Close Open Privacy Scan
App Privacy Score
Coverage too low to score · 149 finding(s)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Application data flows
Not enough of this repository was analyzed to look for application data flows. Absence of findings here is not evidence of a clean result.
</> First-Party Code
first-party (rust)
rust first-partyexpand_more 27 low-confidence finding(s)
let _ = fs::write(&file_path, new_error);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let errors_json = fs::read_to_string("/cwd/errors.json")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace = std::env::var("TURBOPACK_TRACING").ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Ok(val) = env::var(DEBUG_JS_VAR) else {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("PATH").expect("the PATH environment variable should always be set"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("SystemRoot")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pub static UPDATE: LazyLock<bool> = LazyLock::new(|| env::var("UPDATE").unwrap_or_default() == "1");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let max_depth = env::var("BOTTOM_UP_DEPTH")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
collapse_crates: env::var("COLLAPSE_CRATES")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expand_crates: env::var("EXPAND_CRATES")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
expand_recursion: env::var("EXPAND_RECURSION").is_ok(),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Ok(mut file) = File::open(&self.path) else {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let stop_at = env::var("STOP_AT")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Ok(mut real_file) = File::open(&self.path) else {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let drop_ids = std::env::var("DROP_SPANS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
self_time_tree: env::var("NO_CORRECTED_TIME")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let bench_result_raw = fs::read_to_string("crates/turbopack/bench.json").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let version = if let Ok(release_version) = env::var("RELEASE_VERSION") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(
target_dir.join("../../package.json"),
serde_json::to_string_pretty(&pkg_json).unwrap(),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::read(package_dir.join("../../package.json")).expect("Unable to read package.json");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(
target_pkg_dir.join("../../package.json"),
serde_json::to_string_pretty(&pkg_json).unwrap(),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let workspace_pkg_json = fs::read_to_string(
env::current_dir()
.unwrap()
.join(&workspace.path)
.join("package.json"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(&data_file.path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::create(&latest_for_sha_path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::create(&latest_path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let summary_file = File::open(&summary_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): crates/next-api
rust first-partyexpand_more 3 low-confidence finding(s)
tracing::info!("WARN: conflict");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(chunk_name = %chunk_name, target = %target, "hmr subscription");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
std::env::var_os("TURBOPACK_PRINT_USE_CACHE_SUBTREE")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): crates/next-build-test
rust first-partyexpand_more 21 low-confidence finding(s)
let mut file = std::fs::File::open(&path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!("collecting endpoints");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("building only the files:");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(" {}", file);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("rendered {} pages in {:?}", count, start.elapsed());
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("No pages found, these pages exist:");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(" {}", route);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"rendering routes with {} parallel and strategy {}",
factor,
strategy
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("{name}...");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("WARN: conflict {}", name);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"{name} {:?} {} MiB (memory usage increased by {} MiB)",
duration,
memory_after / 1024 / 1024,
(memory_after - memory) / 1024 / 1024
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"{name} {:?} {} MiB (memory usage decreased by {} MiB)",
duration,
memory_after / 1024 / 1024,
(memory - memory_after) / 1024 / 1024
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("{name} {:?} {} MiB", duration, memory_after / 1024 / 1024);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("HMR...");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("HMR: {:?} {:?}", ident, e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("HMR {:?}", start.elapsed());
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("threads stopped");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let trace = std::env::var("NEXT_TURBOPACK_TRACING").ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!("memory usage: {} MiB", memory / 1024 / 1024);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("drop {:?}", start.elapsed());
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (rust): crates/next-code-frame
rust first-partyexpand_more 1 low-confidence finding(s)
let source = match fs::read_to_string(&args.file) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): crates/next-custom-transforms
rust first-partyexpand_more 4 low-confidence finding(s)
tracing::debug!("mark_as_candidate");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("ssg: Start");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("mark_as_candidate: {:?}", n);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("ssg: Start");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (rust): crates/next-napi-bindings
rust first-partyexpand_more 18 low-confidence finding(s)
let is_macos_target = env::var("CARGO_CFG_TARGET_OS").is_ok_and(|value| value == "macos");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let package_json_content = fs::read_to_string(&package_json_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut trace = std::env::var("NEXT_TURBOPACK_TRACING")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_path_override = std::env::var_os("NEXT_TURBOPACK_TRACING_PATH")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file.clone()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file.clone()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file.clone()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_server = std::env::var("NEXT_TURBOPACK_TRACE_SERVER").ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Some(stats_path) = std::env::var_os("NEXT_TURBOPACK_TASK_STATISTICS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = std::fs::File::create(&stats_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!(chunk_name = %chunk_name, target = %target, "hmr subscription");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let is_ci = std::env::var("CI").is_ok_and(|v| !v.is_empty());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
storage_mode: Some(if std::env::var("TURBO_ENGINE_READ_ONLY").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
|| env::var("SWC_DEBUG") == Ok("1".to_string())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
|| env::var("CI").is_ok_and(|v| !v.is_empty())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
|| env::var("NEXT_TEST_CI").is_ok_and(|v| !v.is_empty())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let src = fs::read_to_string(&resource_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let v = std::env::var(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): scripts/send-trace-to-jaeger
rust first-partyexpand_more 1 low-confidence finding(s)
let file = File::open(filename)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-persistence
rust first-partyexpand_more 18 low-confidence finding(s)
static LARGE_DB: LazyLock<bool> = LazyLock::new(|| std::env::var_os("LARGE_DB").is_some());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let current: u32 = File::open(db_path.join("CURRENT"))?
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = fs::read(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut next_file = File::create(&next_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut current_file = match File::open(self.path.join("CURRENT")) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut content = &*fs::read(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = File::create(&del_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = CountingWriter::new(BufWriter::new(File::create(file)?));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = BufWriter::new(File::create(file)?);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file_bytes = std::fs::read(&sst_path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(path.join("CURRENT.next"), b"\xAA")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = File::create(&file)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks
rust first-partyexpand_more 3 low-confidence finding(s)
tracing::warn!(
attempts = *attempts,
?keys,
"retrying effect application; this implies multiple routes are fighting to \
write one of these files",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Failed to send compilation event: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
if let Ok(raw) = env::var("TURBO_TASKS_AVAILABLE_PARALLELISM") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-backend
rust first-partyexpand_more 9 low-confidence finding(s)
std::env::var("TURBO_ENGINE_EVICT_MIN_BYTES")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("TURBO_ENGINE_SNAPSHOT_IDLE_TIMEOUT_MILLIS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("TURBO_ENGINE_SNAPSHOT_MIN_ACTIVE_TIME_MILLIS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var("TURBO_ENGINE_VERIFY_GRAPH").ok().as_deref() == Some("0") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match File::open(base_path.join(INVALIDATION_MARKER)) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(version) = env::var("TURBO_ENGINE_VERSION") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let ignore_dirty = env::var("TURBO_ENGINE_IGNORE_DIRTY").ok().is_some();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let disabled_versioning = env::var("TURBO_ENGINE_DISABLE_VERSIONING").ok().is_some();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-env
rust first-partyexpand_more 1 low-confidence finding(s)
let mut vars = env::vars()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-fs
rust first-partyexpand_more 10 low-confidence finding(s)
fs::write(
temp_path.join("file.txt"),
start.elapsed().as_micros().to_string(),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(path, content).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var(name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = std::fs::File::create(&full_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os("TURBO_ENGINE_WRITE_VERSION")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = std::fs::File::create(&full_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
extract_disk_access(retry_blocking(|| std::fs::File::open(path)).await, path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = std::fs::File::open(p)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reads.push(fs.read(path.clone()))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match env::var("TURBO_TASKS_FORCE_WATCH_MODE").as_deref() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-fuzz
rust first-partyexpand_more 2 low-confidence finding(s)
match std::fs::read(&child_path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = std::fs::File::create(&child_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-malloc
rust first-partyexpand_more 2 low-confidence finding(s)
if let Ok(content) = std::fs::read_to_string("/proc/pressure/memory")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = std::fs::read_to_string("/proc/meminfo").ok()?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbo-tasks-testing
rust first-partyexpand_more 3 low-confidence finding(s)
let infinite_initial_runs = env::var("INFINITE_INITIAL_RUNS").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let infinite_memory_runs = !infinite_initial_runs && env::var("INFINITE_MEMORY_RUNS").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let single_run = infinite_initial_runs || env::var("SINGLE_RUN").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbopack-bench
rust first-partyexpand_more 10 low-confidence finding(s)
fs::write(
install_dir.join("next.config.js"),
include_bytes!("next.config.js"),
)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(
install_dir.join("rspack.config.js"),
include_bytes!("rspack.config.js"),
)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(
install_dir.join("vite.config.js"),
if self.swc {
include_bytes!("vite.swc.config.js") as &[u8]
} else {
include_bytes!("vite.config.js") as &[u8]
},
)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(
install_dir.join("webpack.config.js"),
include_bytes!("webpack.config.js"),
)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut contents = fs::read_to_string(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Ok(move || Ok(fs::write(&path, contents)?))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let config = std::env::var(name).ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let config = std::env::var(name).ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let config = std::env::var(name).ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(install_dir.join("package.json"))?
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbopack-cli
rust first-partyexpand_more 6 low-confidence finding(s)
let binary = std::env::var("CARGO_BIN_EXE_turobpack-cli")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_ci = env::var("CI").is_ok_and(|value| !value.is_empty());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_ci = std::env::var("CI").is_ok_and(|v| !v.is_empty());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let storage_mode = if std::env::var("TURBO_ENGINE_READ_ONLY").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace = std::env::var("TURBOPACK_TRACING").ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let trace_writer = std::fs::File::create(trace_file).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbopack-core
rust first-partyexpand_more 8 low-confidence finding(s)
std::env::var_os("TURBOPACK_PRINT_UNUSED_REFERENCES")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os("TURBOPACK_PRINT_USED_EXPORTS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LazyLock::new(|| match std::env::var_os("TURBOPACK_PRINT_CHUNK_GROUPS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(f, result.join("\n"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match std::env::var_os("TURBOPACK_TEMP_DISABLE_DUPLICATE_MODULES_CHECK") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os("TURBOPACK_PRINT_SIDE_EFFECT_INFO")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
LazyLock::new(|| match std::env::var("TURBOPACK_DEBUG_CSS_CHUNKING") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&path, &bytes)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbopack-create-test-app
rust first-partyexpand_more 1 low-confidence finding(s)
File::create(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
first-party (rust): turbopack/crates/turbopack-ecmascript
rust first-partyexpand_more 1 low-confidence finding(s)
let config = std::fs::read_to_string(config).unwrap_or_else(|_| "{}".into());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- first-party (rust): turbopack/crates/turbopack-env prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-image prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-mdx prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-nft prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-node prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-nodejs prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-resolve prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-static prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-swc-ast-explorer prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-swc-utils prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-test-utils prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-tests prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-trace-server prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-trace-utils prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-tracing prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbopack-wasm prod — scan budget exceeded
- first-party (rust): turbopack/crates/turbo-tasks-backend/fuzz prod — scan budget exceeded
- first-party (rust): turbopack/xtask prod — scan budget exceeded
- first-party (rust): crates/next-error-code-swc-plugin prod — scan budget exceeded
- first-party (rust): rspack prod — scan budget exceeded
- first-party (rust): rspack/crates/binding prod — scan budget exceeded
- first-party (rust): test/e2e/swc-plugins-env/plugin prod — scan budget exceeded
- @radix-ui/react-dialog prod — scan budget exceeded
- @radix-ui/react-popover prod — scan budget exceeded
- @radix-ui/react-select prod — scan budget exceeded
- @radix-ui/react-slot prod — scan budget exceeded
- @radix-ui/react-toggle-group prod — scan budget exceeded
- @radix-ui/react-tooltip prod — scan budget exceeded
- autoprefixer prod — scan budget exceeded
- class-variance-authority prod — scan budget exceeded
- clsx prod — scan budget exceeded
- cmdk prod — scan budget exceeded
- lucide-react prod — scan budget exceeded
- next-themes prod — scan budget exceeded
- polished prod — scan budget exceeded
- tailwind-merge prod — scan budget exceeded
- tailwindcss-animate prod — scan budget exceeded
- third-party-capital prod — scan budget exceeded
- eslint-import-resolver-node prod — scan budget exceeded
- eslint-import-resolver-typescript prod — scan budget exceeded
- eslint-plugin-jsx-a11y prod — scan budget exceeded
- @next/rspack-core prod — scan budget exceeded
- baseline-browser-mapping prod — scan budget exceeded
- caniuse-lite prod — scan budget exceeded
- globby prod — scan budget exceeded
- is-git-clean prod — scan budget exceeded
- jscodeshift prod — scan budget exceeded
- @eslint-community/eslint-utils prod — scan budget exceeded
- webpack-stats-plugin prod — scan budget exceeded
- next-minimal-server prod — scan budget exceeded
- @mantine/core prod — scan budget exceeded
- lodash-es prod — scan budget exceeded
- mermaid prod — scan budget exceeded
- recursive-copy prod — scan budget exceeded
- @szmarczak/http-timer prod — scan budget exceeded
- asciichart prod — scan budget exceeded
- downsample-lttb prod — scan budget exceeded
- listr2 prod — scan budget exceeded
- term-size prod — scan budget exceeded
- jest-circus prod — scan budget exceeded
- react-test-renderer prod — scan budget exceeded
- @vercel/webpack-nft prod — scan budget exceeded
- @datadog/datadog-api-client prod — scan budget exceeded
- inquirer prod — scan budget exceeded
- jstat prod — scan budget exceeded
- minimist prod — scan budget exceeded
- pidusage-tree prod — scan budget exceeded
- split2 prod — scan budget exceeded
- @vercel/experimental-nft prod — scan budget exceeded
- serde_json prod — scan budget exceeded
- reqwest prod — scan budget exceeded
- anyhow prod — scan budget exceeded
- bincode prod — scan budget exceeded
- console-subscriber prod — scan budget exceeded
- dhat prod — scan budget exceeded
- flate2 prod — scan budget exceeded
- futures-util prod — scan budget exceeded
- owo-colors prod — scan budget exceeded
- napi prod — scan budget exceeded
- napi-derive prod — scan budget exceeded
- next-code-frame prod — scan budget exceeded
- next-custom-transforms prod — scan budget exceeded
- next-taskless prod — scan budget exceeded
- rand prod — scan budget exceeded
- rustc-hash prod — scan budget exceeded
- serde prod — scan budget exceeded
- supports-hyperlinks prod — scan budget exceeded
- terminal_size prod — scan budget exceeded
- terminal_hyperlink prod — scan budget exceeded
- tracing prod — scan budget exceeded
- tracing-subscriber prod — scan budget exceeded
- tracing-chrome prod — scan budget exceeded
- url prod — scan budget exceeded
- urlencoding prod — scan budget exceeded
- regex prod — scan budget exceeded
- swc_core prod — scan budget exceeded
- console_error_panic_hook prod — scan budget exceeded
- getrandom2 prod — scan budget exceeded
- getrandom3 prod — scan budget exceeded
- js-sys prod — scan budget exceeded
- serde-wasm-bindgen prod — scan budget exceeded
- wasm-bindgen prod — scan budget exceeded
- wasm-bindgen-futures prod — scan budget exceeded
- mdxjs prod — scan budget exceeded
- async-trait prod — scan budget exceeded
- byteorder prod — scan budget exceeded
- either prod — scan budget exceeded
- futures prod — scan budget exceeded
- indexmap prod — scan budget exceeded
- next-core prod — scan budget exceeded
- roaring prod — scan budget exceeded
- turbo-bincode prod — scan budget exceeded
- turbo-rcstr prod — scan budget exceeded
- turbo-tasks prod — scan budget exceeded
- turbo-tasks-hash prod — scan budget exceeded
- turbo-tasks-env prod — scan budget exceeded
- turbo-tasks-fs prod — scan budget exceeded
- turbo-unix-path prod — scan budget exceeded
- turbopack prod — scan budget exceeded
- turbopack-analyze prod — scan budget exceeded
- turbopack-browser prod — scan budget exceeded
- turbopack-core prod — scan budget exceeded
- turbopack-css prod — scan budget exceeded
- turbopack-ecmascript prod — scan budget exceeded
- turbopack-node prod — scan budget exceeded
- turbopack-nodejs prod — scan budget exceeded
- turbopack-resolve prod — scan budget exceeded
- turbopack-wasm prod — scan budget exceeded
- next-api prod — scan budget exceeded
- num_cpus prod — scan budget exceeded
- tokio-stream prod — scan budget exceeded
- turbo-tasks-malloc prod — scan budget exceeded
- turbopack-trace-utils prod — scan budget exceeded
- clap prod — scan budget exceeded
- memchr prod — scan budget exceeded
- phf prod — scan budget exceeded
- regex-automata prod — scan budget exceeded
- unicode-width prod — scan budget exceeded
- base64 prod — scan budget exceeded
- allsorts prod — scan budget exceeded
- indoc prod — scan budget exceeded
- itertools prod — scan budget exceeded
- lightningcss prod — scan budget exceeded
- mime_guess prod — scan budget exceeded
- percent-encoding prod — scan budget exceeded
- qstring prod — scan budget exceeded
- react_remove_properties prod — scan budget exceeded
- regress prod — scan budget exceeded
- remove_console prod — scan budget exceeded
- serde_path_to_error prod — scan budget exceeded
- smallvec prod — scan budget exceeded
- swc_sourcemap prod — scan budget exceeded
- thiserror prod — scan budget exceeded
- modularize_imports prod — scan budget exceeded
- turbo-esregex prod — scan budget exceeded
- turbo-tasks-bytes prod — scan budget exceeded
- turbo-tasks-fetch prod — scan budget exceeded
- turbopack-ecmascript-plugins prod — scan budget exceeded
- turbopack-ecmascript-runtime prod — scan budget exceeded
- turbopack-image prod — scan budget exceeded
- turbopack-static prod — scan budget exceeded
- bytes-str prod — scan budget exceeded
- chrono prod — scan budget exceeded
- easy-error prod — scan budget exceeded
- hex prod — scan budget exceeded
- pathdiff prod — scan budget exceeded
- sha1 prod — scan budget exceeded
- styled_components prod — scan budget exceeded
- styled_jsx prod — scan budget exceeded
- swc_emotion prod — scan budget exceeded
- swc_relay prod — scan budget exceeded
- preset_env_base prod — scan budget exceeded
- mime prod — scan budget exceeded
- ringmap prod — scan budget exceeded
- unty prod — scan budget exceeded
- bitfield prod — scan budget exceeded
- crc32fast prod — scan budget exceeded
- dashmap prod — scan budget exceeded
- fs-err prod — scan budget exceeded
- jiff prod — scan budget exceeded
- lzzzz prod — scan budget exceeded
- memmap2 prod — scan budget exceeded
- nohash-hasher prod — scan budget exceeded
- parking_lot prod — scan budget exceeded
- qfilter prod — scan budget exceeded
- postcard prod — scan budget exceeded
- zerocopy prod — scan budget exceeded
- quick_cache prod — scan budget exceeded
- thread_local prod — scan budget exceeded
- xxhash-rust prod — scan budget exceeded
- turbo-persistence prod — scan budget exceeded
- triomphe prod — scan budget exceeded
- new_debug_unreachable prod — scan budget exceeded
- shrink-to-fit prod — scan budget exceeded
- turbo-rcstr-macros prod — scan budget exceeded
- auto-hash-map prod — scan budget exceeded
- concurrent-queue prod — scan budget exceeded
- erased-serde prod — scan budget exceeded
- event-listener prod — scan budget exceeded
- pin-project-lite prod — scan budget exceeded
- scattered-collect prod — scan budget exceeded
- tokio-util prod — scan budget exceeded
- turbo-dyn-eq-hash prod — scan budget exceeded
- turbo-frozenmap prod — scan budget exceeded
- turbo-tasks-macros prod — scan budget exceeded
- unsize prod — scan budget exceeded
- hashbrown prod — scan budget exceeded
- crossbeam-utils prod — scan budget exceeded
- bytes prod — scan budget exceeded
- dotenvs prod — scan budget exceeded
- bitflags prod — scan budget exceeded
- dunce prod — scan budget exceeded
- include_dir prod — scan budget exceeded
- jsonc-parser prod — scan budget exceeded
- notify prod — scan budget exceeded
- data-encoding prod — scan budget exceeded
- proc-macro-error prod — scan budget exceeded
- proc-macro2 prod — scan budget exceeded
- quote prod — scan budget exceeded
- syn prod — scan budget exceeded
- turbopack-env prod — scan budget exceeded
- turbopack-mdx prod — scan budget exceeded
- chromiumoxide prod — scan budget exceeded
- portpicker prod — scan budget exceeded
- tungstenite prod — scan budget exceeded
- turbopack-create-test-app prod — scan budget exceeded
- serde_qs prod — scan budget exceeded
- turbopack-cli-utils prod — scan budget exceeded
- turbopack-dev-server prod — scan budget exceeded
- webbrowser prod — scan budget exceeded
- crossterm prod — scan budget exceeded
- browserslist-rs prod — scan budget exceeded
- const_format prod — scan budget exceeded
- num-bigint prod — scan budget exceeded
- patricia_tree prod — scan budget exceeded
- petgraph prod — scan budget exceeded
- ref-cast prod — scan budget exceeded
- turbo-prehash prod — scan budget exceeded
- uuid prod — scan budget exceeded
- parcel_selectors prod — scan budget exceeded
- parcel_sourcemap prod — scan budget exceeded
- hyper prod — scan budget exceeded
- hyper-tungstenite prod — scan budget exceeded
- socket2 prod — scan budget exceeded
- turbopack-ecmascript-hmr-protocol prod — scan budget exceeded
- allocator-api2 prod — scan budget exceeded
- bumpalo prod — scan budget exceeded
- num-traits prod — scan budget exceeded
- swc_ecma_react_compiler prod — scan budget exceeded
- react_compiler prod — scan budget exceeded
- strsim prod — scan budget exceeded
- turbopack-swc-utils prod — scan budget exceeded
- image prod — scan budget exceeded
- markdown prod — scan budget exceeded
- async-stream prod — scan budget exceeded
- futures-retry prod — scan budget exceeded
- serde_with prod — scan budget exceeded
- similar prod — scan budget exceeded
- rustc-demangle prod — scan budget exceeded
- zstd prod — scan budget exceeded
- crossbeam-channel prod — scan budget exceeded
- wasmparser prod — scan budget exceeded
- wat prod — scan budget exceeded
- afl prod — scan budget exceeded
- arbitrary prod — scan budget exceeded
- libfuzzer-sys prod — scan budget exceeded
- cargo-lock prod — scan budget exceeded
- inquire prod — scan budget exceeded
- num-format prod — scan budget exceeded