Close Open Privacy Scan

bolt Snapshot: commit 97f0f36
science engine v1
schedule 2026-06-26T01:05:33.266461+00:00

verified_user Possible application data leak

Potential data exfiltration identified in application code.

App Privacy Score

72 /100
Medium privacy risk — possible application leak

Medium risk · 213 finding(s)

Dependency score: 87 (Low risk)

bar_chart Score Breakdown

pii_flow −15
egress −10
env_fs −3

list Scan Summary

0 high 1 medium 212 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

swap_horiz Potential data exfiltration in application code

External domains: opencollective.com

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/static.js:9 repo/scripts/static.js:29

</> First-Party Code

first-party (npm)

npm first-party
medium pii_flow production #d2baf6fce879b09d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
repo/scripts/static.js:29 · flow /tmp/closeopen-whdvw9_i/repo/scripts/static.js:9 → /tmp/closeopen-whdvw9_i/repo/scripts/static.js:29
    console.log(`now listening on http://127.0.0.1:${port}${urlPath}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 48 low-confidence finding(s)
low env_fs production #3e4491cfb745e86f Environment-variable access.
repo/benchmarks/createDeepNestedDocArray.js:23
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #838ec13a9231b31d Environment-variable access.
repo/benchmarks/findOneAndUpdateSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #719e4cd668e31301 Environment-variable access.
repo/benchmarks/findOneWithCast.js:38
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #356c472ee038862d Environment-variable access.
repo/benchmarks/insertManySimple.js:15
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb5144010c10d88c Environment-variable access.
repo/benchmarks/nestedArrayLarge.js:28
    if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bffcf0015249044 Environment-variable access.
repo/benchmarks/recursiveToObject.js:28
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54c90a1b0b4001b9 Environment-variable access.
repo/benchmarks/saveSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #407b8c1af330ebb7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/docs/js/ask-ai.js:85
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          model: 'mongodb-chat-latest',
          stream: true,
          store: true,
          input: question
        })
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3fe8f10731aedbfa Filesystem access.
repo/docs/source/api.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fe8f10731aedbfa Filesystem access.
repo/docs/source/api.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbda4f68f792c90d Filesystem access.
repo/docs/source/api.js:361
    const comments = dox.parseComments(fs.readFileSync(file, 'utf8'), { raw: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c689fb497222896f Filesystem access.
repo/docs/source/utils.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c689fb497222896f Filesystem access.
repo/docs/source/utils.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0709fad49fbd6a42 Filesystem access.
repo/docs/source/utils.js:20
    const content = fs.readFileSync(`${dirName}/${filename}`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd0856c1a2342d1a Environment-variable access.
repo/lib/helpers/printJestWarning.js:5
if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2650a8468b9c5909 Filesystem access.
repo/scripts/generateLLMsTXT.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2650a8468b9c5909 Filesystem access.
repo/scripts/generateLLMsTXT.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4784312a1d6e309f Filesystem access.
repo/scripts/generateLLMsTXT.js:153
  await fs.promises.writeFile(llmsTxtPath, `${lines.join('\n').trim()}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc688d5352a99c1c Filesystem access.
repo/scripts/generateSearch.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc688d5352a99c1c Filesystem access.
repo/scripts/generateSearch.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b3dc46a1878fa4a Filesystem access.
repo/scripts/generateSearch.js:54
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c787e216aed0f33 Filesystem access.
repo/scripts/generateSearch.js:90
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9c0b4f51b3961b2 Filesystem access.
repo/scripts/loadSponsorData.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9c0b4f51b3961b2 Filesystem access.
repo/scripts/loadSponsorData.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daea001a6749c5f1 Filesystem access.
repo/scripts/loadSponsorData.js:77
  fs.writeFileSync(`${docsDir}/data/sponsors.json`, JSON.stringify(subscribers, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #feac521ce4b14066 Filesystem access.
repo/scripts/loadSponsorData.js:80
  fs.writeFileSync(`${docsDir}/data/jobs.json`, JSON.stringify(jobs, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #177e930419acc32a Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/loadSponsorData.js:82
  const opencollectiveSponsors = await fetch('https://opencollective.com/mongoose/members.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8444e834073f9443 Filesystem access.
repo/scripts/loadSponsorData.js:106
    fs.writeFileSync(`${docsDir}/data/opencollective.json`, JSON.stringify(opencollectiveSponsors, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c4c88a8874d9b2d Filesystem access.
repo/scripts/setup-encryption-tests.js:14
  await writeFile('fle-cluster-config.json', JSON.stringify(configuration, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3b86512a1f5815b Environment-variable access.
repo/scripts/static.js:8
const port = process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e8ff3d70bccccae Environment-variable access.
repo/scripts/static.js:9
  ? parseInt(process.env.PORT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #100206a8b9fe2d24 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #100206a8b9fe2d24 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb6a1c50e6f0f645 Filesystem access.
repo/scripts/tsc-diagnostics-check.js:5
const stdin = fs.readFileSync(0).toString('utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d894bd09b898753 Filesystem access.
repo/scripts/update-mongodb-links.js:77
    const promise = fs.readFile(fullPath, { encoding: 'utf8' }).then(text => fs.writeFile(fullPath, mapURLsMongoDb(text)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d894bd09b898753 Filesystem access.
repo/scripts/update-mongodb-links.js:77
    const promise = fs.readFile(fullPath, { encoding: 'utf8' }).then(text => fs.writeFile(fullPath, mapURLsMongoDb(text)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea62ea3b565cee09 Filesystem access.
repo/scripts/website.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea62ea3b565cee09 Filesystem access.
repo/scripts/website.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b938c926bb2d077f Filesystem access.
repo/scripts/website.js:116
      retArray.push(acquit.parse(fs.readFileSync(file).toString()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f03f76443c944f4c Environment-variable access.
repo/scripts/website.js:333
  const versionedDeploy = process.env.DOCS_DEPLOY ? !(base.currentVersion.listed === base.latestVersion.listed) : false;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d15e9f708e2818d4 Filesystem access.
repo/scripts/website.js:503
      await fs.promises.writeFile(versionedMarkdownPath, str);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57abd3317625f9d4 Filesystem access.
repo/scripts/website.js:508
    await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12a3298c828efbdc Filesystem access.
repo/scripts/website.js:517
  let contents = fs.readFileSync(path.resolve(cwd, inputFile)).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a69e4123b91a65c1 Filesystem access.
repo/scripts/website.js:530
      fs.writeFileSync(path.resolve(cwd, inputFile), contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dfd3121eeb222ee Filesystem access.
repo/scripts/website.js:587
  await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfa3f1c9c4587a4a Filesystem access.
repo/scripts/website.js:596
    await fs.promises.writeFile(versionedMarkdownPath, markdownSource);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c70c64e37e36d022 Environment-variable access.
repo/scripts/website.js:700
    if (process.env.GENERATE_SEARCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c3b176b9f11eaa3 Environment-variable access.
repo/scripts/website.js:715
    if (!!process.env.DOCS_DEPLOY && !!versionObj.versionedPath) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

@ark/attest

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #24b41f8a644d6f2d Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:131
    let fileText = readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc9621ce2bee6670 Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:142
    writeFile(path, fileText);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b170c3f19e7f9be Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:29
            const contents = readFile(path).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e1e11ab30ba9f82 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:45
        const contents = this.virtualEnv.sys.readFile(tsPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #593afeefe2499142 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:107
    const configFileText = readFileSync(path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d537e5870ac1f8a8 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:133
        writeFile(summaryPath, outputCapture.getBuffer());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54e59e1f2180554f Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:151
    writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c119da543e3803b1 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:552
    writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96e90df45e57aea0 Environment-variable access.
pkgs/npm/@[email protected]/out/fixtures.js:12
    process.env.ATTEST_CONFIG = JSON.stringify(config);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-ignore

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #31515cd836de02f1 Filesystem access.
pkgs/npm/[email protected]/docs.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31515cd836de02f1 Filesystem access.
pkgs/npm/[email protected]/docs.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96466715e784f4a6 Filesystem access.
pkgs/npm/[email protected]/docs.js:6
let md = fs.readFileSync('./HEADER.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a25baf99c397654d Filesystem access.
pkgs/npm/[email protected]/docs.js:9
const blocks = acquit.parse(fs.readFileSync('./test/examples.test.js').toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a8f99304fcb904d Filesystem access.
pkgs/npm/[email protected]/docs.js:26
require('fs').writeFileSync('./README.md', md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a8f99304fcb904d Filesystem access.
pkgs/npm/[email protected]/docs.js:26
require('fs').writeFileSync('./README.md', md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-require

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #c36b9cd663e8830d Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c36b9cd663e8830d Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b19587516c2b0d2a Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:20
const text = fs.readFileSync(commander.path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cae53421e50403f Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:21
const tests = fs.readFileSync(commander.test).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa5160f1a2d3b313 Filesystem access.
pkgs/npm/[email protected]/docs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa5160f1a2d3b313 Filesystem access.
pkgs/npm/[email protected]/docs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b2deced7af47137 Filesystem access.
pkgs/npm/[email protected]/docs.js:3
let readme = fs.readFileSync('./README.md', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d08975bca20b974c Filesystem access.
pkgs/npm/[email protected]/docs.js:5
const md = fs.readFileSync('./test/data/article.md').

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45acff5916c2bb8c Filesystem access.
pkgs/npm/[email protected]/docs.js:11
readme = readme.replace('[code]', fs.readFileSync('./test/data/simple.js'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3a0880547a81d50 Filesystem access.
pkgs/npm/[email protected]/docs.js:13
fs.writeFileSync('./README.md', readme);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #90c1e8e435b5f864 Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cb0c73d4d9ed333 Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #753476d63b992d0b Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #753476d63b992d0b Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4fb468b0e869999 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5bb585f9ba69dc6 Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c921e5492f18bcef Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ed550a2db5b2072 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ed550a2db5b2072 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46dc13c3675a149f Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42bf8cd082a78bed Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42bf8cd082a78bed Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39b5b558ad36d7f2 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #753487fd00ca72b3 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #c762d41c21a76b7e Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5af35000f3e20bcf Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2694a91ab296ea5 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3483e6f23faea70a Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6760273215a7c37 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e56b289e4dee4de7 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f29c324930435ff Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d92c3f17bbd66a4 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f175bb0c2fa292a0 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64e03dc43a0a316e Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcb1a598f16456c6 Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02681ff987668845 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bd3043926a127d6 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #27340c4e7d48836d Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #5f908c5cc41dc002 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c17bd93048c8d990 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e33e7a26ea1b84c Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b9eeffa6c473b60 Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b39fed02751d1e9f Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli2

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #dd354f31cb2132cc Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:38
const readJsonc = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(jsoncParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9b04f5719255859 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:41
const readToml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(tomlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90f6aee40b2c1bbf Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:44
const readYaml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(yamlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ef588eaa9255d83 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:762
            subTasks.push(fs.promises.readFile(fileName, utf8).

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c2bd040aca2556e Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:765
                return fs.promises.writeFile(fileName, fixed, utf8);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #84c41667204e2116 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:40
    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e9c8b340bfb7b03 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:56
      require("strip-json-comments").default(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae256852d4fea02c Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:27
  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9307037320ad3e4 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:28
  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3382fda1b5148dc2 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:29
  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c4be172f2c0c6dd Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:32
  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd274767de5a1974 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:33
  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f128d7b196533dbc Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:34
  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #778852dfe7d78e7e Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:35
  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a7bea91864b48cd Filesystem access.
pkgs/npm/[email protected]/lib/cli/options.js:240
      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d02dfd847764b358 Environment-variable access.
pkgs/npm/[email protected]/lib/cli/options.js:302
  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9647e7940bca8c12 Environment-variable access.
pkgs/npm/[email protected]/lib/reporters/base.js:57
  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8dc60c275704854 Filesystem access.
pkgs/npm/[email protected]/lib/reporters/json.js:90
        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d91acba250f88b1a Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:714
  return !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongodb

npm dependency
expand_more 56 low-confidence finding(s)
low env_fs dependency Excluded from app score #fc7e9fc2050f22a0 Filesystem access.
pkgs/npm/[email protected]/etc/prepare.js:3
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc7e9fc2050f22a0 Filesystem access.
pkgs/npm/[email protected]/etc/prepare.js:3
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c268568eb07edd0c Environment-variable access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:57
    if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #870079eddad87e82 Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:339
            const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72735b1776029ebe Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:343
            options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #95286e01fa005f93 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js:29
    const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #da91a0a24a0660c6 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:19
    if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f5e4a001b4bdf1 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:20
        filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec6352727465b5b1 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:22
    else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aad772c45f8a60dc Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:23
        filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1346d42bc9335c6b Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1346d42bc9335c6b Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fed1e0106c13ef98 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:15
    const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a183316aafe08433 Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:19
    const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ec817c9d90d8982 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:390
        MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #990ed7098e16b60f Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:391
        MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79fb7299fa00184b Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:392
        MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2618ac5e96a78eb8 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:393
        MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c20c0ebbf5e6b16 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:394
        MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e9a00eb1a7447f9 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:395
        MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76dfa4679f398bf6 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:396
        MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9a5d0fa76167093 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:397
        MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8be37472e2761d92 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8be37472e2761d92 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdf6b4ae39823884 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:216
                options.ca ??= await fs_1.promises.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1142ca2a3210ff7 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:219
                options.crl ??= await fs_1.promises.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de161dd2b99d8885 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:223
                    const contents = await fs_1.promises.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #684dea04df98c7b2 Filesystem access.
pkgs/npm/[email protected]/lib/utils.js:53
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #684dea04df98c7b2 Filesystem access.
pkgs/npm/[email protected]/lib/utils.js:53
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aab9edc27b569708 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:1
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65732cecc27714fe Environment-variable access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:80
  if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #627abfc7950fc05d Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:530
      const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6c8a1d9ac825ff1 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:534
      options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #2e16c01614284dcb Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts:35
  const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #f44751cc1878a35e Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa3f5928e231f1ac Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:22
  if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c091847daf876a14 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:23
    filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #937a82858d728025 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:24
  } else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6c82e54918d6a1e Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:25
    filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d77b7e66ae301c3 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:29
  const token = await readFile(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91b6dc204e0e2368 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8851103472a92b82 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:16
  const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84560df0e32a1d76 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:20
  const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b33076600391bf2 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:530
      MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de487b4902daeb66 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:531
      MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9248d2d79234ddc5 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:532
      MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f31ccbc486c8452b Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:533
      MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c72d936cb86c0458 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:534
      MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c376110e695e6dc6 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:535
      MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ab5933c2e0f2a41 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:536
      MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7905ce5777a4b40 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:537
      MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f69521d410ee7c56 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:1
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a0fffd48a289f39 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:628
        options.ca ??= await fs.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e759a32face3d67 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:631
        options.crl ??= await fs.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ceac040c95ef8f72 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:635
          const contents = await fs.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a72097b3cfb255b9 Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:3
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ncp

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #f13a7642a5faeed3 Filesystem access.
pkgs/npm/[email protected]/lib/ncp.js:1
var fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f13a7642a5faeed3 Filesystem access.
pkgs/npm/[email protected]/lib/ncp.js:1
var fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pug

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #e007aaf7517d67ba Filesystem access.
pkgs/npm/[email protected]/lib/index.js:13
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e007aaf7517d67ba Filesystem access.
pkgs/npm/[email protected]/lib/index.js:13
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bea8f8ab59953556 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:241
    if (str === undefined) str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #deddea25e05990a5 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:476
  var str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85a13713d5e8c3eb Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:489
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sift

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #e3e7ee40ca9b5be2 Environment-variable access.
pkgs/npm/[email protected]/es/index.js:585
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d8e5e01ba849b8c Environment-variable access.
pkgs/npm/[email protected]/es5m/index.js:694
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bc7c73d933b92df Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:700
        else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2d99e54382cda8c Environment-variable access.
pkgs/npm/[email protected]/src/operations.ts:413
  } else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #3b54ae8b39aa61dd Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #125502b5e2426aad Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dde55702e314089d Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a95555619c3541c2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65ac5f82af5c373c Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72e44ea4b5700f57 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96721315c0d0aa96 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96721315c0d0aa96 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96721315c0d0aa96 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96721315c0d0aa96 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96721315c0d0aa96 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec4e86c38e17ff09 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f617b49bcaf4262e Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce3b345467982320 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @standard-schema/spec prod — dist-only: no readable source

Development

  • @mongodb-js/mongodb-downloader dev — dist-only: no readable source
  • glob dev — dist-only: no readable source
  • mkdirp dev — dist-only: no readable source
  • tstyche dev — dist-only: no readable source
  • typescript-eslint dev — dist-only: no readable source