Close Open Privacy Scan

link https://github.com/nuxt/nuxt
bolt Snapshot: commit 369a6c6
science engine v1
schedule 2026-06-28T06:13:07.624186+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

37 /100
High privacy risk — application leak confirmed

High risk · 675 finding(s)

Dependency score: 37 (High risk)

bar_chart Score Breakdown

pii_flow −60
env_fs −3

list Scan Summary

10 high 13 medium 652 low
First-party packages: 8
Dependency packages: 36
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:44
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:55
high first-party (npm): packages/nuxt User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/release.ts:97 repo/scripts/release.ts:103
medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/release.ts:97 repo/scripts/release.ts:160
hub Dependency data flows (17)
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:215
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:317
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:523
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:549
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:568
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:590
medium esbuild dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/install.js:29 pkgs/npm/[email protected]/install.js:260
medium esbuild dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/lib/main.js:1889 pkgs/npm/[email protected]/lib/main.js:1973
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:230
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:321
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:325
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:330
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:532
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:560
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:577
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:610
medium pkg-pr-new dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:619

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #572acd9cb3172c8f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-dsbc1fle/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-dsbc1fle/repo/packages/nuxt/src/app/components/nuxt-island.ts:220 
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow production #de8d2434781e3c93 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:44 · flow /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:35 → /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:44 
  const idTokenResponse = await fetch(idTokenUrl, {
    headers: { authorization: `Bearer ${requestToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow production #71b49b837f2528a2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:55 · flow /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:35 → /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:55 
  const exchangeResponse = await fetch(exchangeUrl, {
    method: 'POST',
    headers: { authorization: `Bearer ${idToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow production #f8a9cf70ec2d082e PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/release.ts:103 · flow /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:97 → /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:103 
  console.info(`🚀 ${isNightly ? 'Nightly' : 'Regular'} release with tags: ${allTags.join(', ')}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow production #55ae401a93612817 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/release.ts:160 · flow /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:97 → /tmp/closeopen-dsbc1fle/repo/scripts/release.ts:160 
      console.info(`🏷️ Publishing ${pkgDir} with tag: ${tag}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 97 low-confidence finding(s)
low env_fs production #a0a06be77f32e8c4 Environment-variable access.
repo/nuxt.config.ts:10 
      if (!process.env.DOCS_TYPECHECK) { return }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5aa8ef2598bf9322 Environment-variable access.
repo/nuxt.config.ts:51 
  pages: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5124334f3a1f85a7 Environment-variable access.
repo/nuxt.config.ts:61 
    shim: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dee67a7a8afdc83d Filesystem access.
repo/packages/kit/src/ignore.ts:66 
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #86f848c043c1afd5 Filesystem access.
repo/packages/kit/src/module/install.test.ts:16 
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #88da8d1166aedd22 Filesystem access.
repo/packages/kit/src/module/install.test.ts:22 
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #814ac228a80f233f Filesystem access.
repo/packages/kit/src/module/install.ts:337 
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #f83553b0a77118fb Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20 
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #197ad5801c0adc07 Filesystem access.
repo/packages/kit/src/template.ts:652 
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #3474abd410eab15c Filesystem access.
repo/packages/kit/src/template.ts:653 
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #fcfe5d4173bc4a24 Filesystem access.
repo/packages/kit/src/template.ts:654 
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ad6bae21c0e36294 Filesystem access.
repo/packages/kit/src/template.ts:655 
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #126fb7bf16ed68e0 Filesystem access.
repo/packages/kit/src/template.ts:656 
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #307b95c45dae57c8 Filesystem access.
repo/packages/kit/src/template.ts:657 
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #0a7ccc5b5ba380e3 Filesystem access.
repo/packages/kit/src/template.ts:658 
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b3ce20b048eca8a5 Filesystem access.
repo/packages/nitro-server/src/index.ts:461 
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b6784abd99cc6b19 Filesystem access.
repo/packages/nitro-server/src/index.ts:494 
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #45337e144bf2bbdb Filesystem access.
repo/packages/nitro-server/src/index.ts:498 
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #85e8e6295937ba50 Filesystem access.
repo/packages/nitro-server/src/index.ts:882 
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #83a2b0c279f39a63 Filesystem access.
repo/packages/nitro-server/src/index.ts:889 
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e07e099aa4708202 Filesystem access.
repo/packages/nitro-server/src/index.ts:993 
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #d4a68beeb8f9d517 Filesystem access.
repo/packages/nitro-server/src/index.ts:1108 
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #f73a546b72f6511e Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73 
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e85e4db15931801e Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118 
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #2e91d5adb926cb63 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173 
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #577e7f5a32e8939d Filesystem access.
repo/packages/nuxt/src/core/app.ts:98 
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #02b31a43ce7b9203 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125 
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e0b3ca96e83d0535 Filesystem access.
repo/packages/nuxt/src/core/app.ts:258 
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ed31c81227d69052 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52 
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #28391dab536dca51 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86 
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #2dd242b60258cbda Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246 
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #aa0f7ef4bf7ada46 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280 
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dc1faebf5f6a5fe0 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306 
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #445309761e8d1094 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323 
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #559825d03ea821fe Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891 
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8e5a0e93f41b709b Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141 
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #73d9b2e2a0cc6347 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707 
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #63909e4b45e46d9e Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708 
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #35dd776d20d4c94d Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150 
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5c19fdb87eb89fa5 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180 
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc331239bc6be218 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13 
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c7f1dab78cc0ba9a Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14 
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b9f932ffaafae17c Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15 
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #3bd02c23d18d378b Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16 
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #852f3e32ee811acf Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313 
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a23b9f98170e070d Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164 
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a7007df773faece2 Environment-variable access.
repo/packages/schema/src/config/app.ts:33 
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #cfc631af949aacf4 Environment-variable access.
repo/packages/schema/src/config/app.ts:41 
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b20596f0a6023339 Environment-variable access.
repo/packages/schema/src/config/app.ts:50 
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #0336d6a36e93baac Environment-variable access.
repo/packages/schema/src/config/common.ts:142 
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #eac296034a63c94d Environment-variable access.
repo/packages/schema/src/config/common.ts:147 
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a00f99a328212312 Environment-variable access.
repo/packages/schema/src/config/common.ts:148 
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c5d7435590e32e43 Environment-variable access.
repo/packages/schema/src/config/common.ts:153 
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #931d901f2cf41a77 Environment-variable access.
repo/packages/schema/src/config/common.ts:154 
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e824c0f844124944 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27 
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5820f84a8e2ee735 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29 
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #35746ba60b2222c8 Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16 
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #50cfc609f43f0615 Filesystem access.
repo/packages/ui-templates/lib/render.ts:47 
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8367d283bd45120b Filesystem access.
repo/packages/ui-templates/lib/render.ts:68 
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #9088ae1017598aad Filesystem access.
repo/packages/ui-templates/lib/render.ts:83 
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dae326373ea5afee Filesystem access.
repo/packages/ui-templates/lib/render.ts:99 
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #66d885861c23c9d5 Filesystem access.
repo/packages/ui-templates/lib/render.ts:193 
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #34f7498f8f892bb7 Filesystem access.
repo/packages/ui-templates/lib/render.ts:194 
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #02852608c39b1ab4 Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18 
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #46af0007b0096648 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73 
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #53abf9737dbc2345 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106 
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8041a77a4e56c1f7 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107 
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ed755b095245121e Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29 
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #74c37e962a45ffc3 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30 
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dabe6fd978cc48cd Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71 
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8d83725a76cee7ce Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342 
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b9571c7d68696a1a Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45 
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a944caa71ee6ef1f Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16 
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #84ddadd963b4f6bf Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17 
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #1fd45152606e07cf Environment-variable access.
repo/packages/vite/src/vite-node.ts:9 
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b8d212cbad0275f1 Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51 
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #d8a8742d0f7a3e53 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170 
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #59816a6a3e92ae9c Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171 
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #59a5141354e21990 Filesystem access.
repo/scripts/_utils.ts:21 
  const data = JSON.parse(await fsp.readFile(pkgPath, 'utf-8').catch(() => '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c7dbf409e0efa686 Filesystem access.
repo/scripts/_utils.ts:22 
  const save = () => fsp.writeFile(pkgPath, JSON.stringify(data, null, 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #754971f6c39bcc56 Environment-variable access.
repo/scripts/_utils.ts:172 
        'Authorization': `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ab5db786e1c88d88 Filesystem access.
repo/scripts/release.ts:24 
  return JSON.parse(readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a250432d7ed8fe91 Environment-variable access.
repo/scripts/release.ts:35 
  const requestUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #f2e4ce058206a273 Environment-variable access.
repo/scripts/release.ts:36 
  const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c9c066b00a06f240 Environment-variable access.
repo/scripts/release.ts:97 
  const tagsInput = process.env.TAG || 'latest'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #89badf9f10e48df7 Filesystem access.
repo/scripts/release.ts:122 
    const originalReadme = readFileSync('README.md', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #2ecb37d8cb94793d Filesystem access.
repo/scripts/release.ts:127 
    writeFileSync('README.md', readme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #4d6a34aa08e42b0c Filesystem access.
repo/scripts/release.ts:184 
    writeFileSync('README.md', originalReadme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5f9c132a83f9778a Environment-variable access.
repo/scripts/update-changelog.ts:73 
        Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #966c9cea2f28e4fe Environment-variable access.
repo/scripts/update-changelog.ts:89 
      Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #081a31b04ab5818b Environment-variable access.
repo/vitest.config.ts:20 
    appManifest: process.env.TEST_MANIFEST !== 'manifest-off',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nuxt

npm first-party
high pii_flow production #572acd9cb3172c8f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-dsbc1fle/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-dsbc1fle/repo/packages/nuxt/src/app/components/nuxt-island.ts:220 
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 23 low-confidence finding(s)
low env_fs production #e85e4db15931801e Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118 
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #2e91d5adb926cb63 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173 
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #577e7f5a32e8939d Filesystem access.
repo/packages/nuxt/src/core/app.ts:98 
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #02b31a43ce7b9203 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125 
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e0b3ca96e83d0535 Filesystem access.
repo/packages/nuxt/src/core/app.ts:258 
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ed31c81227d69052 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52 
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #28391dab536dca51 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86 
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #2dd242b60258cbda Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246 
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #aa0f7ef4bf7ada46 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280 
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dc1faebf5f6a5fe0 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306 
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #445309761e8d1094 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323 
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #559825d03ea821fe Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891 
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8e5a0e93f41b709b Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141 
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #73d9b2e2a0cc6347 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707 
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #63909e4b45e46d9e Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708 
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #35dd776d20d4c94d Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150 
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5c19fdb87eb89fa5 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180 
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc331239bc6be218 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13 
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c7f1dab78cc0ba9a Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14 
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b9f932ffaafae17c Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15 
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #3bd02c23d18d378b Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16 
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #852f3e32ee811acf Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313 
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a23b9f98170e070d Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164 
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/kit

npm first-party
expand_more 12 low-confidence finding(s)
low env_fs production #dee67a7a8afdc83d Filesystem access.
repo/packages/kit/src/ignore.ts:66 
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #86f848c043c1afd5 Filesystem access.
repo/packages/kit/src/module/install.test.ts:16 
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #88da8d1166aedd22 Filesystem access.
repo/packages/kit/src/module/install.test.ts:22 
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #814ac228a80f233f Filesystem access.
repo/packages/kit/src/module/install.ts:337 
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #f83553b0a77118fb Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20 
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #197ad5801c0adc07 Filesystem access.
repo/packages/kit/src/template.ts:652 
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #3474abd410eab15c Filesystem access.
repo/packages/kit/src/template.ts:653 
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #fcfe5d4173bc4a24 Filesystem access.
repo/packages/kit/src/template.ts:654 
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ad6bae21c0e36294 Filesystem access.
repo/packages/kit/src/template.ts:655 
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #126fb7bf16ed68e0 Filesystem access.
repo/packages/kit/src/template.ts:656 
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #307b95c45dae57c8 Filesystem access.
repo/packages/kit/src/template.ts:657 
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #0a7ccc5b5ba380e3 Filesystem access.
repo/packages/kit/src/template.ts:658 
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nitro-server

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #b3ce20b048eca8a5 Filesystem access.
repo/packages/nitro-server/src/index.ts:461 
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b6784abd99cc6b19 Filesystem access.
repo/packages/nitro-server/src/index.ts:494 
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #45337e144bf2bbdb Filesystem access.
repo/packages/nitro-server/src/index.ts:498 
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #85e8e6295937ba50 Filesystem access.
repo/packages/nitro-server/src/index.ts:882 
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #83a2b0c279f39a63 Filesystem access.
repo/packages/nitro-server/src/index.ts:889 
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #e07e099aa4708202 Filesystem access.
repo/packages/nitro-server/src/index.ts:993 
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #d4a68beeb8f9d517 Filesystem access.
repo/packages/nitro-server/src/index.ts:1108 
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #f73a546b72f6511e Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73 
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/schema

npm first-party
expand_more 14 low-confidence finding(s)
low env_fs production #a7007df773faece2 Environment-variable access.
repo/packages/schema/src/config/app.ts:33 
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #cfc631af949aacf4 Environment-variable access.
repo/packages/schema/src/config/app.ts:41 
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b20596f0a6023339 Environment-variable access.
repo/packages/schema/src/config/app.ts:50 
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #0336d6a36e93baac Environment-variable access.
repo/packages/schema/src/config/common.ts:142 
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #eac296034a63c94d Environment-variable access.
repo/packages/schema/src/config/common.ts:147 
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a00f99a328212312 Environment-variable access.
repo/packages/schema/src/config/common.ts:148 
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c5d7435590e32e43 Environment-variable access.
repo/packages/schema/src/config/common.ts:153 
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #931d901f2cf41a77 Environment-variable access.
repo/packages/schema/src/config/common.ts:154 
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #bc01ffe5b818a35a Environment-variable access.
repo/packages/schema/src/config/dev.ts:8 
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #c98b451a2b049a3e Environment-variable access.
repo/packages/schema/src/config/dev.ts:9 
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/ui-templates

npm first-party
expand_more 10 low-confidence finding(s)
low env_fs production #e824c0f844124944 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27 
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #5820f84a8e2ee735 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29 
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #35746ba60b2222c8 Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16 
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #50cfc609f43f0615 Filesystem access.
repo/packages/ui-templates/lib/render.ts:47 
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8367d283bd45120b Filesystem access.
repo/packages/ui-templates/lib/render.ts:68 
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #9088ae1017598aad Filesystem access.
repo/packages/ui-templates/lib/render.ts:83 
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dae326373ea5afee Filesystem access.
repo/packages/ui-templates/lib/render.ts:99 
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #66d885861c23c9d5 Filesystem access.
repo/packages/ui-templates/lib/render.ts:193 
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #34f7498f8f892bb7 Filesystem access.
repo/packages/ui-templates/lib/render.ts:194 
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #02852608c39b1ab4 Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18 
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/vite

npm first-party
expand_more 11 low-confidence finding(s)
low env_fs production #46af0007b0096648 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73 
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #53abf9737dbc2345 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106 
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8041a77a4e56c1f7 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107 
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #ed755b095245121e Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29 
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #74c37e962a45ffc3 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30 
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #dabe6fd978cc48cd Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71 
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #8d83725a76cee7ce Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342 
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #b9571c7d68696a1a Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45 
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #a944caa71ee6ef1f Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16 
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #84ddadd963b4f6bf Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17 
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #1fd45152606e07cf Environment-variable access.
repo/packages/vite/src/vite-node.ts:9 
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/webpack

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #b8d212cbad0275f1 Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51 
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #d8a8742d0f7a3e53 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170 
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs production #59816a6a3e92ae9c Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171 
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

pkg-pr-new

npm dependency
high pii_flow dependency Excluded from app score #13f8f041495fc22a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:215 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:215 
            checkResponse = await fetch(new URL("/check", apiUrl), {
              method: "POST",
              body: JSON.stringify({
                owner,
                repo,
                key,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow dependency Excluded from app score #71d790d00a6040d8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:317 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:317 
              const resource = await fetch(longDepUrl, {
                signal: controller.signal,
              });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow dependency Excluded from app score #3ac42ce163b585eb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:523 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:523 
                const createMultipartRes = await fetch(createMultipart, {
                  method: "POST",
                  headers: {
                    "sb-key": key,
                    "sb-name": name.slice("package:".length),
                    "sb-sha": sha,
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow dependency Excluded from app score #3ab75854468041b2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:549 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:549 
                  const uploadMultipartRes = await fetch(uploadMultipart, {
                    method: "PUT",
                    headers: {
                      key: uploadKey,
                      id: uploadId,
                      "part-number": `${i + 1}`,
                    },
                    body: chunk,
                  });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow dependency Excluded from app score #ca66bdda3577b40c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:568 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:568 
                const completeMultipartRes = await fetch(completeMultipart, {
                  method: "POST",
                  headers: {
                    key: uploadKey,
                    id: uploadId,
                    "uploaded-parts": JSON.stringify(uploadedParts),
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
high pii_flow dependency Excluded from app score #4de84c66264b4bd0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:590 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:590 
          const res = await fetch(publishUrl, {
            method: "POST",
            headers: {
              "sb-sha": sha,
              "sb-comment": comment,
              "sb-compact": `${isCompact}`,
              "sb-key": key,
              "sb-shasums": JSON.stringify(shasums),
              "sb-run-id": GITHUB_RUN_ID,
              "sb-bin": `${isBinaryApplication}`,
              "sb-package-manager": selectedPackageManager.join(","),
              "sb-only-templates": `${isOnlyTemplates}`,
              "sb-comment-with-sha": `${isCommentWithSha}`,
              "sb-comment-with-dev": `${isCommentWithDev}`,
            },
            body: formData,
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #6f9c375d5742520d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:230 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:230 
            console.error(
              `Check failed (${checkResponse.status}): ${errorText}`,
            );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #790c7a172cf11f1d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:321 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:321 
                console.warn(
                  `${pJson.name}@${formattedSha} was already published on ${longDepUrl}`,
                );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #f76ff0e205a0bd4e PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:325 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:325 
                console.warn(
                  `Server error checking ${longDepUrl} (${resource.status}), proceeding with publish`,
                );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #49d3051eda15afa2 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:330 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:330 
              console.warn(
                `Failed to check if package exists at ${longDepUrl}: ${error}`,
              );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #86d414f414a4bf4c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:532 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:532 
                  console.error(await createMultipartRes.text());

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #59640cfad68251b7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:560 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:560 
                    console.error(
                      `Error uploading part ${i + 1}: ${await uploadMultipartRes.text()}`,
                    );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #ac2a2d5b98f954db PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:577 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:577 
                  console.error(
                    `Error completing ${key}: ${await completeMultipartRes.text()}`,
                  );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #a209dc11f56ba8ee PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:610 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:610 
            console.error(`Publishing failed (${res.status}): ${errorText}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #59e4c7ac26100a6d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/index.ts:619 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/index.ts:619 
            console.error(`Raw response: ${await res.text()}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #f0ee2f851c915b58 Environment-variable access.
pkgs/npm/[email protected]/index.ts:42 
const apiUrl = process.env.API_URL ?? API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5a3efbc06447cba6 Environment-variable access.
pkgs/npm/[email protected]/index.ts:186 
          if (!process.env.TEST && process.env.GITHUB_ACTIONS !== "true") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5a3efbc06447cba6 Environment-variable access.
pkgs/npm/[email protected]/index.ts:186 
          if (!process.env.TEST && process.env.GITHUB_ACTIONS !== "true") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a322ae667b030495 Environment-variable access.
pkgs/npm/[email protected]/index.ts:240 
          if (process.env.GITHUB_EVENT_NAME !== "pull_request") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f5203e991f122cb2 Filesystem access.
pkgs/npm/[email protected]/index.ts:380 
              const gitignoreContent = await fs.readFile(gitignorePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #185d80c2eab53931 Filesystem access.
pkgs/npm/[email protected]/index.ts:394 
              const file = await fs.readFile(path.join(templateDir, filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7f5628caf47109a2 Filesystem access.
pkgs/npm/[email protected]/index.ts:495 
              const buffer = await fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a872df79e15ddd9c Filesystem access.
pkgs/npm/[email protected]/index.ts:659 
            await fs.writeFile(jsonFilePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #afc52d664b2f3f03 Filesystem access.
pkgs/npm/[email protected]/index.ts:714 
      .update(await fs.readFile(path.resolve(p, filename)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2f4624b0fe977428 Filesystem access.
pkgs/npm/[email protected]/index.ts:754 
  return () => fs.writeFile(pJsonPath, pJsonContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d585eec2653a5e88 Filesystem access.
pkgs/npm/[email protected]/index.ts:812 
    return await fs.readFile(p, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d469813dc3c9a707 Environment-variable access.
pkgs/npm/[email protected]/tsup.config.ts:12 
    API_URL: JSON.stringify(process.env.API_URL ?? "https://localhost:3000"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

esbuild

npm dependency
medium pii_flow dependency Excluded from app score #fe602bdfea01afe0 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/install.js:260 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/install.js:29 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/install.js:260 
      console.warn(`[esbuild] Ignoring bad configuration: ESBUILD_BINARY_PATH=${ESBUILD_BINARY_PATH}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
medium pii_flow dependency Excluded from app score #172c15995f15d235 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/[email protected]/lib/main.js:1973 · flow /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/lib/main.js:1889 → /tmp/closeopen-dsbc1fle/pkgs/npm/[email protected]/lib/main.js:1973 
      console.warn(`[esbuild] Ignoring bad configuration: ESBUILD_BINARY_PATH=${ESBUILD_BINARY_PATH}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.
expand_more 26 low-confidence finding(s)
low env_fs dependency Excluded from app score #44c600d6edf62366 Filesystem access.
pkgs/npm/[email protected]/install.js:26 
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #44c600d6edf62366 Filesystem access.
pkgs/npm/[email protected]/install.js:26 
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #78a7487a19972126 Environment-variable access.
pkgs/npm/[email protected]/install.js:29 
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4ac1eb127ebae78d Filesystem access.
pkgs/npm/[email protected]/install.js:89 
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4ac1eb127ebae78d Filesystem access.
pkgs/npm/[email protected]/install.js:89 
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f1f3cc8aa26295d0 Filesystem access.
pkgs/npm/[email protected]/install.js:186 
    fs2.writeFileSync(path2.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cd582676ce72643a Filesystem access.
pkgs/npm/[email protected]/install.js:192 
    binaryIntegrityCheck(pkg, subpath, fs2.readFileSync(installedBinPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1999d7f4e581e722 Filesystem access.
pkgs/npm/[email protected]/install.js:217 
  fs2.writeFileSync(toPath, `#!/usr/bin/env node
require('child_process').execFileSync(${pathString}, process.argv.slice(2), { stdio: 'inherit' });
`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b4da04f4e1f7be51 Filesystem access.
pkgs/npm/[email protected]/install.js:221 
  const code = fs2.readFileSync(libMain, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a4135628d8c7d332 Filesystem access.
pkgs/npm/[email protected]/install.js:222 
  fs2.writeFileSync(libMain, `var ESBUILD_BINARY_PATH = ${pathString};
${code}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #aa159d1996ef7c3c Filesystem access.
pkgs/npm/[email protected]/install.js:250 
    fs2.writeFileSync(binPath, bytes);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bf2a9d519ca76ee6 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1020 
            fs3.readFile(response.code, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.code = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #10fc11227935cbf1 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1031 
            fs3.readFile(response.map, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.map = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0e4dab03cb757577 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1057 
      start = () => fs3.writeFile(input, next);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6b7a3ee44c2d822c Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1714 
            contents = streamIn.readFileSync(match[1], "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e16cc11477498148 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1886 
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e16cc11477498148 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1886 
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1a19f44e2ea777eb Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1889 
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #49a5832e59a4af04 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2080 
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #49a5832e59a4af04 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2080 
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5d92b22ec9de5e2d Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2084 
if (process.env.ESBUILD_WORKER_THREADS !== "0") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a20bd9e17d02c5b6 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2122 
      let contents = fs2.readFileSync(tempFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dea43fe22c87ba6e Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2135 
      fs2.writeFileSync(tempFile, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #88a6a81ce1f1c225 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2145 
      fs2.readFile(tempFile, "utf8", (err, contents) => {
        try {
          fs2.unlink(tempFile, () => callback(err, contents));
        } catch {
          callback(err, contents);
        }
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #119640ed1cc038c2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2159 
      fs2.writeFile(tempFile, contents, (err) => err !== null ? callback(null) : callback(tempFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #39ad01210e7f7380 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2380 
    maxBuffer: +process.env.ESBUILD_MAX_BUFFER || 16 * 1024 * 1024

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@babel/core

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #3b561dbb39c6d359 Filesystem access.
pkgs/npm/@[email protected]/lib/config/files/index.js:20 
    return fn(filepath, yield* readFile(filepath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #22952cd49ae6d9e2 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/files/index.js:326 
  const targetPath = process.env.BABEL_SHOW_CONFIG_FOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c0f42890bf986104 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:315 
  return process.env.BABEL_ENV || process.env.NODE_ENV || defaultValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c0f42890bf986104 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:315 
  return process.env.BABEL_ENV || process.env.NODE_ENV || defaultValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9fb5b874b915faa1 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:1761 
  if (typeof process !== "undefined" && process.env.BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b4bd63dddd7384c9 Filesystem access.
pkgs/npm/@[email protected]/lib/transform-file.js:12 
  const code = yield* readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2e4adab04cac4fcb Filesystem access.
pkgs/npm/@[email protected]/lib/transformation/read-input-source-map-file.js:65 
    const inputMapContent = fs.readFileSync(inputMapPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/cli

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #deb3b193a819e8ff Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:10 
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7b8dca76f1d40dd2 Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:15 
      process.env.NODE_COMPILE_CACHE ||= directory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/friendly-errors-webpack-plugin

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #597561ecca66b11a Environment-variable access.
pkgs/npm/@[email protected]/src/reporters/base.js:36 
        if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@parcel/watcher

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #9d5155b374e719da Environment-variable access.
pkgs/npm/@[email protected]/scripts/build-from-source.js:5 
if (process.env.npm_config_build_from_source === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@rspack/core

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #09dd59288873e72d Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:209 
else if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1b177ec5d3fda4e7 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:258 
  if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || '')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f80b003e2146c3f9 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:271 
if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs.__patched) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #37183e0df7da94b6 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:760 
var platform = process.env.GRACEFUL_FS_PLATFORM || process.platform

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4b54f64f411d48b7 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3032 
	+process.env.WATCHPACK_WATCHER_LIMIT || (IS_OSX ? 20 : 10000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #01b6863458014a02 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3035 
	process.env.WATCHPACK_RECURSIVE_WATCHER_LOGGING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #74a8d40edf7194b4 Filesystem access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3490 
module.exports = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/compiler-core

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #dbcd6d83358c85f2 Environment-variable access.
pkgs/npm/@[email protected]/index.js:3 
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/language-core

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #ab1d95ce9a3613df Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:18 
            return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9125b9312e34bf65 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:51 
                return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5958a095f46c300b Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:174 
        const packageJsonPath = this.ts.findConfigFile(folder, fileName => this.readFile(fileName) !== undefined, 'node_modules/vue/package.json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #61699c31e4c16d03 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:178 
        const packageJsonContent = this.readFile(packageJsonPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/shared

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #b5021cbaf75097b8 Environment-variable access.
pkgs/npm/@[email protected]/index.js:3 
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

autoprefixer

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #da885e55d47d76c9 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:559 
      } else if (typeof process.env.AUTOPREFIXER_GRID !== 'undefined') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c6aeeb07e81433e3 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:560 
        if (process.env.AUTOPREFIXER_GRID === 'autoplace') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chokidar

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #8a8207e1034be0b7 Environment-variable access.
pkgs/npm/[email protected]/index.js:284 
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8f443ef5e34df135 Environment-variable access.
pkgs/npm/[email protected]/index.js:294 
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #67e8f8dd89f6eb9e Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129 
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2ef6fac3c63ca444 Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133 
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5b5ebf90bf60ee73 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281 
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7cb782f90590e86c Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326 
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d2def9c1b47454f4 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330 
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d1be547b8754a03 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825 
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d6f4ca74712dced4 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44 
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c4939490a2132226 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56 
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fb5adce281040a9f Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60 
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cc10572fbb89e586 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64 
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b57c2cc56fe435a3 Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697 
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0465a6bfef953860 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217 
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #40fea37ca9e9b64c Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240 
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-import-x

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #1333c9892a883477 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:658 
			pkg: JSON.parse(stripBOM(node_fs.default.readFileSync(fp, { encoding: "utf8" }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2f001dfb78039ea9 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:1369 
		const content = node_fs.default.readFileSync(filepath, { encoding: "utf8" });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #010befcaab66668b Environment-variable access.
pkgs/npm/[email protected]/lib/index.cjs:2029 
	const client = process.env.npm_config_user_agent?.split("/")[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #61a4c1a4d441d8d1 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:4384 
		return JSON.parse(node_fs.default.readFileSync(jsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9a62fc47b20e712e Filesystem access.
pkgs/npm/[email protected]/lib/rules/no-extraneous-dependencies.js:16 
        return JSON.parse(fs.readFileSync(jsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #21536e1a44f4d920 Filesystem access.
pkgs/npm/[email protected]/lib/utils/export-map.js:68 
        const content = fs.readFileSync(filepath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ebfdd64bfe3704c0 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/npm-client.js:14 
    const client = process.env.npm_config_user_agent?.split('/')[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d714d108993db5da Filesystem access.
pkgs/npm/[email protected]/lib/utils/read-pkg-up.js:13 
            pkg: JSON.parse(stripBOM(fs.readFileSync(fp, { encoding: 'utf8' }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fork-ts-checker-webpack-plugin

npm dependency
expand_more 16 low-confidence finding(s)
low env_fs dependency Excluded from app score #cd6607ff2aa6dac6 Filesystem access.
pkgs/npm/[email protected]/lib/formatter/code-frame-formatter.js:14 
        const source = issue.file && fs_extra_1.default.existsSync(issue.file) && fs_extra_1.default.readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5799e7f5068defc6 Environment-variable access.
pkgs/npm/[email protected]/lib/rpc/rpc-worker.js:81 
    return JSON.parse(process.env[WORKER_DATA_ENV_KEY] || '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #42c3f9c02c3f9bff Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/file-system.d.ts:2 
import type { Dirent, Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #caad29bc1cd95ae5 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:46 
        return memfs_1.fs
            .readFileSync(real_file_system_1.realFileSystem.normalizePath(path), { encoding: encoding })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2b274a925f3fd012 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:67 
    memfs_1.fs.writeFileSync(real_file_system_1.realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d214bda8620f5408 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:35 
            ? real_file_system_1.realFileSystem.readFile(path, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #da38118c91ce07bf Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:36 
            : mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f550e79e96ff37cd Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:39 
        return real_file_system_1.realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #babe96a677a8a078 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:42 
        return mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #97d3f42230095b5c Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:98 
            readFileCache.set(normalizedPath, fs.readFileSync(normalizedPath, { encoding: encoding }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9d08c97d46ecfe6e Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:152 
    fs.writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #87ecb3c3c701b83f Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/host/watch-solution-builder-host.js:28 
            system_1.system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1974bbb6f4f561aa Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:45 
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #46c6ca10d2d5e299 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:52 
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #80f0cbe0cfefcbaa Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:213 
                const content = passive_file_system_1.passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9d4e16df6db1a8be Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:215 
                    mem_file_system_1.memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

happy-dom

npm dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #e1760c839a85a7b1 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:8 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6ced9abc35d86c60 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:293 
            buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f32f6fc97d6ee092 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:4 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9b8bac91d013c3d2 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:246 
            buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #691b1fc10092ea35 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:2 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bf43893cde7921bb Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:42 
                promises.push(FS.promises
                    .readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b6a8175d7a51bc9e Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:49 
                        return FS.promises
                            .readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #82d6b5cd44d1040d Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:129 
                        promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6629a9e1b806ebb6 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:131 
                            promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.data`), cachedResponse.response.body));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #62bbf3eca751f483 Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:5 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #586d5c07a91aa01d Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:101 
                packageJson = JSON.parse(FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #599dd3ef0454ecba Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:12 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7882bea13ae3b017 Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:380 
			buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9dc3a7509baa0103 Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:6 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fd251fd97f88d0b0 Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:326 
			buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4e7e5c180c8d5f51 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:3 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6117b0dc20a31549 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:53 
					FS.promises
						.readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8835f8c935bb623a Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:61 
								return FS.promises
									.readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8fffd8c0f77f977f Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:157 
							FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #974df4d3383893c3 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:162 
								FS.promises.writeFile(
									Path.join(absoluteDirectory, `${hash}.data`),
									cachedResponse.response.body
								)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f4960c976280bbf5 Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:7 
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #de7dcc6522b4c75a Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:128 
					FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jiti

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #26a2ffab24db458a Environment-variable access.
pkgs/npm/[email protected]/lib/jiti-cli.mjs:15 
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4d15b9741892b167 Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:45 
  const rawSource = await readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3384f71f9311d0b9 Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:121 
    return JSON.parse(await readFile(packageJsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #aedd49c6ca57dcc3 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:194 
      fs.writeFileSync(options.output, lintResultString);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4d8b57028d28eeb5 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:278 
  const ignoreText = fs.readFileSync(ignorePath, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f3439e0a2ffc4ec4 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:323 
        const originalText = fs.readFileSync(file, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #680339aa970919cf Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:326 
          fs.writeFileSync(file, fixedText, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

memfs

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #e784dd263dbf1c5d Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:3 
fs.writeFileSync('/hello.txt', 'Hello World');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #b671dee34abb541f Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:5 
console.log(fs.readFileSync('/hello.txt', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

oxc-transform

npm dependency
expand_more 61 low-confidence finding(s)
low env_fs dependency Excluded from app score #bab7ccbe96b0a223 Filesystem access.
pkgs/npm/[email protected]/index.js:10 
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bab7ccbe96b0a223 Filesystem access.
pkgs/npm/[email protected]/index.js:10 
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ba3ca27e8872abf4 Filesystem access.
pkgs/npm/[email protected]/index.js:32 
    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2ef19ed796fe132d Environment-variable access.
pkgs/npm/[email protected]/index.js:68 
  if (process.env.NAPI_RS_NATIVE_LIBRARY_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2d1054e5df43ca9f Environment-variable access.
pkgs/npm/[email protected]/index.js:70 
      return require(process.env.NAPI_RS_NATIVE_LIBRARY_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7733024afdccbcd5 Environment-variable access.
pkgs/npm/[email protected]/index.js:84 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7733024afdccbcd5 Environment-variable access.
pkgs/npm/[email protected]/index.js:84 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f55b623ffd189cff Environment-variable access.
pkgs/npm/[email protected]/index.js:100 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f55b623ffd189cff Environment-variable access.
pkgs/npm/[email protected]/index.js:100 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #36f3e9f7a61193d9 Environment-variable access.
pkgs/npm/[email protected]/index.js:121 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #36f3e9f7a61193d9 Environment-variable access.
pkgs/npm/[email protected]/index.js:121 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f24b154295c72121 Environment-variable access.
pkgs/npm/[email protected]/index.js:137 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f24b154295c72121 Environment-variable access.
pkgs/npm/[email protected]/index.js:137 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cfe93c8f11636fa1 Environment-variable access.
pkgs/npm/[email protected]/index.js:154 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cfe93c8f11636fa1 Environment-variable access.
pkgs/npm/[email protected]/index.js:154 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fa773861f4cb15b1 Environment-variable access.
pkgs/npm/[email protected]/index.js:170 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fa773861f4cb15b1 Environment-variable access.
pkgs/npm/[email protected]/index.js:170 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #06739594e45e1eed Environment-variable access.
pkgs/npm/[email protected]/index.js:189 
      if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #06739594e45e1eed Environment-variable access.
pkgs/npm/[email protected]/index.js:189 
      if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d505292cbbfef501 Environment-variable access.
pkgs/npm/[email protected]/index.js:205 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d505292cbbfef501 Environment-variable access.
pkgs/npm/[email protected]/index.js:205 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8d8f15ccddbf713e Environment-variable access.
pkgs/npm/[email protected]/index.js:221 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8d8f15ccddbf713e Environment-variable access.
pkgs/npm/[email protected]/index.js:221 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9c8d1413a43335cf Environment-variable access.
pkgs/npm/[email protected]/index.js:241 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9c8d1413a43335cf Environment-variable access.
pkgs/npm/[email protected]/index.js:241 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d60efdcdfe6ed2fd Environment-variable access.
pkgs/npm/[email protected]/index.js:257 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d60efdcdfe6ed2fd Environment-variable access.
pkgs/npm/[email protected]/index.js:257 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2fbfc5d2550223e0 Environment-variable access.
pkgs/npm/[email protected]/index.js:278 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2fbfc5d2550223e0 Environment-variable access.
pkgs/npm/[email protected]/index.js:278 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ad54491861d1f661 Environment-variable access.
pkgs/npm/[email protected]/index.js:294 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ad54491861d1f661 Environment-variable access.
pkgs/npm/[email protected]/index.js:294 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #558b92c0a1d5fe9a Environment-variable access.
pkgs/npm/[email protected]/index.js:312 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #558b92c0a1d5fe9a Environment-variable access.
pkgs/npm/[email protected]/index.js:312 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6bced5a804e2aa1e Environment-variable access.
pkgs/npm/[email protected]/index.js:328 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6bced5a804e2aa1e Environment-variable access.
pkgs/npm/[email protected]/index.js:328 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #78fa24c1bfde47d7 Environment-variable access.
pkgs/npm/[email protected]/index.js:346 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #78fa24c1bfde47d7 Environment-variable access.
pkgs/npm/[email protected]/index.js:346 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6e438b41bef86b1b Environment-variable access.
pkgs/npm/[email protected]/index.js:362 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6e438b41bef86b1b Environment-variable access.
pkgs/npm/[email protected]/index.js:362 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9fe5ecff6d1ff75a Environment-variable access.
pkgs/npm/[email protected]/index.js:380 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9fe5ecff6d1ff75a Environment-variable access.
pkgs/npm/[email protected]/index.js:380 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #48ed7d44ca28f7dc Environment-variable access.
pkgs/npm/[email protected]/index.js:396 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #48ed7d44ca28f7dc Environment-variable access.
pkgs/npm/[email protected]/index.js:396 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2704913d346f0304 Environment-variable access.
pkgs/npm/[email protected]/index.js:414 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2704913d346f0304 Environment-variable access.
pkgs/npm/[email protected]/index.js:414 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7282c2bb1cc606d5 Environment-variable access.
pkgs/npm/[email protected]/index.js:430 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7282c2bb1cc606d5 Environment-variable access.
pkgs/npm/[email protected]/index.js:430 
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #87532fb10f57b350 Environment-variable access.
pkgs/npm/[email protected]/index.js:447 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #87532fb10f57b350 Environment-variable access.
pkgs/npm/[email protected]/index.js:447 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6080dc053dd36b20 Environment-variable access.
pkgs/npm/[email protected]/index.js:463 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6080dc053dd36b20 Environment-variable access.
pkgs/npm/[email protected]/index.js:463 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #29cd102b75596562 Environment-variable access.
pkgs/npm/[email protected]/index.js:483 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #29cd102b75596562 Environment-variable access.
pkgs/npm/[email protected]/index.js:483 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #97ca3b56051e0eff Environment-variable access.
pkgs/npm/[email protected]/index.js:499 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #97ca3b56051e0eff Environment-variable access.
pkgs/npm/[email protected]/index.js:499 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a3aebbd006f8abe2 Environment-variable access.
pkgs/npm/[email protected]/index.js:515 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a3aebbd006f8abe2 Environment-variable access.
pkgs/npm/[email protected]/index.js:515 
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #57d11ad040cf8cc4 Environment-variable access.
pkgs/npm/[email protected]/index.js:540 
  process.env.NAPI_RS_FORCE_WASI === 'true' || process.env.NAPI_RS_FORCE_WASI === 'error'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #57d11ad040cf8cc4 Environment-variable access.
pkgs/npm/[email protected]/index.js:540 
  process.env.NAPI_RS_FORCE_WASI === 'true' || process.env.NAPI_RS_FORCE_WASI === 'error'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #827249747156c46e Environment-variable access.
pkgs/npm/[email protected]/index.js:568 
  if (process.env.NAPI_RS_FORCE_WASI === 'error' && !wasiBinding) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4eddc1052e4cfd38 Filesystem access.
pkgs/npm/[email protected]/webcontainer-fallback.cjs:4 
const pkg = JSON.parse(fs.readFileSync(require.resolve("oxc-transform/package.json"), "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

playwright-core

npm dependency
expand_more 49 low-confidence finding(s)
low env_fs dependency Excluded from app score #85f5ae753c9de399 Environment-variable access.
pkgs/npm/[email protected]/lib/bootstrap.js:13 
if (process.env.PW_INSTRUMENT_MODULES) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #34514b1ef9d6e0cd Environment-variable access.
pkgs/npm/[email protected]/lib/server/electron/loader.js:59 
  process.env.PLAYWRIGHT_LEGACY_SCREENSHOT ? "" : "--enable-features=CDPScreenshotNewSurface",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #268ed361ab665339 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:1780 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #268ed361ab665339 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:1780 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d512f2bac943258d Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5457 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d512f2bac943258d Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5457 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bcd4a423ad7be9ba Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5948 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bcd4a423ad7be9ba Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5948 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bd3274bfff33399d Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5955 
      if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) console.error(error);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b8d9b14417471114 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6345 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b8d9b14417471114 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6345 
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fd45a1a2bbe539ac Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6582 
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d9453af7e314443e Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6593 
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #29466a64ba6e4076 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7092 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #be5c25031b81cfc0 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7179 
    await import_fs.default.promises.writeFile(file, JSON.stringify(descriptor, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4f70d8c5e5b757bc Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7188 
    const content = await import_fs.default.promises.readFile(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9ef220beebb38bcf Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7199 
    const content = import_fs.default.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2364ff3a2fa88d49 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7213 
    return process.env.PWTEST_SERVER_REGISTRY || registryDirectory;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dcb3363907f328aa Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7243 
      descriptor = JSON.parse(import_fs.default.readFileSync(file, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #78ff32bc105c1aca Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7281 
    return process.env.XDG_CACHE_HOME || import_path2.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #70d103d6f65b3dd4 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7285 
    return process.env.LOCALAPPDATA || import_path2.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #1e054c3040775f78 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:35 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #dea08780909238f0 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:44 
  if (process.env.PWTEST_CLI_CHANNEL_SCAN_DISABLED_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #13f2d284f993f729 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:72 
    contents = await import_fs.default.promises.readFile(import_path.default.join(userDataDir, "DevToolsActivePort"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #89b4ebfd2f9d4f7c Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:99 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #c612b77be7312fc5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:104 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #7e84914a2fbfb55c Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:109 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #7eb26c109d77403a Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:114 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #10300e075bbdf5ca Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:119 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #f8e8d15571cdfac4 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:124 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #675d430ebd0e03cb Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:129 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #aa47b7c866888679 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:134 
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #831b036fef3f8700 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/output.js:191 
    if (process.env.PWTEST_PRINT_DASHBOARD_PID_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #061d1988be026eb5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:80 
      if (process.env.CLAUDECODE || process.env.COPILOT_CLI)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #061d1988be026eb5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:80 
      if (process.env.CLAUDECODE || process.env.COPILOT_CLI)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #415de97c18354694 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:301 
  const pidFilterEnv = process.env.PWTEST_KILL_ALL_PID_FILTER_FOR_TEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #7791e6fc9a4a33c4 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:40 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #cff46d9234fafef5 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:81 
      const data = await import_fs.default.promises.readFile(fileName, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #e1257c27c759f76f Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:120 
  if (process.env.PWTEST_DAEMON_SESSION_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #d0078460d14081e5 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:121 
    return process.env.PWTEST_DAEMON_SESSION_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #0d0f2e0cae54367c Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:124 
    localCacheDir = process.env.XDG_CACHE_HOME || import_path.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #a4791fa88ad7b469 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:128 
    localCacheDir = process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #504222efa7eb6515 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:135 
  const version = process.env.PLAYWRIGHT_CLI_VERSION_FOR_TEST || import_package.packageJSON.version;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #d428a908533e7755 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:163 
  return sessionName || process.env.PLAYWRIGHT_CLI_SESSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #59d563ec51a4944b Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:35 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #18ed10591ac6657e Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:174 
          const errLogContent = import_fs.default.readFileSync(errLog, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #a1ad80c0599b81d7 Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:36 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #e3aba393cf559b98 Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:59 
    const prefs = await import_fs.default.promises.readFile(import_path.default.join(profileDir, "Preferences"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e6525c698c390208 Filesystem access.
pkgs/npm/[email protected]/types/types.d.ts:19 
import { ReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #5872d2efd943e17e Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:218 
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #051545eab99fc3d7 Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:440 
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3a4b41589e2181a7 Environment-variable access.
pkgs/npm/[email protected]/lib/no-work-result.js:114 
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #706ee436f49f2ec4 Environment-variable access.
pkgs/npm/[email protected]/lib/parse.js:13 
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e006b1c7f3d43879 Environment-variable access.
pkgs/npm/[email protected]/lib/postcss.js:41 
      if (process.env.LANG && process.env.LANG.startsWith('cn')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e006b1c7f3d43879 Environment-variable access.
pkgs/npm/[email protected]/lib/postcss.js:41 
      if (process.env.LANG && process.env.LANG.startsWith('cn')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3ef67c582a2fee67 Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:3 
let { existsSync, readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3ef67c582a2fee67 Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:3 
let { existsSync, readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dbf890b0feaff2d5 Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:97 
      return readFileSync(path, 'utf-8').toString().trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #25f64f85debc2cf7 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:30 
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss-url

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #5292f6cf34896d84 Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:3 
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5292f6cf34896d84 Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:3 
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3fc064d6bb62c52b Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:10 
        fs.readFile(filePath, (err, data) => {
            if (err) {
                reject(err);
            }
            resolve(data);
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dc46b65e03909bd0 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:4 
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dc46b65e03909bd0 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:4 
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f6ebfdaeaddd3803 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:22 
        fs.writeFile(dest, file.contents, { flag: 'wx' }, (err) => {
            if (err) {
                err.code === 'EEXIST' ? resolve() : reject(err);
            }
            resolve();
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency
expand_more 77 low-confidence finding(s)
low env_fs dependency Excluded from app score #db9e6ae72e91d144 Environment-variable access.
pkgs/npm/[email protected]/bin/prettier.cjs:66 
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #219a20fcc1a7491a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5609 
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #219a20fcc1a7491a Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5609 
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #218f10c0f6e12522 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6176 
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #218f10c0f6e12522 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6176 
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #984e5be455046424 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6177 
      process.env.TEST_PSEUDOMAP = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2779f5721c73bb2d Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6178 
    if (typeof Map === "function" && !process.env.TEST_PSEUDOMAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #be6ce9988d627582 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6520 
    var hasSymbol = typeof Symbol === "function" && process.env._nodeLRUCacheForceNoSymbol !== "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7470e4aa31574b86 Filesystem access.
pkgs/npm/[email protected]/index.mjs:7655 
            fs4.readFile(file, "utf8", function(err, data) {
              if (err) {
                reject(err);
                return;
              }
              resolve3(parseString2(data));
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #98341aea8ca18f0c Filesystem access.
pkgs/npm/[email protected]/index.mjs:7668 
      return parseString2(fs4.readFileSync(file, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e3d168493fc328f2 Filesystem access.
pkgs/npm/[email protected]/index.mjs:8004 
              fs4.readFile(name, "utf8", function(err, data) {
                resolve3({
                  name,
                  contents: err ? "" : data
                });
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ec6f66614bb043fc Filesystem access.
pkgs/npm/[email protected]/index.mjs:8020 
          file = fs4.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3895c29ba01b8065 Filesystem access.
pkgs/npm/[email protected]/index.mjs:10382 
import * as fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d69e891f2f9b31d9 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:11485 
  return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : import_picocolors4.default.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d69e891f2f9b31d9 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:11485 
  return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : import_picocolors4.default.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3d0bcfe90e1d60d7 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12540 
import fs2 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5e4d1c85138adbc6 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12546 
    return await fs2.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #67ad052821ca6f00 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12697 
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e708d9dfb93c028a Filesystem access.
pkgs/npm/[email protected]/index.mjs:12707 
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #db2d1863c779279d Filesystem access.
pkgs/npm/[email protected]/index.mjs:13059 
    string = fs3.readFileSync(path6.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8e992f2cc7b2460d Environment-variable access.
pkgs/npm/[email protected]/index.mjs:16485 
      if (process.env.PRETTIER_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #624138260b3b7240 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:10 
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f218aaff26db9235 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:15 
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f23cf7a23f85cd6e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:371 
  return dist_default.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a060060938d2fe6e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:516 
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c8336bdf24c55bc5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:526 
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9fe4b177f018cfdb Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:878 
    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c82704ec7229b733 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1878 
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #abfaf46074201cb6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1955 
          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #97404277dc2b4341 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1961 
          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b1d9212e91736be8 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:54 
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f3f48645b7abb133 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:96 
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e6eb9eddb7f2b18f Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:107 
      const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #210a6c923b753449 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:116 
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d10ed63204f820f0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:612 
import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #eb4eced312b3ce52 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:627 
              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b05b4bbbccf8d046 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:633 
              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3a9d575cdb7cd02e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2515 
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #88f8f2b42c9e880c Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2525 
    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #12fcdb0a0c886aa2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2743 
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #71a8f87a1d9d53c7 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:3607 
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c0f08c2dc171fd7a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:4855 
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cfe98a1c96945392 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5794 
import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #21d951b1cdb6827b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5820 
          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0286ec2428fd7573 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5835 
          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8147d85f8d254a6e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5850 
          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5e97437a71b7486e Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6238 
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dcf42c10e4b2d0c8 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6252 
        return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2ca61783730ac8c3 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6582 
import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7442bccf818f08c3 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6594 
      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3d66c4cd334257c1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10466 
import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d0bc106c10495a44 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10488 
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d34d52b30659d63f Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10493 
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bda2bc6098012cc2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10499 
        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #88880fcbcb6c10b3 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10515 
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7e20f09f02930be2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10521 
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c3fa9224c3b9b672 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11366 
import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1e7066af82ca145b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11559 
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #21ef0b080abcdf0b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11567 
  return dist_default36.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7a093e86e0a171cc Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12330 
import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ddb71661a1dca59b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12395 
  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #50d95c50c6a231eb Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12400 
  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e8cde4f328c77c53 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1233 
import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1c6ca4aae27125fe Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1554 
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #93cd6964bc0f897b Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1778 
import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #80e0d790122a3ea7 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1786 
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #489e87afd196bb36 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1794 
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3168bbde18089d4f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1888 
    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e870aa727fe6f846 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1906 
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #bf75c39742174033 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1910 
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e64996369d1cbe8f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1914 
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6d6cf58b04cce19e Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4302 
      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #623bc036d6c80f6d Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4506 
        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b25829c13f604fd6 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4894 
        const buffer = fs6.readFileSync(absolutePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ac5ea4b8cf44c26e Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5188 
import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ee39c5cbc4430b1e Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5449 
  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1bd1f2bc0660369b Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5805 
      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

semver

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #1926e5be641c6b64 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:6 
  process.env.NODE_DEBUG &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7a7f023c75a4a494 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:7 
  /\bsemver\b/i.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sherif

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #d9cb2d5af4b2b0ea Filesystem access.
pkgs/npm/[email protected]/index.js:4 
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d9cb2d5af4b2b0ea Filesystem access.
pkgs/npm/[email protected]/index.js:4 
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

svgo

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #9ce221c30371cb65 Filesystem access.
pkgs/npm/[email protected]/lib/svgo-node.js:2 
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3a59d357cbada687 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:1 
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #572c7efec3e99998 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:12 
const PKG = JSON.parse(await fs.promises.readFile(pkgPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e369b0f4f269ef03 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:378 
  return fs.promises.readFile(file, 'utf8').then(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #806f69d0b7eebb73 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:452 
  return fs.promises
    .writeFile(output, data, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #795e3a86ca5de3f0 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:517 
    return fs.promises.writeFile(
      path.resolve(output, path.basename(input)),
      data,
      'utf8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-checker-rspack-plugin

npm dependency
expand_more 29 low-confidence finding(s)
low env_fs dependency Excluded from app score #37568730b7723759 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:156 
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2d79611b3a78f6f2 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:202 
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #42725b934417d8e9 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:263 
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #05d5b610c462f126 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:281 
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f2b6dc2438e8bec5 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:316 
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f2b6dc2438e8bec5 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:316 
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #62d7ea03dbd8132b Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:317 
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e7a21f9138e67000 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:318 
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #880187a8dec6aee1 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:361 
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d2a272ab4cf759cb Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:368 
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2de8e5765f013822 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:503 
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #cc7c72f447dec5e4 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:505 
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #217e39e75bbd68b1 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:271 
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7bc04c26c09168b3 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:317 
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8ef69cb42b821f79 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:378 
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #2bee65db80920041 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:396 
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5cf4a330ccb11083 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:431 
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5cf4a330ccb11083 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:431 
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8f2415a80f8d46f0 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:432 
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #588917760f06dca1 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:433 
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #38a49f09bc4b683d Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:476 
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1b6fd996c8e6df69 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:483 
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #15ac9382c31fc373 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:618 
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #92496198d4bddbf8 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:620 
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #723242f398bf81b7 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:994 
            system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3af4c89ab680448d Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:145 
            return "object" == typeof process && ("0" === process.env.FORCE_COLOR || "false" === process.env.FORCE_COLOR) ? false : picocolors.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3af4c89ab680448d Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:145 
            return "object" == typeof process && ("0" === process.env.FORCE_COLOR || "false" === process.env.FORCE_COLOR) ? false : picocolors.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f57e1f5758dc680a Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:2609 
    const defaultPlatform = 'object' == typeof process && process ? 'object' == typeof process.env && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : 'posix';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0b100a52038dcfea Filesystem access.
pkgs/npm/[email protected]/lib/index.js:4385 
            const source = issue.file && external_node_fs_default().existsSync(issue.file) && external_node_fs_default().readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #340501eaaf9b4c3d Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51 
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #62bd364fce1e7971 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309 
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #006d7cacdc501cc2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535 
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a8d337ab2b04dc6b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548 
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b5268450d1ca975f Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565 
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ee3045b4486f822e Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566 
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d928280141297fb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569 
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d928280141297fb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569 
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d928280141297fb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569 
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d928280141297fb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569 
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7d928280141297fb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569 
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #49be4bf4a047e1c4 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44 
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b3a234cc55ff1a5a Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88 
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #da5a511e86c217d7 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42 
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

undici

npm dependency
expand_more 15 low-confidence finding(s)
low env_fs dependency Excluded from app score #b902548d8c4a67c3 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:67 
  const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #6dca87d87c5805d1 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:74 
  if (process.env.UNDICI_NO_WASM_SIMD === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #003d6e106ccd09c9 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:76 
  } else if (process.env.UNDICI_NO_WASM_SIMD === '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #21aac9b05cec1c6b Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26 
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #21aac9b05cec1c6b Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26 
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #656957af65468201 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33 
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #656957af65468201 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33 
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #229f64c3ecdaed52 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:142 
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #229f64c3ecdaed52 Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:142 
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c023a217f2f58c22 Environment-variable access.
pkgs/npm/[email protected]/lib/mock/pending-interceptors-formatter.js:23 
        colors: !disableColors && !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #127c6adea53c3b43 Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:424 
      const data = await readFile(resolve(path), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1b60b14bb721f437 Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:470 
    await writeFile(resolvedPath, JSON.stringify(data, null, 2), { flush: true })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #f7e2b7a42e0877ae Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:7 
  ? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #e15101b575e750d3 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:8 
  : readFileSync('./undici-fetch.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs tooling Excluded from app score unknown #e70f15574e724fd4 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:10 
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

unstorage

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #f0bcb5ead6710480 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:38 
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #93c00770217ad95e Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:41 
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #31cfe4807def09ed Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:51 
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8861f5e845db95e0 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:57 
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #8464f085670d5cd6 Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:49 
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ae442c946479c95d Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:52 
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #80e38dc518ebb14b Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:62 
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f57c24ea5cc605bb Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:68 
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #15e41d6cd89f9f41 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:24 
  return _nodeFs.promises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #047173af05525183 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:27 
  return _nodeFs.promises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0b6b4ed8822532ee Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:11 
  return fsPromises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #00b44cf9fea85572 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:14 
  return fsPromises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #791308271d3cd643 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:19 
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fdf4b20f2ff83499 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:20 
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1f60397c241b08ad Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:27 
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d3110f35709e02d7 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:28 
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e13e97f01cd66468 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:13 
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #45c76d6666e37d4a Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:14 
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ce14f6967a1e033d Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:24 
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9cd5be8ed6eb9fa6 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:25 
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vite

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #8dba179a0b039d21 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:6 
  if (!process.env.DEBUG_DISABLE_SOURCE_MAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #495a77f952960e17 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:36 
  process.env.DEBUG = `${

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dab2b460af606f94 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:37 
    process.env.DEBUG ? process.env.DEBUG + ',' : ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #dab2b460af606f94 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:37 
    process.env.DEBUG ? process.env.DEBUG + ',' : ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4270bc43247cc550 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:43 
      process.env.VITE_DEBUG_FILTER = filter

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #f6cd64bf206f362e Environment-variable access.
pkgs/npm/[email protected]/index.js:3 
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue-router

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #4e1a3b88539cceb2 Environment-variable access.
pkgs/npm/[email protected]/index.cjs:3 
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack

npm dependency
expand_more 31 low-confidence finding(s)
low env_fs dependency Excluded from app score #54121d9bf65bea16 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:888 
							(this.outputFileSystem).writeFile(targetPath, content, (err) => {
								if (err) return callback(err);

								// information marker that the asset has been emitted
								compilation.emittedAssets.add(file);

								// cache the information that the Source has been written to that location
								const newGeneration =
									targetFileGeneration === undefined
										? 1
										: targetFileGeneration + 1;
								/** @type {CacheEntry} */
								(cacheEntry).writtenTo.set(targetPath, newGeneration);
								this._assetEmittingWrittenFiles.set(targetPath, newGeneration);
								this.hooks.assetEmitted.callAsync(
									file,
									{
										content,
										source,
										outputPath,
										compilation,
										targetPath
									},
									callback
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #3be1ac3ab03eb6f7 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:983 
								return /** @type {OutputFileSystem} */ (
									this.outputFileSystem
								).readFile(targetPath, (err, existingContent) => {
									if (
										err ||
										!content.equals(/** @type {Buffer} */ (existingContent))
									) {
										return doWrite(content);
									}
									return alreadyWritten();
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #5e29d122557ac717 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1129 
			(this.outputFileSystem).writeFile(
				/** @type {string} */ (this.recordsOutputPath),
				JSON.stringify(
					this.records,
					(n, value) => {
						if (
							typeof value === "object" &&
							value !== null &&
							!Array.isArray(value)
						) {
							const keys = Object.keys(value);
							if (!isSorted(keys)) {
								return sortObject(value, keys);
							}
						}
						return value;
					},
					2
				),
				callback
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b919d81e2d341bc0 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1215 
			(this.inputFileSystem).readFile(
				/** @type {string} */
				(this.recordsInputPath),
				(err, content) => {
					if (err) return callback(err);

					try {
						this.records =
							/** @type {Records} */
							(parseJson(/** @type {Buffer} */ (content).toString("utf8")));
					} catch (parseErr) {
						return callback(
							new Error(
								`Cannot parse records: ${/** @type {Error} */ (parseErr).message}`
							)
						);
					}

					return callback(null);
				}
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #388f3b5aa830ecc3 Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:447 
					process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #98cc9b5d52a52d1a Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:448 
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f2a3a26cb3a913ac Filesystem access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:465 
			fs.readFile(file, (err, content) => {
				if (err) reject(err);
				else resolve(/** @type {Buffer} */ (content).toString() || "");
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #1bf928a36e7446c3 Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:50 
					process.env[key] !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #d0938bf2e78d86ec Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:51 
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7e94d94aa271bf40 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2077 
								this.fs.readFile(path, (err, content) => {
									if (err) return callback(err);
									try {
										const context = dirname(this.fs, path);
										const source = /** @type {Buffer} */ (content).toString();
										const [imports] = lexer.parse(source);
										/** @type {Set<string>} */
										const added = new Set();
										for (const imp of imports) {
											try {
												/** @type {string} */
												let dependency;
												if (imp.d === -1) {
													// import ... from "..."
													dependency = parseString(
														source.slice(imp.s - 1, imp.e + 1)
													);
												} else if (imp.d > -1) {
													// import()
													const expr = source.slice(imp.s, imp.e).trim();
													dependency = parseString(expr);
												} else {
													// e.g. import.meta
													continue;
												}

												// We should not track Node.js build dependencies
												if (dependency.startsWith("node:")) continue;
												if (builtinModules.has(dependency)) continue;
												// Avoid extra jobs for identical imports
												if (added.has(dependency)) continue;

												push({
													type: RBDT_RESOLVE_ESM_FILE,
													context,
													path: dependency,
													expected: imp.d > -1 ? false : undefined,
													issuer: job
												});
												added.add(dependency);
											} catch (err1) {
												logger.warn(
													`Parsing of ${path} for build dependencies failed at 'import(${source.slice(
														imp.s,
														imp.e
													)})'.\n` +
														"Build dependencies behind this expression are ignored and might cause incorrect cache invalidation."
												);
												logger.debug(pathToString(job));
												logger.debug(/** @type {Error} */ (err1).stack);
											}
										}
									} catch (err2) {
										logger.warn(
											`Parsing of ${path} for build dependencies failed and all dependencies of this file are ignored, which might cause incorrect cache invalidation..`
										);
										logger.debug(pathToString(job));
										logger.debug(/** @type {Error} */ (err2).stack);
									}
									process.nextTick(callback);
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #b6b16357ce1ba90f Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2154 
						this.fs.readFile(packageJson, (err, content) => {
							if (err) {
								if (err.code === "ENOENT") {
									resolveMissing.add(packageJson);
									const parent = dirname(this.fs, packagePath);
									if (parent !== packagePath) {
										push({
											type: RBDT_DIRECTORY_DEPENDENCIES,
											context: undefined,
											path: parent,
											expected: undefined,
											issuer: job
										});
									}
									callback();
									return;
								}
								return callback(err);
							}
							resolveFiles.add(packageJson);
							/** @type {JsonObject} */
							let packageData;
							try {
								packageData = JSON.parse(
									/** @type {Buffer} */
									(content).toString("utf8")
								);
							} catch (parseErr) {
								return callback(/** @type {Error} */ (parseErr));
							}
							const depsObject = packageData.dependencies;
							const optionalDepsObject = packageData.optionalDependencies;
							/** @type {Set<string>} */
							const allDeps = new Set();
							/** @type {Set<string>} */
							const optionalDeps = new Set();
							if (typeof depsObject === "object" && depsObject) {
								for (const dep of Object.keys(depsObject)) {
									allDeps.add(dep);
								}
							}
							if (
								typeof optionalDepsObject === "object" &&
								optionalDepsObject
							) {
								for (const dep of Object.keys(optionalDepsObject)) {
									allDeps.add(dep);
									optionalDeps.add(dep);
								}
							}
							for (const dep of allDeps) {
								push({
									type: RBDT_RESOLVE_DIRECTORY,
									context: packagePath,
									path: dep,
									expected: !optionalDeps.has(dep),
									issuer: job
								});
							}
							callback();
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #a554cdc1f5ec3dd9 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:3547 
		this.fs.readFile(path, (err, content) => {
			if (err) {
				if (err.code === "EISDIR") {
					this._fileHashes.set(path, "directory");
					return callback(null, "directory");
				}
				if (err.code === "ENOENT") {
					this._fileHashes.set(path, null);
					return callback(null, null);
				}
				if (err.code === "ERR_FS_FILE_TOO_LARGE") {
					/** @type {Logger} */
					(this.logger).warn(`Ignoring ${path} for hashing as it's very large`);
					this._fileHashes.set(path, "too large");
					return callback(null, "too large");
				}
				return callback(/** @type {WebpackError} */ (err));
			}

			const hash = createHash(this._hashFunction);

			hash.update(/** @type {string | Buffer} */ (content));

			const digest = hash.digest("hex");

			this._fileHashes.set(path, digest);

			callback(null, digest);
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #9df8caa940065b5b Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:4269 
			this.fs.readFile(packageJsonPath, (err, content) => {
				if (err) {
					if (err.code === "ENOENT" || err.code === "ENOTDIR") {
						// no package.json or path is not a directory
						this.fs.readdir(path, (err, elements) => {
							if (
								!err &&
								/** @type {string[]} */ (elements).length === 1 &&
								/** @type {string[]} */ (elements)[0] === "node_modules"
							) {
								// This is only a grouping folder e.g. used by yarn
								// we are only interested in existence of this special directory
								this._managedItems.set(path, "*nested");
								return callback(null, "*nested");
							}
							/** @type {Logger} */
							(this.logger).warn(
								`Managed item ${path} isn't a directory or doesn't contain a package.json (see snapshot.managedPaths option)`
							);
							return callback();
						});
						return;
					}
					return callback(/** @type {WebpackError} */ (err));
				}
				/** @type {JsonObject} */
				let data;
				try {
					data = JSON.parse(/** @type {Buffer} */ (content).toString("utf8"));
				} catch (parseErr) {
					return callback(/** @type {WebpackError} */ (parseErr));
				}
				if (!data.name) {
					/** @type {Logger} */
					(this.logger).warn(
						`${packageJsonPath} doesn't contain a "name" property (see snapshot.managedPaths option)`
					);
					return callback();
				}
				const info = `${data.name || ""}@${data.version || ""}`;
				this._managedItems.set(path, info);
				callback(null, info);
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ab88349bc2802939 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:8 
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ab88349bc2802939 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:8 
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #35863b0e1f0e8e58 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:1420 
			const packageInfo = JSON.parse(fs.readFileSync(pkgPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #fc6a3f94ad2373ea Environment-variable access.
pkgs/npm/[email protected]/lib/config/defaults.js:2310 
		(infrastructureLogging.stream).isTTY && process.env.TERM !== "dumb";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #667954e324787187 Filesystem access.
pkgs/npm/[email protected]/lib/dll/DllReferencePlugin.js:72 
					(compiler.inputFileSystem).readFile(manifest, (err, result) => {
						if (err) return callback(err);
						/** @type {CompilationDataItem} */
						const data = {
							path: manifest,
							data: undefined,
							error: undefined
						};
						// Catch errors parsing the manifest so that blank
						// or malformed manifest files don't kill the process.
						try {
							data.data =
								/** @type {DllReferencePluginOptionsManifest} */
								(
									/** @type {unknown} */
									(parseJson(/** @type {Buffer} */ (result).toString("utf8")))
								);
						} catch (parseErr) {
							// Store the error in the params so that it can
							// be added as a compilation error later on.
							const manifestPath = makePathsRelative(
								compiler.context,
								manifest,
								compiler.root
							);
							data.error = new DllManifestError(
								manifestPath,
								/** @type {Error} */ (parseErr).message
							);
						}
						compilationData.set(params, data);
						return callback();
					});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #c12d001895e6e27c Filesystem access.
pkgs/npm/[email protected]/lib/dll/LibManifestPlugin.js:136 
								intermediateFileSystem.writeFile(targetPath, buffer, callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4ac5471fcd4a9758 Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:63 
				fs.readFile(this.options.path, (err, buffer) => {
					if (err) {
						if (err.code !== "ENOENT") {
							return callback(err);
						}
						return callback();
					}
					/** @type {JSONContent} */
					const json = JSON.parse(/** @type {Buffer} */ (buffer).toString());
					/** @type {Map<string, string | number | null>} */
					data = new Map();
					for (const key of Object.keys(json)) {
						data.set(key, json[key]);
					}
					dataChanged = false;
					return callback();
				});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #ef90b74090582f87 Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:94 
				fs.writeFile(this.options.path, JSON.stringify(json), callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #0bac56734ea7388b Filesystem access.
pkgs/npm/[email protected]/lib/schemes/FileUriPlugin.js:43 
						loaderContext.fs.readFile(resourcePath, (err, result) => {
							if (err) return callback(err);
							loaderContext.addDependency(resourcePath);
							callback(null, result);
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4419d124b8ec273a Environment-variable access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:495 
			this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4419d124b8ec273a Environment-variable access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:495 
			this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #56d9e845cbc146c2 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:588 
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									compilation.missingDependencies.add(lockfileLocation);
									return callback(err);
								}
								compilation.fileDependencies.add(lockfileLocation);
								compilation.fileSystemInfo.createSnapshot(
									compiler.fsStartTime,
									buffer ? [lockfileLocation] : [],
									[],
									buffer ? [] : [lockfileLocation],
									{ timestamp: true },
									(err, s) => {
										if (err) return callback(err);
										const lockfile = buffer
											? Lockfile.parse(buffer.toString("utf8"))
											: new Lockfile();
										lockfileCache = {
											lockfile,
											snapshot: /** @type {Snapshot} */ (s)
										};
										callback(null, lockfile);
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #f8e03c8542d857ab Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:692 
							intermediateFs.writeFile(filePath, result.content, (err) => {
								if (err) return callback(err);
								callback(null, result);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #95c2fb2dc0ca1964 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1201 
									fs.readFile(filePath, (err, result) => {
										if (err) {
											if (err.code === "ENOENT") return doFetch();
											return callback(err);
										}
										const content = /** @type {Buffer} */ (result);
										/**
										 * Continue with cached content.
										 * @param {Buffer | undefined} _result result
										 * @returns {void}
										 */
										const continueWithCachedContent = (_result) => {
											if (!upgrade) {
												// When not in upgrade mode, we accept the result from the lockfile cache
												return callback(null, { entry, content });
											}
											return doFetch(content);
										};
										if (!verifyIntegrity(content, entry.integrity)) {
											/** @type {Buffer | undefined} */
											let contentWithChangedEol;
											let isEolChanged = false;
											try {
												contentWithChangedEol = Buffer.from(
													content.toString("utf8").replace(/\r\n/g, "\n")
												);
												isEolChanged = verifyIntegrity(
													contentWithChangedEol,
													entry.integrity
												);
											} catch (_err) {
												// ignore
											}
											if (isEolChanged) {
												if (!warnedAboutEol) {
													const explainer = `Incorrect end of line sequence was detected in the lockfile cache.
The lockfile cache is protected by integrity checks, so any external modification will lead to a corrupted lockfile cache.
When using git make sure to configure .gitattributes correctly for the lockfile cache:
  **/*webpack.lock.data/** -text
This will avoid that the end of line sequence is changed by git on Windows.`;
													if (frozen) {
														logger.error(explainer);
													} else {
														logger.warn(explainer);
														logger.info(
															"Lockfile cache will be automatically fixed now, but when lockfile is frozen this would result in an error."
														);
													}
													warnedAboutEol = true;
												}
												if (!frozen) {
													// "fix" the end of line sequence of the lockfile content
													logger.log(
														`${filePath} fixed end of line sequence (\\r\\n instead of \\n).`
													);
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);
													return;
												}
											}
											if (frozen) {
												return callback(
													new Error(
														`${
															entry.resolved
														} integrity mismatch, expected content with integrity ${
															entry.integrity
														} but got ${computeIntegrity(content)}.
Lockfile corrupted (${
															isEolChanged
																? "end of line sequence was unexpectedly changed"
																: "incorrectly merged? changed by other tools?"
														}).
Run build with un-frozen lockfile to automatically fix lockfile.`
													)
												);
											}
											// "fix" the lockfile entry to the correct integrity
											// the content has priority over the integrity value
											entry = {
												...entry,
												integrity: computeIntegrity(content)
											};
											storeLockEntry(lockfile, url, entry);
										}
										continueWithCachedContent(result);
									});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #4c7c220c3c59d890 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1256 
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #95beb326c1d6140b Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1409 
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									writeDone();
									return callback(err);
								}
								const lockfile = buffer
									? Lockfile.parse(buffer.toString("utf8"))
									: new Lockfile();
								for (const [key, value] of /** @type {LockfileUpdates} */ (
									lockfileUpdates
								)) {
									lockfile.entries.set(key, value);
								}
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #7f7cecdeae9bcf3b Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1422 
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #e17baca1a48a3802 Filesystem access.
pkgs/npm/[email protected]/lib/util/fs.js:675 
	fs.readFile(p, (err, buf) => {
		if (err) return callback(err);
		/** @type {JsonObject} */
		let data;
		try {
			data = JSON.parse(/** @type {Buffer} */ (buf).toString("utf8"));
		} catch (err1) {
			return callback(/** @type {Error} */ (err1));
		}
		return callback(null, data);
	});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack-bundle-analyzer

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #2655fa805f04d857 Filesystem access.
pkgs/npm/[email protected]/lib/parseUtils.js:253 
  const content = fs.readFileSync(bundlePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #88ca9c92167ced39 Filesystem access.
pkgs/npm/[email protected]/lib/template.js:36 
  return fs.readFileSync(assetPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #08d92a93a880ca33 Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:71 
  return `${process.env.npm_package_name || "Webpack Bundle Analyzer"} [${currentTime}]`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #61dd86c5b0cb6010 Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:266 
  fs.writeFileSync(reportFilepath, reportHtml);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.
low env_fs dependency Excluded from app score #14fb24937b23b38b Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:304 
  await fs.promises.writeFile(reportFilename, JSON.stringify(chartData));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @vue/compiler-sfc prod — dist-only: no readable source
  • css-loader prod — dist-only: no readable source
  • esbuild-loader prod — dist-only: no readable source
  • exsolve prod — dist-only: no readable source
  • file-loader prod — dist-only: no readable source
  • knitwork prod — dist-only: no readable source
  • mlly prod — dist-only: no readable source
  • ohash prod — dist-only: no readable source
  • postcss-loader prod — dist-only: no readable source
  • unplugin prod — dist-only: no readable source
  • url-loader prod — dist-only: no readable source
  • vue-loader prod — dist-only: no readable source
  • webpackbar prod — dist-only: no readable source
  • @vitejs/plugin-vue prod — dist-only: no readable source
  • pkg-types prod — dist-only: no readable source
  • vite-node prod — dist-only: no readable source
  • vite-plugin-checker prod — dist-only: no readable source
  • @dxup/nuxt prod — dist-only: no readable source
  • @nuxt/nitro-server prod — dist-only: no readable source
  • @nuxt/vite-builder prod — dist-only: no readable source
  • cookie-es prod — dist-only: no readable source
  • errx prod — dist-only: no readable source
  • impound prod — dist-only: no readable source
  • nanotar prod — dist-only: no readable source
  • oxc-walker prod — dist-only: no readable source
  • perfect-debounce prod — dist-only: no readable source
  • uncrypto prod — dist-only: no readable source
  • unrouting prod — dist-only: no readable source
  • lru-cache prod — dist-only: no readable source
  • vue-devtools-stub prod — dist-only: no readable source
  • nypm prod — dist-only: no readable source
  • rc9 prod — dist-only: no readable source
  • hook-augmenting-module prod — registry 404

Development

  • @arethetypeswrong/cli dev — dist-only: no readable source
  • @codspeed/core dev — dist-only: no readable source
  • @codspeed/vitest-plugin dev — dist-only: no readable source
  • @eslint/markdown dev — dist-only: no readable source
  • @nuxt/eslint-config dev — dist-only: no readable source
  • @nuxt/kit dev — dist-only: no readable source
  • @typescript-eslint/parser dev — dist-only: no readable source
  • @vitest/coverage-v8 dev — dist-only: no readable source
  • @vue/test-utils dev — dist-only: no readable source
  • acorn dev — dist-only: no readable source
  • changelogen dev — dist-only: no readable source
  • eslint-plugin-perfectionist dev — dist-only: no readable source
  • eslint-typegen dev — dist-only: no readable source
  • get-port-please dev — dist-only: no readable source
  • magic-string dev — dist-only: no readable source
  • ofetch dev — dist-only: no readable source
  • rolldown-string dev — dist-only: no readable source
  • rollup dev — dist-only: no readable source
  • std-env dev — dist-only: no readable source
  • tinyexec dev — dist-only: no readable source
  • tinyglobby dev — dist-only: no readable source
  • ufo dev — dist-only: no readable source
  • h3-next dev — no resolvable version
  • @vitejs/plugin-vue-jsx dev — dist-only: no readable source
  • rollup-plugin-visualizer dev — dist-only: no readable source
  • @nuxt/ui-templates dev — dist-only: no readable source
  • c12 dev — dist-only: no readable source
  • compatx dev — dist-only: no readable source
  • hookable dev — dist-only: no readable source
  • scule dev — dist-only: no readable source
  • unctx dev — dist-only: no readable source
  • unimport dev — dist-only: no readable source
  • untyped dev — dist-only: no readable source
  • vue-sfc-transformer dev — dist-only: no readable source
  • @unocss/reset dev — no javascript source
  • beasties dev — dist-only: no readable source
  • htmlnano dev — dist-only: no readable source
  • unocss dev — dist-only: no readable source
  • @vue/devtools-api dev — dist-only: no readable source