Close Open Privacy Scan

bolt Snapshot: commit 52d5e8f
science engine v3
schedule 2026-07-08T10:06:07.881025+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

97 /100
Low privacy risk

Low risk · 14 finding(s)

Dependency score: 98 (Low risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 0 medium 14 low
First-party packages: 1
Dependency packages: 1
Ecosystem: npm

swap_horiz Application data flows

No high- or medium-confidence application data-flow findings in this scan.

</> First-Party Code

first-party (npm)

npm first-party
expand_more 13 low-confidence finding(s)
low env_fs test-only #4b4836f457a412aa Environment-variable access.
repo/__tests__/application/index.test.js:39
    const NODE_ENV = process.env.NODE_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a75396a0afad5623 Environment-variable access.
repo/__tests__/application/index.test.js:40
    process.env.NODE_ENV = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b70002a3f867130 Environment-variable access.
repo/__tests__/application/index.test.js:42
    process.env.NODE_ENV = NODE_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e333575e06aa5f79 Environment-variable access.
repo/__tests__/application/inspect.test.js:8
process.env.NODE_ENV = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ede109512701b490 Filesystem access.
repo/__tests__/application/respond.test.js:8
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55d98d630b499815 Filesystem access.
repo/__tests__/application/respond.test.js:163
      const { length } = fs.readFileSync('package.json')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7fce6df3c649f68 Filesystem access.
repo/__tests__/application/respond.test.js:780
        ctx.length = fs.readFileSync('package.json').length

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f71a5a49c0551f98 Filesystem access.
repo/__tests__/application/respond.test.js:799
          ctx.length = fs.readFileSync('package.json').length

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #4f15f53a6116af16 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Test harness — not production egress.
repo/__tests__/application/respond.test.js:926 · flow /tmp/closeopen-6c37qivt/repo/__tests__/application/respond.test.js:927 → /tmp/closeopen-6c37qivt/repo/__tests__/application/respond.test.js:926
        const req = http.request({
          port: server.address().port,
          path: '/'
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #027997d9d7dccfe9 Filesystem access.
repo/__tests__/response/body.test.js:7
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #802d601e5507ecb4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Test harness — not production egress.
repo/__tests__/response/flushHeaders.test.js:107 · flow /tmp/closeopen-6c37qivt/repo/__tests__/response/flushHeaders.test.js:104 → /tmp/closeopen-6c37qivt/repo/__tests__/response/flushHeaders.test.js:107
      const req = http.request({ port })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #d78d724d06dddf6c Filesystem access.
repo/__tests__/response/length.test.js:6
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f84668be74d1a4d Environment-variable access.
repo/lib/application.js:79
    this.env = options.env || process.env.NODE_ENV || 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

destroy

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #751c223ddef4764f Filesystem access.
pkgs/npm/[email protected]/index.js:16
var ReadStream = require('fs').ReadStream

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • content-disposition prod — dist-only: no readable source
  • content-type prod — dist-only: no readable source