Close Open Privacy Scan

Snapshot: commit 52d5e8f
engine v1
2026-06-25T12:21:36.435209+00:00

No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

97 /100
Low privacy risk

Low risk · 35 finding(s)

Dependency score: 97 (Low risk)

Score Breakdown

env_fs −3

Scan Summary

0 high 0 medium 35 low
First-party packages: 1
Dependency packages: 4
Ecosystem: npm

Application data flows

No high- or medium-confidence application data-flow findings in this scan.

</> First-Party Code

first-party (npm)

npm first-party
16 low-confidence finding(s)
low env_fs test-only #aeb2b9f06f0e71ad Environment-variable access.
repo/__tests__/application/index.test.js:39
    const NODE_ENV = process.env.NODE_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e65e47d3018ae781 Environment-variable access.
repo/__tests__/application/index.test.js:40
    process.env.NODE_ENV = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18dfa61c76bdee8f Environment-variable access.
repo/__tests__/application/index.test.js:42
    process.env.NODE_ENV = NODE_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #33c1f8900723698c Environment-variable access.
repo/__tests__/application/inspect.test.js:8
process.env.NODE_ENV = 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f48cd157fb8e899 Filesystem access.
repo/__tests__/application/respond.test.js:8
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f48cd157fb8e899 Filesystem access.
repo/__tests__/application/respond.test.js:8
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54818eaa264f2681 Filesystem access.
repo/__tests__/application/respond.test.js:163
      const { length } = fs.readFileSync('package.json')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88402f1f3f6f3580 Filesystem access.
repo/__tests__/application/respond.test.js:780
        ctx.length = fs.readFileSync('package.json').length

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cff1a40965d78e3 Filesystem access.
repo/__tests__/application/respond.test.js:799
          ctx.length = fs.readFileSync('package.json').length

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #8870f6201fba7546 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Test harness — not production egress.
repo/__tests__/application/respond.test.js:926 · flow /tmp/closeopen-s0m47pci/repo/__tests__/application/respond.test.js:927 → /tmp/closeopen-s0m47pci/repo/__tests__/application/respond.test.js:926
        const req = http.request({
          port: server.address().port,
          path: '/'
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #60e81d4472055176 Filesystem access.
repo/__tests__/response/body.test.js:7
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60e81d4472055176 Filesystem access.
repo/__tests__/response/body.test.js:7
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #5999aff8557a316c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Test harness — not production egress.
repo/__tests__/response/flushHeaders.test.js:107 · flow /tmp/closeopen-s0m47pci/repo/__tests__/response/flushHeaders.test.js:104 → /tmp/closeopen-s0m47pci/repo/__tests__/response/flushHeaders.test.js:107
      const req = http.request({ port })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #61e29cd0b2146190 Filesystem access.
repo/__tests__/response/length.test.js:6
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61e29cd0b2146190 Filesystem access.
repo/__tests__/response/length.test.js:6
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e07856e4daeb5e96 Environment-variable access.
repo/lib/application.js:79
    this.env = options.env || process.env.NODE_ENV || 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

c8

npm dependency
14 low-confidence finding(s)
low env_fs dependency Excluded from app score #8d736220818803fa Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #327cf424ba23ee9e Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60027b84a0cec9e5 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60027b84a0cec9e5 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d903253e6fe4c9a Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2abc2a8d6eded352 Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa1d0282a07531e4 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ae4e1a6b6e56d7a Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ae4e1a6b6e56d7a Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b813b927b1f7822 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b040d03c30bedd7 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b040d03c30bedd7 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20cc7225a6df5ee3 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be75b8470d429312 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

destroy

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #8ddbc6a2a14e6302 Filesystem access.
pkgs/npm/[email protected]/index.js:16
var ReadStream = require('fs').ReadStream

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gen-esm-wrapper

npm dependency
3 low-confidence finding(s)
low env_fs dependency Excluded from app score #82ce92f5c6b31f4e Filesystem access.
pkgs/npm/[email protected]/gen-esm-wrapper.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82ce92f5c6b31f4e Filesystem access.
pkgs/npm/[email protected]/gen-esm-wrapper.js:5
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91d958593b17ed69 Filesystem access.
pkgs/npm/[email protected]/gen-esm-wrapper.js:81
  fs.writeFileSync(target, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

standard

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #33f9bff9a4a26d10 Filesystem access.
pkgs/npm/[email protected]/lib/options.js:8
const pkgJSON = readFileSync(pkgURL, { encoding: 'utf-8' })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • content-disposition prod — dist-only: no readable source
  • content-type prod — dist-only: no readable source