/chat/VercelDeploymentLink.client.tsx:105
        const fallbackResponse = await fetch(`/api/vercel-deploy?projectId=${projectId}&token=${connection.token}`, {
          method: 'GET',
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs production #16d64006fcfae236 Filesystem access.
repo/app/components/deploy/GitHubDeploy.client.tsx:119
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4ddf283a26343e9 Filesystem access.
repo/app/components/deploy/GitLabDeploy.client.tsx:119
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #949048cc1bccc60f Filesystem access.
repo/app/components/deploy/NetlifyDeploy.client.tsx:126
            const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow production #337dded7b71127b1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/app/components/deploy/NetlifyDeploy.client.tsx:145 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/NetlifyDeploy.client.tsx:153 → /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/NetlifyDeploy.client.tsx:145
      const response = await fetch('/api/netlify-deploy', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          siteId: existingSiteId || undefined,
          files: fileContents,
          token: netlifyConn.token,
          chatId: currentChatId,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs production #d0a9232fccf11f52 Filesystem access.
repo/app/components/deploy/VercelDeploy.client.tsx:122
            const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a3ed53bf1dc987e Filesystem access.
repo/app/components/deploy/VercelDeploy.client.tsx:149
              const content = await container.fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow production #b071ecbaaddccfbd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/app/components/deploy/VercelDeploy.client.tsx:182 · flow /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/VercelDeploy.client.tsx:191 → /tmp/closeopen-ah3m8ulv/repo/app/components/deploy/VercelDeploy.client.tsx:182
      const response = await fetch('/api/vercel-deploy', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          projectId: existingProjectId || undefined,
          files: fileContents,
          sourceFiles: allProjectFiles,
          token: vercelConn.token,
          chatId: currentChatId,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low egress production #c55716997e65051c Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/api/updates.ts:58
    const latestPackageResponse = await fetch(
      'https://raw.githubusercontent.com/stackblitz-labs/bolt.diy/main/package.json',
    );

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #9720602610b65629 Filesystem access.
repo/app/lib/hooks/useGit.ts:194
        const result = await webcontainer.fs.readFile(relativePath, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63be8be420b7a738 Filesystem access.
repo/app/lib/hooks/useGit.ts:212
          const result = await webcontainer.fs.writeFile(relativePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #764e5eea69a6afab Filesystem access.
repo/app/lib/hooks/useGit.ts:217
          const result = await webcontainer.fs.writeFile(relativePath, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0b1a7d504bdf2d9c Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:75
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #34e74c586c2ef25e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:118
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${tokenType === 'classic' ? 'token' : 'Bearer'} ${token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #8c022e308ec993c4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/hooks/useGitHubConnection.ts:223
      const response = await fetch('https://api.github.com/user', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `${connection.tokenType === 'classic' ? 'token' : 'Bearer'} ${connection.token}`,
          'User-Agent': 'Bolt.diy',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low pii_flow production #bc70f7e664d8bd13 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/app/lib/hooks/useSupabaseConnection.ts:70 · flow /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useSupabaseConnection.ts:68 → /tmp/closeopen-ah3m8ulv/repo/app/lib/hooks/useSupabaseConnection.ts:70
      const response = await fetch('/api/supabase', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          token: cleanToken,
        }),
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low egress production #319543c7deb7497a Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/anthropic.ts:64
    const response = await fetch(`https://api.anthropic.com/v1/models`, {
      headers: {
        'x-api-key': `${apiKey}`,
        'anthropic-version': '2023-06-01',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #745f524dacf9f48f Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/cerebras.ts:78
      const response = await fetch('https://api.cerebras.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #2100bebd38030efb Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/deepseek.ts:71
      const response = await fetch('https://api.deepseek.com/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #5f90386b61d95558 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/fireworks.ts:85
      const response = await fetch('https://api.fireworks.ai/v1/accounts/fireworks/models?page_size=100', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #e36fef59f48aacd6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/github.ts:91
      const response = await fetch('https://models.github.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b4d66380b569f19d Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/groq.ts:55
    const response = await fetch(`https://api.groq.com/openai/v1/models`, {
      headers: {
        Authorization: `Bearer ${apiKey}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #4487270ae8c866c9 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/moonshot.ts:62
      const response = await fetch('https://api.moonshot.ai/v1/models', {
        headers: {
          Authorization: `Bearer ${apiKey}`,
        },
        signal: this.createTimeoutSignal(5000),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #5abc12d481c902af Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/open-router.ts:56
      const response = await fetch('https://openrouter.ai/api/v1/models', {
        headers: {
          'Content-Type': 'application/json',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #0dd5042e2539e4a8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/modules/llm/providers/openai.ts:70
    const response = await fetch(`https://api.openai.com/v1/models`, {
      headers: {
        Authorization: `Bearer ${apiKey}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #607dc7e4dce1d7e6 Filesystem access.
repo/app/lib/persistence/useChatHistory.ts:250
        await container.fs.writeFile(key, value.content, { encoding: value.isBinary ? undefined : 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64e2376d9b621e7e Filesystem access.
repo/app/lib/runtime/action-runner.ts:334
      await webcontainer.fs.writeFile(relativePath, action.content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b4e6e5b0c614b05 Filesystem access.
repo/app/lib/runtime/action-runner.ts:351
      const content = await webcontainer.fs.readFile(historyPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc603debb10db620 Filesystem access.
repo/app/lib/runtime/action-runner.ts:602
              await webcontainer.fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe8faffcdcec96c1 Filesystem access.
repo/app/lib/runtime/action-runner.ts:659
          await webcontainer.fs.readFile(sourceFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6d2b6140f19d42f Environment-variable access.
repo/app/lib/security.ts:115
    ...(process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49317d771a5c46eb Environment-variable access.
repo/app/lib/security.ts:228
      const errorMessage = sanitizeErrorMessage(error, process.env.NODE_ENV === 'development');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fce693c19b8cd96d Environment-variable access.
repo/app/lib/services/importExportService.ts:171
          appVersion: process.env.NEXT_PUBLIC_VERSION || 'unknown',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a6ca852f1949852 Filesystem access.
repo/app/lib/stores/files.ts:566
      await webcontainer.fs.writeFile(relativePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #587720c575ed5d19 Filesystem access.
repo/app/lib/stores/files.ts:789
        await webcontainer.fs.writeFile(relativePath, Buffer.from(content));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #266c7e2b598c9c6e Filesystem access.
repo/app/lib/stores/files.ts:802
        await webcontainer.fs.writeFile(relativePath, contentToWrite);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ecea26831d8b1e22 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/netlify.ts:39
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${envToken}`,
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #891a6bd0d486a582 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/netlify.ts:88
    const sitesResponse = await fetch('https://api.netlify.com/api/v1/sites', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b0a2c3336f419340 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/vercel.ts:80
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${envToken}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #a4ae1758acd29e28 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/lib/stores/vercel.ts:148
    const projectsResponse = await fetch('https://api.vercel.com/v9/projects', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4319729be55122cd Environment-variable access.
repo/app/routes/api.bug-report.ts:195
      (context?.cloudflare?.env as any)?.GITHUB_BUG_REPORT_TOKEN || process.env.GITHUB_BUG_REPORT_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0641b990fa1dc69d Environment-variable access.
repo/app/routes/api.bug-report.ts:197
      (context?.cloudflare?.env as any)?.BUG_REPORT_REPO || process.env.BUG_REPORT_REPO || 'stackblitz-labs/bolt.diy';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a275de444d162a8c Environment-variable access.
repo/app/routes/api.check-env-key.ts:36
    process.env[envVarName] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4add68f12a77952e Environment-variable access.
repo/app/routes/api.configured-providers.ts:41
          const processEnv = process.env[baseUrlEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95a6b79bb19d4fb9 Environment-variable access.
repo/app/routes/api.configured-providers.ts:69
            process.env[apiTokenEnvVar] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c493204761deea37 Environment-variable access.
repo/app/routes/api.export-api-keys.ts:35
      process.env[envVarName] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8fec2e4573e601e Filesystem access.
repo/app/routes/api.git-info.ts:3
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4840f1bae527864 Environment-variable access.
repo/app/routes/api.github-branches.ts:61
        process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3408e959ac045cbb Environment-variable access.
repo/app/routes/api.github-branches.ts:62
        process.env.VITE_GITHUB_ACCESS_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95ef1718f08ea298 Environment-variable access.
repo/app/routes/api.github-stats.ts:18
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68e5afc65aae6113 Environment-variable access.
repo/app/routes/api.github-stats.ts:19
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #76d20ad47a876c3b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-stats.ts:26
    const userResponse = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #f2fb98da44f89969 Environment-variable access.
repo/app/routes/api.github-template.ts:7
  const isProduction = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c58005f9ee9da6c Environment-variable access.
repo/app/routes/api.github-template.ts:215
      context?.cloudflare?.env?.GITHUB_TOKEN || process.env.GITHUB_TOKEN || process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59dd765c19a7bc11 Environment-variable access.
repo/app/routes/api.github-user.ts:17
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c996334c9006eb29 Environment-variable access.
repo/app/routes/api.github-user.ts:18
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #7e80870fc19e24b7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-user.ts:25
    const response = await fetch('https://api.github.com/user', {
      headers: {
        Accept: 'application/vnd.github.v3+json',
        Authorization: `Bearer ${githubToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #735445b4abc69d80 Environment-variable access.
repo/app/routes/api.github-user.ts:107
      process.env.GITHUB_TOKEN ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59d650cf108ecfff Environment-variable access.
repo/app/routes/api.github-user.ts:108
      process.env.VITE_GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #496a02339fffc2b3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.github-user.ts:116
      const response = await fetch('https://api.github.com/user/repos?sort=updated&per_page=100', {
        headers: {
          Accept: 'application/vnd.github.v3+json',
          Authorization: `Bearer ${githubToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #579127eaf4d1d729 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-deploy.ts:42
      const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${token}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          name: siteName,
          custom_domain: null,
        }),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #02bea0c979e33888 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-deploy.ts:95
        const createSiteResponse = await fetch('https://api.netlify.com/api/v1/sites', {
          method: 'POST',
          headers: {
            Authorization: `Bearer ${token}`,
            'Content-Type': 'application/json',
          },
          body: JSON.stringify({
            name: siteName,
            custom_domain: null,
          }),
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #65611afe7015fba8 Environment-variable access.
repo/app/routes/api.netlify-user.ts:15
      process.env.VITE_NETLIFY_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #c277e0bceeacca48 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-user.ts:22
    const response = await fetch('https://api.netlify.com/api/v1/user', {
      headers: {
        Authorization: `Bearer ${netlifyToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #421ef461c086e82e Environment-variable access.
repo/app/routes/api.netlify-user.ts:82
      process.env.VITE_NETLIFY_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #753438cc7497cedf Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.netlify-user.ts:90
      const response = await fetch('https://api.netlify.com/api/v1/sites', {
        headers: {
          Authorization: `Bearer ${netlifyToken}`,
          'Content-Type': 'application/json',
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #005d376c7948c3e6 Environment-variable access.
repo/app/routes/api.supabase-user.ts:15
      process.env.VITE_SUPABASE_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d8646319f2ba19f3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase-user.ts:22
    const response = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${supabaseToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b1f5ad15724cd094 Environment-variable access.
repo/app/routes/api.supabase-user.ts:97
      process.env.VITE_SUPABASE_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #242f33f25692e92e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase-user.ts:105
      const response = await fetch('https://api.supabase.com/v1/projects', {
        headers: {
          Authorization: `Bearer ${supabaseToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #272d46a7286bbf6e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.supabase.ts:12
    const projectsResponse = await fetch('https://api.supabase.com/v1/projects', {
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8b951e08e72926d5 Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:17
    hasGithubToken: Boolean(process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f010a8956aaaf6a4 Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:18
    hasNetlifyToken: Boolean(process.env.NETLIFY_TOKEN || context.env?.NETLIFY_TOKEN),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b365fec4c914f227 Environment-variable access.
repo/app/routes/api.system.diagnostics.ts:19
    nodeEnv: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #af56786246cba3ac Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.diagnostics.ts:70
    const githubResponse = await fetch('https://api.github.com/zen', {
      method: 'GET',
      headers: {
        Accept: 'application/vnd.github.v3+json',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #089178ae716e4b02 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.diagnostics.ts:93
    const netlifyResponse = await fetch('https://api.netlify.com/api/v1/', {
      method: 'GET',
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #6000087a37ea6d5e Environment-variable access.
repo/app/routes/api.system.disk-info.ts:20
const isDevelopment = process.env.NODE_ENV === 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4dcbc0c54f5a9023 Environment-variable access.
repo/app/routes/api.system.git-info.ts:85
    const serverGithubToken = process.env.GITHUB_ACCESS_TOKEN || context.env?.GITHUB_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e9add9b96826df8e Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:119
        const response = await fetch('https://api.github.com/user', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c0da3483581b978b Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:145
        const reposResponse = await fetch('https://api.github.com/user/repos?per_page=100&sort=updated', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #83605cd3b0ce09bf Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:160
        const gistsResponse = await fetch('https://api.github.com/gists', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #2f81cc7e905745b5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.system.git-info.ts:228
        const response = await fetch('https://api.github.com/user/orgs', {
          headers: {
            Accept: 'application/vnd.github.v3+json',
            Authorization: `Bearer ${token}`,
          },
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #adc4fad3103822fa Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:267
      const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
        method: 'POST',
        headers: {
          Authorization: `Bearer ${token}`,
          'Content-Type': 'application/json',
        },
        body: JSON.stringify({
          name: projectName,
          framework: detectedFramework || null,
        }),
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ba38422038d3bab4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:314
        const createProjectResponse = await fetch('https://api.vercel.com/v9/projects', {
          method: 'POST',
          headers: {
            Authorization: `Bearer ${token}`,
            'Content-Type': 'application/json',
          },
          body: JSON.stringify({
            name: projectName,
            framework: detectedFramework || null,
          }),
        });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #4bc8d7b33244acc9 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-deploy.ts:417
    const deployResponse = await fetch(`https://api.vercel.com/v13/deployments`, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(deploymentConfig),
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ffd1dcdfea6ee496 Environment-variable access.
repo/app/routes/api.vercel-user.ts:15
      process.env.VITE_VERCEL_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #859b5a93eddb07f8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-user.ts:31
    const response = await fetch('https://api.vercel.com/v2/user', {
      headers: {
        Authorization: `Bearer ${vercelToken}`,
        'User-Agent': 'bolt.diy-app',
      },
    });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #e9f8507e574c83db Environment-variable access.
repo/app/routes/api.vercel-user.ts:93
      process.env.VITE_VERCEL_ACCESS_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8e0f4fc8a6477ef5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/app/routes/api.vercel-user.ts:110
      const response = await fetch('https://api.vercel.com/v13/projects', {
        headers: {
          Authorization: `Bearer ${vercelToken}`,
          'User-Agent': 'bolt.diy-app',
        },
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #dac996ec1f97a659 Environment-variable access.
repo/notarize.cjs:24
      teamId: process.env.APPLE_TEAM_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55265cfee420cdaf Environment-variable access.
repo/playwright.config.preview.ts:11
  forbidOnly: !!process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c715c3a75c607c6a Environment-variable access.
repo/playwright.config.preview.ts:12
  retries: process.env.CI ? 2 : 0,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97f00c902013c9a3 Environment-variable access.
repo/playwright.config.preview.ts:13
  workers: process.env.CI ? 1 : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69d47249f63d0d88 Environment-variable access.
repo/playwright.config.preview.ts:17
    baseURL: process.env.PREVIEW_URL || 'http://localhost:5173',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53e5c630ca3195b5 Environment-variable access.
repo/playwright.config.preview.ts:30
  webServer: process.env.CI ? undefined : {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #775c561c935c398c Environment-variable access.
repo/playwright.config.preview.ts:33
    reuseExistingServer: !process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05e9ea831a5424e7 Environment-variable access.
repo/pre-start.cjs:14
  version: JSON.stringify(process.env.npm_package_version),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc9efe9ebc122b0 Filesystem access.
repo/scripts/clean.js:1
import { rm, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3155afbce3b3adce Environment-variable access.
repo/scripts/electron-dev.mjs:26
process.env.NODE_ENV = 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b806e57870de3ada Environment-variable access.
repo/scripts/electron-dev.mjs:29
console.log('🔧 Environment:', process.env.NODE_ENV);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e008aa7c90fe75e3 Filesystem access.
repo/uno.config.ts:15
    acc[collectionName][iconName] = async () => fs.readFile(iconPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb3035efe8f911bd Environment-variable access.
repo/vite-electron.config.ts:23
      __APP_VERSION: JSON.stringify(process.env.npm_package_version),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1e2f278d0bfacc5 Environment-variable access.
repo/vite.config.ts:17
      'process.env.NODE_ENV': JSON.stringify(process.env.NODE_ENV),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5b2fa93802dd122 Environment-variable access.
repo/vite.config.ts.timestamp-1770328346417-a90f095482a09.mjs:15
      "process.env.NODE_ENV": JSON.stringify(process.env.NODE_ENV)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@modelcontextprotocol/sdk

npm dependency
high pii_flow tooling Excluded from app score unknown #13441956e5e40487 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245 · flow /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 → /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245
        const response = await fetch(endpoint, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            body: new URLSearchParams({
                token: token
            }).toString()
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #d83ecdcaef1a60c7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643 · flow /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 → /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643
            const response = await fetch(endpoint, {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                body: new URLSearchParams({
                    token: token
                }).toString()
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 18 low-confidence finding(s)
low egress tooling Excluded from app score unknown #ae2771c1c9f705ee Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/scripts/fetch-spec-types.ts:16
    const response = await fetch(url);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unknown #7c669226de7848db Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/fetch-spec-types.ts:77
        writeFileSync(outputPath, fullContent, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dd15888d89dc307 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/client/stdio.ts:71
        const value = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a85e140668ca4eb5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:26
const DEFAULT_SERVER_URL = process.env.MCP_SERVER_URL || 'http://localhost:3000/mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d260805b603f29a2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:29
    const clientId = process.env.MCP_CLIENT_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #21f0e6d04291e125 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:36
    const privateKeyPem = process.env.MCP_CLIENT_PRIVATE_KEY_PEM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b2918fafea881834 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:38
        const algorithm = process.env.MCP_CLIENT_ALGORITHM || 'RS256';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6ab257387a3fbe5c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:48
    const clientSecret = process.env.MCP_CLIENT_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fbccf1f3d208057a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationFormExample.ts:350
    const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #38cc33b749f9a3d1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215
const MCP_PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #517d27e6d91b1701 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:216
const AUTH_PORT = process.env.MCP_AUTH_PORT ? parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow tooling Excluded from app score unknown #af73c08c99d03a0c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:681 · flow /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 → /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:681
app.post('/mcp', authMiddleware, mcpPostHandler);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs tooling Excluded from app score unknown #2bd77fd59e5f280d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/honoWebStandardStreamableHttp.ts:69
const PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e4826f15b80f7036 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621
const MCP_PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #923bee87556ee667 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:622
const AUTH_PORT = process.env.MCP_AUTH_PORT ? parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow tooling Excluded from app score unknown #18aee5afb91a03d2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:778 · flow /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 → /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:778
    app.post('/mcp', authMiddleware, mcpPostHandler);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs tooling Excluded from app score unknown #609efd59b0b7f242 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleTaskInteractive.ts:448
const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 8000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0479798a42e0ba7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/server/auth/router.ts:12
    process.env.MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL === 'true' || process.env.MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@openrouter/ai-sdk-provider

npm dependency
high pii_flow dependency Excluded from app score #1f8cb69177997a5a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:16 · flow /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:18 → /tmp/closeopen-ah3m8ulv/pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:16
    const response = await fetch(url, {
      headers: {
        Authorization: `Bearer ${process.env.OPENROUTER_API_KEY}`,
      },
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 130 low-confidence finding(s)
low env_fs dependency Excluded from app score #8f097ab8cbffba22 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/cache-control.test.ts:38
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfd6eb1fa710b56f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/cache-control.test.ts:39
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c223d92457c28b1f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/embeddings/index.test.ts:8
  apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bedcc5899818e84 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/embeddings/index.test.ts:9
  baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #079e23c873be5b10 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/gemini/reasoning-multiturn.test.ts:38
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #861452f86d2f2d9f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/gemini/reasoning-multiturn.test.ts:39
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc5abd33eb25e2f2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/gemini/reasoning-multiturn.test.ts:132
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a71f2dc7129dae2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/gemini/reasoning-multiturn.test.ts:133
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14dc8556a8b4ba9f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-160-toolcallid-uniqueness.test.ts:25
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc16e8616b15f253 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-160-toolcallid-uniqueness.test.ts:26
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26720e74eea1cba6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-166-finish-reason-null.test.ts:38
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9fbae47b54d3fdc Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-166-finish-reason-null.test.ts:39
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04475eefc1c323f8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-171-cache-tool-key-ordering.test.ts:27
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6987c0ee71e0fcfb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-171-cache-tool-key-ordering.test.ts:28
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #23a1de66a1ddcf54 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-181-tool-response-image.test.ts:87
                    url: new URL('https://example.com/generated-image.png'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #f59852b7c0ed056b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-190-streamobject-flush-error.test.ts:26
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ea00e6610bb268e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-190-streamobject-flush-error.test.ts:27
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e1de1cadd3d5721 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-194-grok-invalid-json.test.ts:21
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dd82ce4e97ec132 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-194-grok-invalid-json.test.ts:22
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62953cf57ec5bc06 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-196-anthropic-1h-cache-ttl.test.ts:21
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13e3e1bd78e71a09 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-196-anthropic-1h-cache-ttl.test.ts:22
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #463c0a1d6be1449b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-199-openai-pdf-processing.test.ts:29
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c26a28b98dce7503 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-199-openai-pdf-processing.test.ts:30
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #e940e9a319424a11 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-199-openai-pdf-processing.test.ts:35
    const pdfBlob = await fetch('https://bitcoin.org/bitcoin.pdf').then((res) =>

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #6fe0677181528272 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-212-anthropic-web-search-online.test.ts:34
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0515c21e0b4298d8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-212-anthropic-web-search-online.test.ts:35
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2012bbcfc36cb1b6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-234-prompt-caching.test.ts:40
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f105a2b615dd442 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-234-prompt-caching.test.ts:41
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f521912f7c29b3d0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-237-reasoning-linebreaks.test.ts:19
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f82e0fdbe5c0cbdb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-237-reasoning-linebreaks.test.ts:20
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #770f9a6ffa556ddb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-248-gemini-web-search-empty-response.test.ts:28
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #405e6599317803d2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-248-gemini-web-search-empty-response.test.ts:29
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32dc7ef0eeb6304f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-269-image-size-parameter.test.ts:78
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6fd8f7ed3232d1a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-287-tool-calls-missing-arguments.test.ts:25
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c4bac64ce10f4d5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-287-tool-calls-missing-arguments.test.ts:26
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5d8ec49aad324c1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-341-cache-control-last-text-part.test.ts:26
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a70d6c7c60aac6c9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-341-cache-control-last-text-part.test.ts:27
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a5350aae95d664e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-383-video-url-support.test.ts:26
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b4cb2b483501567 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-386-image-files-parameter.test.ts:80
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #449db46d611a25a5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-387-temperature-settings.test.ts:32
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feaa0a2f7c6e8284 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-389-system-cache-control.test.ts:27
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48c84b6178339cf7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-389-system-cache-control.test.ts:28
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c21d10a9f4d13278 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-391-reasoning-effort-values.test.ts:28
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41ebe5cb191156a4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-391-reasoning-effort-values.test.ts:29
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67fbbf0c7cb5f2b9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-392-auto-router-plugin.test.ts:21
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ed0a994c2ea8955 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-392-auto-router-plugin.test.ts:22
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8981720598505d9a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-394-reasoning-end-signature.test.ts:21
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1641195de68770a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-394-reasoning-end-signature.test.ts:22
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82aa24f369c35701 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-407-token-usage-details.test.ts:27
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d62758aa189e4d9f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-407-token-usage-details.test.ts:28
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #531a225a2d375766 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-411-output-object-tools-conflict.test.ts:24
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6ae4f3c8b6d3116 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-411-output-object-tools-conflict.test.ts:25
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #788c706cc16c32c4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-418-gemini-thought-signature.test.ts:29
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc02c1a609134a36 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-418-gemini-thought-signature.test.ts:30
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cbf117060d82d95 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-419-420-finish-reason-usage-fallback.test.ts:40
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ee1dc2d189d41b6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-419-420-finish-reason-usage-fallback.test.ts:41
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #532f54b4463d6d7c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-419-usage-fallback.test.ts:23
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #681a2403a5e679ce Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-419-usage-fallback.test.ts:24
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87ecc65a7d1c95e0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-422-incomplete-error-information.test.ts:23
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6b6c0db967a8a6c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-signature-stripped.test.ts:25
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e96f4a571459ecab Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-signature-stripped.test.ts:26
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c17d14f30585207 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-streaming-signature-loss.test.ts:21
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #423af26d1c958532 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-streaming-signature-loss.test.ts:22
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56cf3e26f6bedb3a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-uimessage-roundtrip.test.ts:29
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f4db53b10845712 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-423-uimessage-roundtrip.test.ts:30
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0343ac8933b14d07 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-424-anthropic-auto-cache.test.ts:22
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0f53eb8c3c68096 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-424-anthropic-auto-cache.test.ts:23
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a7562e4cd110e7e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-432-raw-response-body.test.ts:25
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0e09e43134fb42b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-438-gemini-reasoning-redacted.test.ts:23
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c3b936be5d38be1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-438-gemini-reasoning-redacted.test.ts:24
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19f3901777686f3d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-439-exact-payload.test.ts:26
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43deacc173b47309 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-439-exact-payload.test.ts:27
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6eb85c75e8c43207 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-453-signature-reopen.test.ts:27
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df2ed8cfe334f0b3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-453-signature-reopen.test.ts:28
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df85929e4e261880 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-474-web-search-server-tool.test.ts:26
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09201af473c81391 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-474-web-search-server-tool.test.ts:27
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #969850a68f92d7b3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-63-web-search-annotations.test.ts:24
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09f47629bc3b29e3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/issues/issue-63-web-search-annotations.test.ts:25
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26ed328a658b599e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:166
          apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe44245cb0bd3f7d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:167
          baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce5efb6f776c2194 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:232
          apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f949b8cc556d55c7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:233
          baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9af2229c83858f0d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:304
          apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ff4166309d3ac8f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:305
          baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ead0b31b34921db Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:366
          apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #853b86d3bdb35b68 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/parallel-tool-calls.test.ts:367
          baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2fc71ad95c5d3ad Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:4
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2ef1f7cab3b7cd1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:14
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52db8ad507bf4e03 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:15
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #7194aa947c77f847 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:24
  const pdfBlob = await fetch('https://bitcoin.org/bitcoin.pdf').then((res) =>

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #c96c602dc8513228 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:70
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54f06e97defe81fb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:71
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ab64d4303f6b67e Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:90
  const metadataText = await readFile(metadataPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #caba82987c1eb7f2 Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-blob/index.test.ts:98
  const pdfBuffer = await readFile(pdfPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #738181401ece8208 Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-url/index.test.ts:4
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84a7a72679ed7ed0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-url/index.test.ts:14
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d55920dc68b7756c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-url/index.test.ts:15
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #aed38d5ae9cc86fa Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-url/index.test.ts:33
        data: new URL('https://bitcoin.org/bitcoin.pdf'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #87c429201d6a4685 Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/pdf-url/index.test.ts:56
  await writeFile(
    new URL('./output.ignore.json', import.meta.url),
    JSON.stringify(messageHistory, null, 2),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b5f8a8602a68ae4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:12
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05175132690651fe Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:13
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63ef1177a50aae6e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:55
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6e5b18a4ffe6c8c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:56
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a9f2b47abf0a527 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:98
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc7403fd1ea99d08 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-effort.test.ts:99
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42270b49e63d77e8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-multiturn/index.test.ts:14
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54f16c987c1b7dc6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/reasoning-multiturn/index.test.ts:15
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #394e42a39fced5cb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/tools-with-reasoning.test.ts:24
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8e385af4d6d6d86 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/tools-with-reasoning.test.ts:25
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c73428b4e61dee49 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/tools.ts:8
  apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14b51e452e4b40b9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/tools.ts:9
  baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a0e96de0a0c1bcc Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/usage-accounting.test.ts:11
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cb908bd4a33a4ab Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/usage-accounting.test.ts:12
    baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f34738e2d8f3ceda Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/utils.ts:12
  writeFile(
    new URL(fileName ?? './output.ignore.json', baseUrl),
    JSON.stringify(fileData, null, 2),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ba3953a90d7d311 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:11
    apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9fe6e4486b8a435 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/video-generation.test.ts:18
        Authorization: `Bearer ${process.env.OPENROUTER_API_KEY}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c01372171ef884f9 Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/web-search/index.test.ts:2
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1aa4f8417fd49185 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/web-search/index.test.ts:13
      apiKey: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #262d8b11db7f678e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/e2e/web-search/index.test.ts:14
      baseUrl: `${process.env.OPENROUTER_API_BASE}/api/v1`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0a1d79ddc0e6924 Filesystem access.
pkgs/npm/@[email protected]__reposrc/e2e/web-search/index.test.ts:45
    await writeFile(
      new URL('./output.ignore.json', import.meta.url),
      JSON.stringify(sources, null, 2),
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #16469e3962d6e2b2 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:46
              url: new URL('https://example.com/image.png'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #88e0242a6e6e1915 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:236
                url: new URL('https://example.com/audio.mp3'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #8ce7cd47c0dc61d0 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:256
              url: new URL('https://example.com/video.mp4'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #5d5530a1883281b8 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:346
            data: { type: 'url', url: new URL('https://example.com/sample') },

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #18316406d61b935d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:2313
                    url: new URL('https://example.com/generated-image.png'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #5710491ba859f555 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:2431
                    url: new URL('https://example.com/photo.jpg'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #7f6ff6628a15a3a6 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:2469
                    url: new URL('https://example.com/report.pdf'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #ed7a223b3a3c5bf5 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:2511
                    url: new URL('https://api.example.com/files/123'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #2e7aa546005a5113 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/src/chat/convert-to-openrouter-chat-messages.test.ts:2796
                    url: new URL('https://example.com/screenshot2.png'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #b5bdcba21901bf57 Filesystem access.
pkgs/npm/@[email protected]__reposrc/tsup.config.ts:5
  readFileSync(new URL('package.json', import.meta.url), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

rollup-plugin-node-polyfills

npm dependency
medium telemetry dependency Excluded from app score #f979010ea1c90872 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/polyfills/crypto-browserify.js:14053
      options.track(input.path(), start, input.length, 'tagged');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #7b0cebb2700369df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/polyfills/crypto-browserify.js:14056
      options.track(input.path(), input.offset, input.length, 'content');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #151c0b9768d0884e Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:5139
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #757586793048fbda Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:7529
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e62908ea354f6cb Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:10396
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce7ed0797aa4ed6a Environment-variable access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:14206
if (!process.browser && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19cce03e23810e30 Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18623
		if (typeof opts === 'function') return fs.writeFile(key, data, null, opts);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39f74730c5fe1ec1 Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18662
		fs.writeFile(key, data, opts, cb);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a581bb20709da1d3 Filesystem access.
pkgs/npm/[email protected]/polyfills/browserify-fs.js:18699
		if (typeof opts === 'function') return fs.readFile(key, null, opts);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c89c80a58f6f686 Environment-variable access.
pkgs/npm/[email protected]/polyfills/util.js:100
    debugEnviron = process.env.NODE_DEBUG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@phosphor-icons/react

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #7b89019531e6a1a0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/example/App.tsx:20
if (process.env.NODE_ENV === "development") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #586da4e1d6465850 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/assemble.ts:130
      fs.writeFileSync(path.join(CSR_PATH, `${name}.tsx`), csrString, {
        flag: "w",
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4839acf21c4c6f56 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/assemble.ts:133
      fs.writeFileSync(path.join(SSR_PATH, `${name}.tsx`), ssrString, {
        flag: "w",
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2e21c2cb21860446 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/assemble.ts:136
      fs.writeFileSync(path.join(DEFS_PATH, `${name}.tsx`), defString, {
        flag: "w",
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6a3b002d1a569108 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/assemble.ts:184
    fs.writeFileSync(INDEX_PATH, csrIndex, {
      flag: "w",
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #236bab84131cb253 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/assemble.ts:187
    fs.writeFileSync(path.join(SSR_PATH, "index.ts"), ssrIndex, {
      flag: "w",
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #34ca5e4ff991a35a Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/index.ts:66
      const file = fs.readFileSync(filepath).toString("utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@radix-ui/react-context-menu

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #c94700ccbde755dd Environment-variable access.
pkgs/npm/@[email protected]__sourcemap/src/context-menu.tsx:51
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #c0cc21d4d70f9557 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15758a3ab41eb341 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea2c61204873ae6d Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd9e658b23fbaf67 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d11c360095066f8 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1819ec28e10ea9f Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6afa5f0db0440183 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb1407a3b962d544 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #531c28f5418867bc Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #103aa0f7a7342df6 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bf6c8095979a2b0 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e6fa91ff2947475 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #990857bb43e3264b Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a8c2ac851de3e8b Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:141
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c066ac684b311a8 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:142
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #409f7af9b59d8056 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:221
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13db54a13979cf71 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:222
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec2b36674b5f11fc Filesystem access.
pkgs/npm/[email protected]/lib/main.js:277
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

electron-log

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #3a3f9b71a4723da2 Filesystem access.
pkgs/npm/[email protected]/src/main/initialize.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ddf37962729c520 Filesystem access.
pkgs/npm/[email protected]/src/main/initialize.js:81
    fs.writeFileSync(preloadPath, preloadCode, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7b33d183c49c914 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:121
        return process.env.APPDATA || path.join(home, 'AppData/Roaming');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1aeb240a8649014e Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:125
        return process.env.XDG_CONFIG_HOME || path.join(home, '.config');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f870ce27e9d19a3 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:131
    return os.homedir?.() || process.env.HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49fa48ce40cce506 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:147
    return process.env.NODE_ENV === 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05864e2f6b56d07 Environment-variable access.
pkgs/npm/[email protected]/src/node/NodeExternalApi.js:148
      || process.env.ELECTRON_IS_DEV === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #646144d2877246ba Filesystem access.
pkgs/npm/[email protected]/src/node/packageJson.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5dff655358a8fd9 Filesystem access.
pkgs/npm/[email protected]/src/node/packageJson.js:39
    const json = JSON.parse(fs.readFileSync(fileName, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d30bbe4902f47c59 Environment-variable access.
pkgs/npm/[email protected]/src/node/transports/console.js:56
    useStyles: process.env.FORCE_STYLES,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b97a3a9acc458a7 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71cc47a992507158 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:34
      fs.writeFileSync(this.path, '', {
        mode: this.writeOptions.mode,
        flag: 'w',
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2353ec9b7cff057 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:96
    fs.writeFile(this.path, text, this.writeOptions, (e) => {
      file.hasActiveAsyncWriting = false;

      if (e) {
        file.emit(
          'error',
          new Error(`Couldn't write to ${file.path}. ${e.message}`),
          this,
        );
      } else {
        file.increaseBytesWrittenCounter(text);
      }

      file.nextAsyncWrite();
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6de1fed1b6aa02b3 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/File.js:132
      fs.writeFileSync(this.path, text, this.writeOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed71aa5a2006638f Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/FileRegistry.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa25c44b3ce26391 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/FileRegistry.js:72
    fs.writeFileSync(filePath, '', { flag: 'a', mode: writeOptions.mode });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe0044355c83eebe Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/index.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67f2138c4aa0f3f3 Filesystem access.
pkgs/npm/[email protected]/src/node/transports/file/index.js:149
            lines: fs.readFileSync(logPath, 'utf8').split(os.EOL),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

electron-updater

npm dependency
expand_more 15 low-confidence finding(s)
low env_fs dependency Excluded from app score #e44ac0d7a785fee4 Environment-variable access.
pkgs/npm/[email protected]/out/AppAdapter.js:11
        result = process.env["LOCALAPPDATA"] || path.join(homedir, "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10a50dd8654e3dae Environment-variable access.
pkgs/npm/[email protected]/out/AppAdapter.js:17
        result = process.env["XDG_CACHE_HOME"] || path.join(homedir, ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a524ab83100dde7 Filesystem access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:7
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a691bdb97d4aefb9 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:18
        if (process.env["APPIMAGE"] == null && !this.forceDevUpdateConfig) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87784204c5ac548c Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:19
            if (process.env["SNAP"] == null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #721864bcd685ebac Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:38
                const oldFile = process.env["APPIMAGE"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07bd96bdb7439d14 Environment-variable access.
pkgs/npm/[email protected]/out/AppImageUpdater.js:73
        const appImageFile = process.env["APPIMAGE"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f39b3c89b46bd78 Filesystem access.
pkgs/npm/[email protected]/out/DownloadedUpdateHelper.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31bc77d74c83f1f2 Environment-variable access.
pkgs/npm/[email protected]/out/LinuxUpdater.js:96
        const pmOverride = (_a = process.env.ELECTRON_BUILDER_LINUX_PACKAGE_MANAGER) === null || _a === void 0 ? void 0 : _a.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96b42d41b6bae55b Filesystem access.
pkgs/npm/[email protected]/out/MacUpdater.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d61fbf7ca61b3884 Filesystem access.
pkgs/npm/[email protected]/out/differentialDownloader/DataSplitter.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d449cd54816ad6b Filesystem access.
pkgs/npm/[email protected]/out/differentialDownloader/DifferentialDownloader.js:6
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7666bb446049912a Environment-variable access.
pkgs/npm/[email protected]/out/differentialDownloader/downloadPlanBuilder.js:73
const isValidateOperationRange = process.env["DIFFERENTIAL_DOWNLOAD_PLAN_BUILDER_VALIDATE_RANGES"] === "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #302a9cb515c7d450 Environment-variable access.
pkgs/npm/[email protected]/out/providerFactory.js:24
            const token = (githubOptions.private ? process.env["GH_TOKEN"] || process.env["GITHUB_TOKEN"] : null) || githubOptions.token;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35b5e183171c407a Environment-variable access.
pkgs/npm/[email protected]/out/providers/Provider.js:32
            const arch = process.env["TEST_UPDATER_ARCH"] || process.arch;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

isomorphic-git

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #a176f0f3ffa03757 Filesystem access.
pkgs/npm/[email protected]/cli.cjs:2
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f10900a184ce0a5 Filesystem access.
pkgs/npm/[email protected]/index.cjs:5022
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #424987d162ae12da Filesystem access.
pkgs/npm/[email protected]/index.js:5009
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e65ea56780915848 Filesystem access.
pkgs/npm/[email protected]/models/index.cjs:213
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ff05ff5d344d8ca Filesystem access.
pkgs/npm/[email protected]/models/index.js:207
      return targetFs.readFile().catch(e => e)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mime

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #84f2a23775496bf0 Filesystem access.
pkgs/npm/[email protected]/src/mime_cli.ts:17
  const json = await fs.readFile(
    path.join(__dirname, '../../package.json'),
    'utf-8',
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nanostores

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #8661343bd693bb08 Environment-variable access.
pkgs/npm/[email protected]/atom/index.js:115
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f9be79ac886405c Environment-variable access.
pkgs/npm/[email protected]/clean-stores/index.js:6
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0d0faaa68a0b64e Environment-variable access.
pkgs/npm/[email protected]/computed/index.js:19
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3347090060ece60f Environment-variable access.
pkgs/npm/[email protected]/computed/index.js:43
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6157225d28b0568a Environment-variable access.
pkgs/npm/[email protected]/deep-map/index.js:9
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fa118791a90d4e8 Environment-variable access.
pkgs/npm/[email protected]/lifecycle/index.js:145
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #019e889482c3cce1 Environment-variable access.
pkgs/npm/[email protected]/map-creator/index.js:28
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #b4251c4f8538a6a2 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-compiler-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a652e7a90166d136 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a30aa0429fc388d Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-dev-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee1a3dc19b665094 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20f5f7f8f3cc2ca1 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-jsx-runtime.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c17e1429e3c75e2f Environment-variable access.
pkgs/npm/[email protected]/cjs/react.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #085bf94e5baae4e1 Environment-variable access.
pkgs/npm/[email protected]/cjs/react.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #535ee5c88e2e0588 Environment-variable access.
pkgs/npm/[email protected]/compiler-runtime.js:10
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #746d2bdd47cef25f Environment-variable access.
pkgs/npm/[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c104b75c638f757a Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bc4859f9b702a25 Environment-variable access.
pkgs/npm/[email protected]/jsx-dev-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbe49fce4be440df Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25a12c70db159af7 Environment-variable access.
pkgs/npm/[email protected]/jsx-runtime.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #941f551523664b8b Environment-variable access.
pkgs/npm/[email protected]/react.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-beautiful-dnd

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #fa3aa4f3b56fedb9 Environment-variable access.
pkgs/npm/[email protected]/src/debug/timings.js:21
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #728f3944fc5f11d7 Environment-variable access.
pkgs/npm/[email protected]/src/debug/timings.js:37
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebc33459e30545a5 Environment-variable access.
pkgs/npm/[email protected]/src/dev-warning.js:3
const isProduction: boolean = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b07abbbba7d1cb1 Environment-variable access.
pkgs/npm/[email protected]/src/invariant.js:3
const isProduction: boolean = process.env.NODE_ENV === 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2daf04c21f01015 Environment-variable access.
pkgs/npm/[email protected]/src/state/create-store.js:27
  process.env.NODE_ENV !== 'production' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9ce393ee3bae079 Environment-variable access.
pkgs/npm/[email protected]/src/state/middleware/util/validate-dimensions.js:64
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a6484674e1da360 Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/app.jsx:177
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e50fe5a88e10daf Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/error-boundary.jsx:33
      if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb1601de9524e02c Environment-variable access.
pkgs/npm/[email protected]/src/view/drag-drop-context/error-boundary.jsx:67
      if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d22587863e1757b1 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-dev.js:5
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b31ba1af98b683a1 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-droppable-publisher/get-closest-scrollable.js:34
  if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #025b41e516376a52 Environment-variable access.
pkgs/npm/[email protected]/src/view/use-droppable-publisher/use-droppable-publisher.js:168
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

react-dom

npm dependency
expand_more 24 low-confidence finding(s)
low env_fs dependency Excluded from app score #9f2575af4f6fb70d Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-profiling.development.js:15
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d8d388543c4e6d8 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36ca0be5372dfd28 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server-legacy.node.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5ed5ebc01c4c607 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.browser.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16a7ac47484944ec Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.edge.development.js:36
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75818ed093d5b13d Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-server.node.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7713574f280e4a3e Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom-test-utils.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #348cc04e8b675951 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf66ac1feb796d81 Environment-variable access.
pkgs/npm/[email protected]/cjs/react-dom.react-server.development.js:12
"production" !== process.env.NODE_ENV &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee7a5726220c0a07 Environment-variable access.
pkgs/npm/[email protected]/client.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #214992bcd6b67440 Environment-variable access.
pkgs/npm/[email protected]/client.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7ba87745f668ec9 Environment-variable access.
pkgs/npm/[email protected]/index.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6e7a0d541976867 Environment-variable access.
pkgs/npm/[email protected]/index.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35b250b3269bdaf8 Environment-variable access.
pkgs/npm/[email protected]/profiling.js:11
  if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55db5eec428a410a Environment-variable access.
pkgs/npm/[email protected]/profiling.js:31
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2363e9ab7bbed591 Environment-variable access.
pkgs/npm/[email protected]/react-dom.react-server.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97e8659edc6ac77d Environment-variable access.
pkgs/npm/[email protected]/server.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9f73044091a7b20 Environment-variable access.
pkgs/npm/[email protected]/server.bun.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc9153e6f8a1fe29 Environment-variable access.
pkgs/npm/[email protected]/server.edge.js:5
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11286fe7a3ce4503 Environment-variable access.
pkgs/npm/[email protected]/server.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d3d4bbbc6b0e791 Environment-variable access.
pkgs/npm/[email protected]/static.browser.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa3e7b31a3e02e4d Environment-variable access.
pkgs/npm/[email protected]/static.edge.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0cf16f065647762 Environment-variable access.
pkgs/npm/[email protected]/static.node.js:4
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f63f239ca9b93c Environment-variable access.
pkgs/npm/[email protected]/test-utils.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

remix-island

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #4b975361cb750418 Environment-variable access.
pkgs/npm/[email protected]/examples/cloudflare-example/server.js:6
  mode: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

zustand

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #6606118396b8642d Environment-variable access.
pkgs/npm/[email protected]/middleware.js:66
    extensionConnector = (enabled != null ? enabled : process.env.NODE_ENV !== "production") && window.__REDUX_DEVTOOLS_EXTENSION__;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5ccb7000e034ff3 Environment-variable access.
pkgs/npm/[email protected]/middleware.js:128
      if (process.env.NODE_ENV !== "production" && args[0].type === "__setState" && !didWarnAboutReservedActionType) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @codemirror/autocomplete prod — dist-only: no readable source
  • @codemirror/commands prod — dist-only: no readable source
  • @codemirror/language prod — dist-only: no readable source
  • @codemirror/search prod — dist-only: no readable source
  • @codemirror/state prod — dist-only: no readable source
  • @codemirror/view prod — dist-only: no readable source
  • @headlessui/react prod — dist-only: no readable source
  • @radix-ui/react-tabs prod — dist-only: no readable source
  • @radix-ui/react-tooltip prod — dist-only: no readable source
  • @remix-run/cloudflare prod — dist-only: no readable source
  • @remix-run/cloudflare-pages prod — dist-only: no readable source
  • @remix-run/react prod — dist-only: no readable source
  • @unocss/reset prod — no javascript source
  • ai prod — dist-only: no readable source
  • class-variance-authority prod — dist-only: no readable source
  • framer-motion prod — dist-only: no readable source
  • jose prod — dist-only: no readable source
  • ollama-ai-provider prod — dist-only: no readable source
  • react-chartjs-2 prod — dist-only: no readable source
  • react-hotkeys-hook prod — dist-only: no readable source
  • react-resizable-panels prod — dist-only: no readable source
  • react-window prod — dist-only: no readable source
  • shiki prod — dist-only: no readable source
  • use-debounce prod — dist-only: no readable source