Close Open Privacy Scan

bolt Snapshot: commit dd3b295
science engine v2
schedule 2026-07-06T18:07:59.188328+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code. Dependency data flows are listed separately and do not affect this verdict.

App Privacy Score

97 /100
Low privacy risk

Low risk · 73 finding(s)

Dependency score: 82 (Low risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 1 medium 72 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

swap_horiz Application data flows

No application data flows were found. See dependency data flows below.

hub Dependency data flows (1)
medium axios dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:861 pkgs/npm/[email protected]/lib/adapters/http.js:1062

</> First-Party Code

first-party (npm)

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #9df2ce53e5c21fc3 Environment-variable access.
repo/documentation/examples/advanced-creation.js:113
				const secret = options.context.secret ?? process.env.SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad0ce1ba69c6c4ec Environment-variable access.
repo/documentation/examples/gh-got.js:23
		token: process.env.GITHUB_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

axios

npm dependency
medium pii_flow dependency Excluded from app score #bf11096b585d374d Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:1062 · flow /tmp/closeopen-icis9my1/pkgs/npm/[email protected]/lib/adapters/http.js:861 → /tmp/closeopen-icis9my1/pkgs/npm/[email protected]/lib/adapters/http.js:1062
      req = transport.request(options, function handleResponse(res) {
        clearConnectPhaseTimer();

        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
              break;
            case 'zstd':
              if (isZstdSupported) {
                streams.push(zlib.createZstdDecompress(zstdOptions));
                delete res.headers['content-encoding'];
              }
              break;
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          // Enforce maxContentLength on streamed responses; previously this
          // was applied only to buffered responses.
          if (maxContentLength > -1) {
            const limit = maxContentLength;
            const source = responseStream;
            async function* enforceMaxContentLength() {
              let totalResponseBytes = 0;
              for await (const chunk of source) {
                totalResponseBytes += chunk.length;
                if (totalResponseBytes > limit) {
                  throw new AxiosError(
                    'maxContentLength size of ' + limit + ' exceeded',
                    AxiosError.ERR_BAD_RESPONSE,
                    config,
                    lastRequest
                  );
                }
                yield chunk;
              }
            }
            responseStream = stream.Readable.from(enforceMaxContentLength(), {
              objectMode: false,
            });
          }
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest,
              response
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (rejected) return;
            reject(AxiosError.from(err, null, config, lastRequest, response));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #16e925b95591f976 Environment-variable access.
pkgs/npm/[email protected]/lib/helpers/shouldBypassProxy.js:168
  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/request

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #3abe9fb0f54459ce Filesystem access.
pkgs/npm/@[email protected]/index.d.ts:9
import fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ava

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #d8ff0c91f0032d12 Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:297
		if (debug !== null && !process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a149698af9cce5e Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:454
	if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c60315eb98f55cb Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:496
		if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f63770d62019b9a1 Filesystem access.
pkgs/npm/[email protected]/lib/code-excerpt.js:21
		contents = fs.readFileSync(new URL(file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c432cc891789af30 Environment-variable access.
pkgs/npm/[email protected]/lib/load-config.js:44
const gitScmFile = process.env.AVA_FAKE_SCM_ROOT ?? '.git';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b62276e5fca0266 Filesystem access.
pkgs/npm/[email protected]/lib/scheduler.js:43
			failedTestFiles = JSON.parse(fs.readFileSync(filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b74318adf87241e Filesystem access.
pkgs/npm/[email protected]/lib/snapshot-manager.js:80
		return fs.readFileSync(file);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #799a50b40c0f96eb Environment-variable access.
pkgs/npm/[email protected]/lib/watcher.js:20
const takeCoverageForSelfTests = process.env.TEST_AVA ? v8.takeCoverage : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee491ea8ba48ff2f Filesystem access.
pkgs/npm/[email protected]/lib/worker/line-numbers.js:10
	const ast = acorn.parse(fs.readFileSync(file, 'utf8'), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

bluebird

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #a44a5e63af438d4e Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.core.js:3812
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13263bcf8c64a769 Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.js:5676
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1e32dc35237b852 Environment-variable access.
pkgs/npm/[email protected]/js/release/util.js:322
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #645a18d2fdb8fd34 Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63baa2e1a5c60f33 Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4107f90476f850b6 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f065374f93c322af Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4c13d66c26c117f Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49dc80f3895a33a3 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c17c00931dd5e4ce Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c675fb226a22303 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7577ab69c427657 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09bc16a2cb016ef8 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45b9fdea7b5fcb17 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #56856f9f905923bb Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

np

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #c87c218c04d36b4e Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:10
			process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a134d29ac8a45550 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:11
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70bd9d4d78c4d20c Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:12
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23bb7442f2afc1c7 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:18
		validate: () => process.env.GITLAB_CI && process.env.NPM_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bd6e25f2a0245a3 Environment-variable access.
pkgs/npm/[email protected]/source/prerequisite-tasks.js:30
			enabled: () => process.env.NODE_ENV !== 'test' && !package_.private,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pem

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #72630afc44d0605b Environment-variable access.
pkgs/npm/[email protected]/lib/debug.js:2
  if (process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76adbaee2f40b784 Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:4
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41fa8410d0a27383 Environment-variable access.
pkgs/npm/[email protected]/lib/helper.js:7
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4b6e4c64008e0bd Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:90
    fs.writeFileSync(PasswordFile, options.password)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95e3cc755ce4f04d Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:6
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8ab9790918408bd Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:11
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afb213ca51118b4c Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:15
if ("CI" in process.env && process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffcf8a0ce1913197 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:16
  if ("LIBRARY" in process.env && "VERSION" in process.env && process.env.LIBRARY != "" && process.env.VERSION != "") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34d9f773bb2b0205 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:17
    const filePathOpenSSL=`./openssl/${process.env.LIBRARY}_v${process.env.VERSION}/bin/openssl`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb22bb280454bc81 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:19
      process.env.OPENSSL_BIN = filePathOpenSSL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53a982d52067e1c2 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:129
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f35e01a664b77d1e Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:231
    fs.writeFileSync(file.path, file.contents)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #342824b9d204095f Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:266
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

readable-stream

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #736415eeb888e9bd Environment-variable access.
pkgs/npm/[email protected]/lib/ours/index.js:4
if (Stream && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

request

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #b4f8f7b8047593d6 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:45
  var noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d67e8c29d8f03fa4 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:62
    return process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63dcdfdd6114b7f0 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:63
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5103e7d4428c2b84 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:67
    return process.env.HTTPS_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38cc8c2e678872c1 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:68
      process.env.https_proxy ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e01fc0ed7e75a24 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:69
      process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ceb1c42ffe79ef80 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:70
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58ee978580a46fcb Filesystem access.
pkgs/npm/[email protected]/lib/har.js:3
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fae9a671fddb11e4 Environment-variable access.
pkgs/npm/[email protected]/request.js:133
Request.debug = process.env.NODE_DEBUG && /\brequest\b/.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

slow-stream

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #4112bfab3b221caf Filesystem access.
pkgs/npm/[email protected]/test.js:1
var fs               = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83b7ada286542994 Filesystem access.
pkgs/npm/[email protected]/test.js:31
fs.writeFile(testSourceFile, boganData, function (err) {
  assert(!err)

  var startTs = +new Date

  fs.createReadStream(testSourceFile, { bufferSize: chunkSize })
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: maxWriteInterval })) // this one is the slowest and should be the bottleneck
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 10) }))
    .pipe(fs.createWriteStream(testDestFile))
    .on('close', function () {
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })
    })
    .on('error', console.log)
})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1694ed220575baf5 Filesystem access.
pkgs/npm/[email protected]/test.js:45
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tempy

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #df72d53393d16155 Filesystem access.
pkgs/npm/[email protected]/index.js:112
	fs.writeFileSync(filename, fileContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

then-busboy

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #d73bc4e558105922 Filesystem access.
pkgs/npm/[email protected]/lib/cjs/listener/onFile.js:7
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #963fadeb88edb579 Filesystem access.
pkgs/npm/[email protected]/lib/esm/listener/onFile.js:2
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #cc22e12c98e06d43 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1875bcc2e229e67 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54ca6d3523a50d2e Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb8043d62a5667f0 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d396adc377b6b53 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efe0eaea4c9c75e2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b876de4033962f2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdda2fa7d79399ed Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc329775b3074f29 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f41817be2fca013 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • cacheable-request prod — dist-only: no readable source
  • keyv prod — dist-only: no readable source

Development

  • @sindresorhus/tsconfig dev — no javascript source
  • expect-type dev — dist-only: no readable source
  • tough-cookie dev — dist-only: no readable source
  • tsx dev — dist-only: no readable source
  • xo dev — dist-only: no readable source