Close Open Privacy Scan

bolt Snapshot: commit 66ca4e0
science engine v2
schedule 2026-07-01T12:08:05.952592+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code. Dependency data flows are listed separately and do not affect this verdict.

App Privacy Score

97 /100
Low privacy risk

Low risk · 73 finding(s)

Dependency score: 82 (Low risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 1 medium 72 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

swap_horiz Application data flows

No application data flows were found. See dependency data flows below.

hub Dependency data flows (1)
medium axios dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:861 pkgs/npm/[email protected]/lib/adapters/http.js:1062

</> First-Party Code

first-party (npm)

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #66c6cb83702416f2 Environment-variable access.
repo/documentation/examples/advanced-creation.js:113
				const secret = options.context.secret ?? process.env.SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e51d4b681a678f98 Environment-variable access.
repo/documentation/examples/gh-got.js:23
		token: process.env.GITHUB_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

axios

npm dependency
medium pii_flow dependency Excluded from app score #7424529c6a1b734f Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:1062 · flow /tmp/closeopen-3j88kr5f/pkgs/npm/[email protected]/lib/adapters/http.js:861 → /tmp/closeopen-3j88kr5f/pkgs/npm/[email protected]/lib/adapters/http.js:1062
      req = transport.request(options, function handleResponse(res) {
        clearConnectPhaseTimer();

        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
              break;
            case 'zstd':
              if (isZstdSupported) {
                streams.push(zlib.createZstdDecompress(zstdOptions));
                delete res.headers['content-encoding'];
              }
              break;
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          // Enforce maxContentLength on streamed responses; previously this
          // was applied only to buffered responses.
          if (maxContentLength > -1) {
            const limit = maxContentLength;
            const source = responseStream;
            async function* enforceMaxContentLength() {
              let totalResponseBytes = 0;
              for await (const chunk of source) {
                totalResponseBytes += chunk.length;
                if (totalResponseBytes > limit) {
                  throw new AxiosError(
                    'maxContentLength size of ' + limit + ' exceeded',
                    AxiosError.ERR_BAD_RESPONSE,
                    config,
                    lastRequest
                  );
                }
                yield chunk;
              }
            }
            responseStream = stream.Readable.from(enforceMaxContentLength(), {
              objectMode: false,
            });
          }
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest,
              response
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (rejected) return;
            reject(AxiosError.from(err, null, config, lastRequest, response));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #7bb6af3d8a8b2675 Environment-variable access.
pkgs/npm/[email protected]/lib/helpers/shouldBypassProxy.js:168
  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/request

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #992dbdd0c15edb3c Filesystem access.
pkgs/npm/@[email protected]/index.d.ts:9
import fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ava

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #9d83f6cfaedb8ceb Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:297
		if (debug !== null && !process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c73dcde8daa3ca92 Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:454
	if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #010662e87a014273 Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:496
		if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbbb8609ed0080e7 Filesystem access.
pkgs/npm/[email protected]/lib/code-excerpt.js:21
		contents = fs.readFileSync(new URL(file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38e628c1db0c5d4f Environment-variable access.
pkgs/npm/[email protected]/lib/load-config.js:44
const gitScmFile = process.env.AVA_FAKE_SCM_ROOT ?? '.git';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #408fea2c3cfaad46 Filesystem access.
pkgs/npm/[email protected]/lib/scheduler.js:43
			failedTestFiles = JSON.parse(fs.readFileSync(filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21d49a46b228a294 Filesystem access.
pkgs/npm/[email protected]/lib/snapshot-manager.js:80
		return fs.readFileSync(file);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1902c236aa712bcd Environment-variable access.
pkgs/npm/[email protected]/lib/watcher.js:20
const takeCoverageForSelfTests = process.env.TEST_AVA ? v8.takeCoverage : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc1383546be0a682 Filesystem access.
pkgs/npm/[email protected]/lib/worker/line-numbers.js:10
	const ast = acorn.parse(fs.readFileSync(file, 'utf8'), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

bluebird

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #7a5c7af91acb0829 Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.core.js:3812
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7813030736f4a23b Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.js:5676
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf5a0903c56ef6b5 Environment-variable access.
pkgs/npm/[email protected]/js/release/util.js:322
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #2e8abe2ea4f771ec Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55de0ed3261df742 Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #305bf49defebac38 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fbe4d47334cd51b Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c32c9b5b192ae8e1 Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a516bfe602286603 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dc1e25e9f83fe7c Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbb7a427af8ec05d Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88e711e829401eb8 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #256b87f163bb32e9 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f89c951b0dea8d3 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #0055253692a36fa8 Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

np

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #96cab20596b6d175 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:10
			process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a195eadca196ad6 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:11
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #605bc98b95caa5db Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:12
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9ece6b42e1348d2 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:18
		validate: () => process.env.GITLAB_CI && process.env.NPM_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e72071b20d2376b7 Environment-variable access.
pkgs/npm/[email protected]/source/prerequisite-tasks.js:30
			enabled: () => process.env.NODE_ENV !== 'test' && !package_.private,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pem

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #c831883d37a7106f Environment-variable access.
pkgs/npm/[email protected]/lib/debug.js:2
  if (process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #462a670f1ad7a4a5 Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:4
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bf5d70ab7490cb0 Environment-variable access.
pkgs/npm/[email protected]/lib/helper.js:7
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c8d8e04a8c88385 Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:90
    fs.writeFileSync(PasswordFile, options.password)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9b48435f75ad32a Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:6
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f12f2a1ed0a600c9 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:11
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47ea7ad5854c5dca Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:15
if ("CI" in process.env && process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c15344eb63bede90 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:16
  if ("LIBRARY" in process.env && "VERSION" in process.env && process.env.LIBRARY != "" && process.env.VERSION != "") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5b7c251934e57bc Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:17
    const filePathOpenSSL=`./openssl/${process.env.LIBRARY}_v${process.env.VERSION}/bin/openssl`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acea82c6b36b534e Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:19
      process.env.OPENSSL_BIN = filePathOpenSSL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96897d997122e4fd Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:129
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1e41eacada80de8 Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:231
    fs.writeFileSync(file.path, file.contents)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1642cb5db0430599 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:266
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

readable-stream

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #46d17fdc593f2afd Environment-variable access.
pkgs/npm/[email protected]/lib/ours/index.js:4
if (Stream && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

request

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #c3748507f71d30bf Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:45
  var noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16984016e6739bde Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:62
    return process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13cd60ca7cbeeddd Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:63
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7604b80b59439ece Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:67
    return process.env.HTTPS_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #089fc797a6b05675 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:68
      process.env.https_proxy ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b22e55032c79652 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:69
      process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0fdafa097ece095 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:70
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dcbd26e2992463f Filesystem access.
pkgs/npm/[email protected]/lib/har.js:3
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7114ffaf57cadb22 Environment-variable access.
pkgs/npm/[email protected]/request.js:133
Request.debug = process.env.NODE_DEBUG && /\brequest\b/.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

slow-stream

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #1db89185cc0af682 Filesystem access.
pkgs/npm/[email protected]/test.js:1
var fs               = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57174520efab053d Filesystem access.
pkgs/npm/[email protected]/test.js:31
fs.writeFile(testSourceFile, boganData, function (err) {
  assert(!err)

  var startTs = +new Date

  fs.createReadStream(testSourceFile, { bufferSize: chunkSize })
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: maxWriteInterval })) // this one is the slowest and should be the bottleneck
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 10) }))
    .pipe(fs.createWriteStream(testDestFile))
    .on('close', function () {
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })
    })
    .on('error', console.log)
})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22aee1897001e860 Filesystem access.
pkgs/npm/[email protected]/test.js:45
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tempy

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a8e085f8fc7be78e Filesystem access.
pkgs/npm/[email protected]/index.js:112
	fs.writeFileSync(filename, fileContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

then-busboy

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #1ab1739c8067c201 Filesystem access.
pkgs/npm/[email protected]/lib/cjs/listener/onFile.js:7
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81bc23867504e9c2 Filesystem access.
pkgs/npm/[email protected]/lib/esm/listener/onFile.js:2
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #05689dccf01607d8 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #411006f17fd9a117 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4da451f46e520dde Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f650fc7686ce8f89 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93f38d31abd0612e Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f76b86e80df897a7 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa80bc47be96bc72 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0225f60173c1765a Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11d0ee661873beb6 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cd5fc49134e8bfc Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • cacheable-request prod — dist-only: no readable source
  • keyv prod — dist-only: no readable source

Development

  • @sindresorhus/tsconfig dev — no javascript source
  • expect-type dev — dist-only: no readable source
  • tough-cookie dev — dist-only: no readable source
  • tsx dev — dist-only: no readable source
  • xo dev — dist-only: no readable source