Close Open Privacy Scan

bolt Snapshot: commit c69ab88
science engine v2
schedule 2026-07-03T10:14:51.221180+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

37 /100
High privacy risk — application leak confirmed

High risk · 588 finding(s)

Dependency score: 37 (High risk)

bar_chart Score Breakdown

pii_flow −60
env_fs −3

list Scan Summary

10 high 0 medium 578 low
First-party packages: 8
Dependency packages: 36
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:44
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:35 repo/scripts/release.ts:55
high first-party (npm): packages/nuxt User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:105 repo/packages/nuxt/src/app/components/nuxt-island.ts:220
hub Dependency data flows (6)
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:215
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:317
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:523
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:549
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:568
high pkg-pr-new dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:42 pkgs/npm/[email protected]/index.ts:590

</> First-Party Code

first-party (npm)

npm first-party
high pii_flow production #1beaa52679bf2418 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-xp4bpqqm/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-xp4bpqqm/repo/packages/nuxt/src/app/components/nuxt-island.ts:220
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6aac0fe5b3ef3abc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:44 · flow /tmp/closeopen-xp4bpqqm/repo/scripts/release.ts:35 → /tmp/closeopen-xp4bpqqm/repo/scripts/release.ts:44
  const idTokenResponse = await fetch(idTokenUrl, {
    headers: { authorization: `Bearer ${requestToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5df41db104e9209f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/release.ts:55 · flow /tmp/closeopen-xp4bpqqm/repo/scripts/release.ts:35 → /tmp/closeopen-xp4bpqqm/repo/scripts/release.ts:55
  const exchangeResponse = await fetch(exchangeUrl, {
    method: 'POST',
    headers: { authorization: `Bearer ${idToken}` },
  })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 93 low-confidence finding(s)
low env_fs production #51e6ddcbe1b066c8 Environment-variable access.
repo/nuxt.config.ts:10
      if (!process.env.DOCS_TYPECHECK) { return }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cf44af5ddce7b72 Environment-variable access.
repo/nuxt.config.ts:51
  pages: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4096ecdf059df73b Environment-variable access.
repo/nuxt.config.ts:61
    shim: process.env.DOCS_TYPECHECK === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b98d938b7f793080 Filesystem access.
repo/packages/kit/src/ignore.ts:66
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdd7263b9d0e4ba Filesystem access.
repo/packages/kit/src/module/install.test.ts:16
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #129a0c6c931bfb0d Filesystem access.
repo/packages/kit/src/module/install.test.ts:22
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f889be0f43e29aad Filesystem access.
repo/packages/kit/src/module/install.ts:337
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #029550b2cc46a1c1 Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #795e667942956f88 Filesystem access.
repo/packages/kit/src/template.ts:652
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec7aca4cd4189778 Filesystem access.
repo/packages/kit/src/template.ts:653
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b513bdfeee7e05aa Filesystem access.
repo/packages/kit/src/template.ts:654
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c998ebea446d845f Filesystem access.
repo/packages/kit/src/template.ts:655
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f45824b47a31f18 Filesystem access.
repo/packages/kit/src/template.ts:656
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e6b4f1ffe9e3520 Filesystem access.
repo/packages/kit/src/template.ts:657
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c123e33096f526a Filesystem access.
repo/packages/kit/src/template.ts:658
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #646835684495b496 Filesystem access.
repo/packages/nitro-server/src/index.ts:461
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75e5938903a0f47e Filesystem access.
repo/packages/nitro-server/src/index.ts:494
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8e744951185e508 Filesystem access.
repo/packages/nitro-server/src/index.ts:498
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #201a809c72c5bf2d Filesystem access.
repo/packages/nitro-server/src/index.ts:882
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80fb82f341c6bd30 Filesystem access.
repo/packages/nitro-server/src/index.ts:889
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7868cd1a0c57b12 Filesystem access.
repo/packages/nitro-server/src/index.ts:993
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78c38c3cc9b5ea9f Filesystem access.
repo/packages/nitro-server/src/index.ts:1108
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #392e4a934d5d8a95 Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #33ef26e2d833340e Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de050d4714698ac9 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a86ca706f01af7f8 Filesystem access.
repo/packages/nuxt/src/core/app.ts:98
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #489bf6c076aed249 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12967361307ed847 Filesystem access.
repo/packages/nuxt/src/core/app.ts:258
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5303eef997c882b Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7876032510360577 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1920d48be9787b3b Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e67bf86a2e26a9e Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02c87c002e402616 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82251eefa0370671 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #661d945f4da4b875 Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec83d2f53a800793 Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #286abc87602cc030 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e42d205e4b73d66d Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b5ce39330704d1f Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21fdc9b1f7034b34 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cd672f9b7ec6fc8 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7ffb3959c7108cf Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91027169c61d0c9c Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ced74ad56a3a6e3 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71bb46039e63ba74 Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6aee6485ab7d82ac Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac69326647c91a16 Environment-variable access.
repo/packages/schema/src/config/app.ts:33
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64b68946c6ada451 Environment-variable access.
repo/packages/schema/src/config/app.ts:41
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b706dd641d1a0981 Environment-variable access.
repo/packages/schema/src/config/app.ts:50
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43bb9b88b9abfb58 Environment-variable access.
repo/packages/schema/src/config/common.ts:142
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ff96f08c85e414d Environment-variable access.
repo/packages/schema/src/config/common.ts:147
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f355b751811e52bd Environment-variable access.
repo/packages/schema/src/config/common.ts:148
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fe18896683dc4b8 Environment-variable access.
repo/packages/schema/src/config/common.ts:153
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c014436f3dc42f0d Environment-variable access.
repo/packages/schema/src/config/common.ts:154
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24f5c9e7a624627 Environment-variable access.
repo/packages/schema/src/config/dev.ts:8
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7951e84267735c43 Environment-variable access.
repo/packages/schema/src/config/dev.ts:9
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6579e1bc39eb47b8 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15f2974e2d99a785 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce03b09f6d52d67c Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21b5e8a9d71ffe78 Filesystem access.
repo/packages/ui-templates/lib/render.ts:47
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e72fc3c172f33a53 Filesystem access.
repo/packages/ui-templates/lib/render.ts:68
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7d32363654d5241 Filesystem access.
repo/packages/ui-templates/lib/render.ts:83
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5adc6767d7e7fbf9 Filesystem access.
repo/packages/ui-templates/lib/render.ts:99
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d431ccee24fa1a2c Filesystem access.
repo/packages/ui-templates/lib/render.ts:193
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be87d991c1d77dc Filesystem access.
repo/packages/ui-templates/lib/render.ts:194
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7ec89f692d460fd Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c0867e4ff7d46a6 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4553830b1d28401a Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cd27a143f286576 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c961f6ce5f30f28 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fbe45b18c7a3fe9 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0edc8f38b16dbd81 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f9fc2a3bccc49d Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eec4f749e1bf7f6 Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0d1efb2499fc0f Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0ae20b73cdca66c Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52ba24bfa4a90712 Environment-variable access.
repo/packages/vite/src/vite-node.ts:9
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3dbc0bdf75e98606 Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f25ae07006a00e Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21ed6973a2bdbf18 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34045a83e8db080f Filesystem access.
repo/scripts/_utils.ts:21
  const data = JSON.parse(await fsp.readFile(pkgPath, 'utf-8').catch(() => '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5e3c749254ee64d Filesystem access.
repo/scripts/_utils.ts:22
  const save = () => fsp.writeFile(pkgPath, JSON.stringify(data, null, 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49845ed8eef84a1e Environment-variable access.
repo/scripts/_utils.ts:172
        'Authorization': `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #914782e0ca0485ba Filesystem access.
repo/scripts/release.ts:24
  return JSON.parse(readFileSync(pkgPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8322f6523f1d0cf Environment-variable access.
repo/scripts/release.ts:35
  const requestUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #293edf5fcf518119 Environment-variable access.
repo/scripts/release.ts:36
  const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98e51fe42e72d5c3 Environment-variable access.
repo/scripts/release.ts:97
  const tagsInput = process.env.TAG || 'latest'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76bfe79f0f2ffdbf Filesystem access.
repo/scripts/release.ts:122
    const originalReadme = readFileSync('README.md', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fed4961de055b54a Filesystem access.
repo/scripts/release.ts:127
    writeFileSync('README.md', readme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44486acaf1c64dbf Filesystem access.
repo/scripts/release.ts:184
    writeFileSync('README.md', originalReadme)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38e2753cd2630bd7 Environment-variable access.
repo/scripts/update-changelog.ts:73
        Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e74807f6d98b99b1 Environment-variable access.
repo/scripts/update-changelog.ts:89
      Authorization: `token ${process.env.GITHUB_TOKEN}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f57ed438301845b Environment-variable access.
repo/vitest.config.ts:20
    appManifest: process.env.TEST_MANIFEST !== 'manifest-off',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nuxt

npm first-party
high pii_flow production #1beaa52679bf2418 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nuxt/src/app/components/nuxt-island.ts:220 · flow /tmp/closeopen-xp4bpqqm/repo/packages/nuxt/src/app/components/nuxt-island.ts:105 → /tmp/closeopen-xp4bpqqm/repo/packages/nuxt/src/app/components/nuxt-island.ts:220
      const r = await fetch(withQuery(((import.meta.dev && import.meta.client) || props.source) ? url : joinURL(config.app.baseURL ?? '', url), {
        ...props.context,
        props: props.props ? serializedProps.value : undefined,
      }))

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 23 low-confidence finding(s)
low env_fs production #33ef26e2d833340e Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:118
          const contents = await readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de050d4714698ac9 Filesystem access.
repo/packages/nuxt/src/compiler/module.ts:173
          contents = await readFile(absolutePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a86ca706f01af7f8 Filesystem access.
repo/packages/nuxt/src/core/app.ts:98
      writes.push(() => writeFileSync(fullPath, contents, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #489bf6c076aed249 Filesystem access.
repo/packages/nuxt/src/core/app.ts:125
      return await fsp.readFile(template.src, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12967361307ed847 Filesystem access.
repo/packages/nuxt/src/core/app.ts:258
      const code = nuxt.vfs[plugin.src] ?? await fsp.readFile(plugin.src!, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5303eef997c882b Filesystem access.
repo/packages/nuxt/src/core/cache.ts:52
      await writeFile(buildIdCacheFile, nuxt.options.buildId)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7876032510360577 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:86
  const cachedBuildId = (await readFile(buildIdCacheFile, 'utf-8')).trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1920d48be9787b3b Filesystem access.
repo/packages/nuxt/src/core/cache.ts:246
    const data = await fd.readFile()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e67bf86a2e26a9e Filesystem access.
repo/packages/nuxt/src/core/cache.ts:280
  const files = parseTar(await readFile(cacheFile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02c87c002e402616 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:306
      await fd.writeFile(file.data!)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82251eefa0370671 Filesystem access.
repo/packages/nuxt/src/core/cache.ts:323
  await writeFile(cacheFile, tarData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #661d945f4da4b875 Environment-variable access.
repo/packages/nuxt/src/core/nuxt.ts:891
  if (options.telemetry !== false && !process.env.NUXT_TELEMETRY_DISABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec83d2f53a800793 Environment-variable access.
repo/packages/nuxt/src/core/perf.ts:141
const SLOW_HOOK_THRESHOLD_MS = Number(process.env.NUXT_PERF_SLOW_HOOK_MS) || 50

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #286abc87602cc030 Filesystem access.
repo/packages/nuxt/src/core/perf.ts:707
      writeFileSync(reportPath, JSON.stringify(report, null, 2), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e42d205e4b73d66d Filesystem access.
repo/packages/nuxt/src/core/perf.ts:708
      writeFileSync(tracePath, JSON.stringify({ traceEvents: this.getTraceEvents() }), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b5ce39330704d1f Filesystem access.
repo/packages/nuxt/src/core/schema.ts:150
      await writeFile(
        resolve(nuxt.options.buildDir, 'schema/nuxt.schema.json'),
        JSON.stringify(schema, null, 2),
        'utf8',
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21fdc9b1f7034b34 Filesystem access.
repo/packages/nuxt/src/core/schema.ts:180
      await writeFile(typesPath, types, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cd672f9b7ec6fc8 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:13
    = process.env.https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7ffb3959c7108cf Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:14
      || process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91027169c61d0c9c Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:15
      || process.env.http_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ced74ad56a3a6e3 Environment-variable access.
repo/packages/nuxt/src/core/utils/proxy.ts:16
      || process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71bb46039e63ba74 Filesystem access.
repo/packages/nuxt/src/pages/module.ts:313
        const dts = await readFile(declarationFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6aee6485ab7d82ac Filesystem access.
repo/packages/nuxt/src/pages/utils.ts:164
      const fileContent = vfs[route.file] ?? fs.readFileSync(ctx.fullyResolvedPaths?.has(route.file) ? route.file : await resolvePath(route.file), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/kit

npm first-party
expand_more 12 low-confidence finding(s)
low env_fs production #b98d938b7f793080 Filesystem access.
repo/packages/kit/src/ignore.ts:66
    const contents = readFileSync(nuxtignoreFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdd7263b9d0e4ba Filesystem access.
repo/packages/kit/src/module/install.test.ts:16
    await writeFile(join(prereleaseModule, 'package.json'), JSON.stringify({
      name: 'prerelease-module',
      version: '2.0.0-beta.1',
      type: 'module',
      exports: './index.js',
    }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #129a0c6c931bfb0d Filesystem access.
repo/packages/kit/src/module/install.test.ts:22
    await writeFile(join(prereleaseModule, 'index.js'), `
export default Object.assign(() => {}, {
  getMeta: () => ({
    name: 'prerelease-module',
    configKey: 'prereleaseModule'
  })
})
    `)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f889be0f43e29aad Filesystem access.
repo/packages/kit/src/module/install.ts:337
      buildTimeModuleMeta = JSON.parse(await fsp.readFile(moduleMetadataPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #029550b2cc46a1c1 Environment-variable access.
repo/packages/kit/src/runtime-config.ts:20
    envExpansion: nuxt.options.nitro.experimental?.envExpansion ?? !!process.env.NITRO_ENV_EXPANSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #795e667942956f88 Filesystem access.
repo/packages/kit/src/template.ts:652
    fsp.writeFile(appTsConfigPath, JSON.stringify(tsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec7aca4cd4189778 Filesystem access.
repo/packages/kit/src/template.ts:653
    fsp.writeFile(legacyTsConfigPath, JSON.stringify(legacyTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b513bdfeee7e05aa Filesystem access.
repo/packages/kit/src/template.ts:654
    fsp.writeFile(nodeTsConfigPath, JSON.stringify(nodeTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c998ebea446d845f Filesystem access.
repo/packages/kit/src/template.ts:655
    fsp.writeFile(sharedTsConfigPath, JSON.stringify(sharedTsConfig, null, 2)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f45824b47a31f18 Filesystem access.
repo/packages/kit/src/template.ts:656
    fsp.writeFile(declarationPath, declaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e6b4f1ffe9e3520 Filesystem access.
repo/packages/kit/src/template.ts:657
    fsp.writeFile(nodeDeclarationPath, nodeDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c123e33096f526a Filesystem access.
repo/packages/kit/src/template.ts:658
    fsp.writeFile(sharedDeclarationPath, sharedDeclaration),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nitro-server

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #646835684495b496 Filesystem access.
repo/packages/nitro-server/src/index.ts:461
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify({}))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75e5938903a0f47e Filesystem access.
repo/packages/nitro-server/src/index.ts:494
        await fsp.writeFile(join(tempDir, 'latest.json'), JSON.stringify({
          id: buildId,
          timestamp: buildTimestamp,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8e744951185e508 Filesystem access.
repo/packages/nitro-server/src/index.ts:498
        await fsp.writeFile(join(tempDir, `meta/${buildId}.json`), JSON.stringify(manifest))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #201a809c72c5bf2d Filesystem access.
repo/packages/nitro-server/src/index.ts:882
    let projectConfiguration = await readFile(join(cacheDir, 'chrome-workspace.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80fb82f341c6bd30 Filesystem access.
repo/packages/nitro-server/src/index.ts:889
      await writeFile(join(cacheDir, 'chrome-workspace.json'), JSON.stringify(projectConfiguration), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7868cd1a0c57b12 Filesystem access.
repo/packages/nitro-server/src/index.ts:993
          nitro.options.virtual['#build/dist/server/server.mjs'] = () => memfs.readFileSync(join(nuxt.options.buildDir, 'dist/server/server.mjs'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78c38c3cc9b5ea9f Filesystem access.
repo/packages/nitro-server/src/index.ts:1108
      return readFileSync(spaLoadingTemplate, 'utf-8').trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #392e4a934d5d8a95 Environment-variable access.
repo/packages/nitro-server/src/runtime/utils/renderer/build-files.ts:73
    if (import.meta.dev && process.env.NUXT_VITE_NODE_OPTIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/schema

npm first-party
expand_more 10 low-confidence finding(s)
low env_fs production #ac69326647c91a16 Environment-variable access.
repo/packages/schema/src/config/app.ts:33
        return process.env.NUXT_APP_BASE_URL || '/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64b68946c6ada451 Environment-variable access.
repo/packages/schema/src/config/app.ts:41
        return process.env.NUXT_APP_BUILD_ASSETS_DIR || '/_nuxt/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b706dd641d1a0981 Environment-variable access.
repo/packages/schema/src/config/app.ts:50
        return process.env.NUXT_APP_CDN_URL || (typeof val === 'string' ? val : '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43bb9b88b9abfb58 Environment-variable access.
repo/packages/schema/src/config/common.ts:142
          perf: process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ff96f08c85e414d Environment-variable access.
repo/packages/schema/src/config/common.ts:147
        if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f355b751811e52bd Environment-variable access.
repo/packages/schema/src/config/common.ts:148
          (val as NuxtDebugOptions).perf = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fe18896683dc4b8 Environment-variable access.
repo/packages/schema/src/config/common.ts:153
      if (process.env.NUXT_DEBUG_PERF) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c014436f3dc42f0d Environment-variable access.
repo/packages/schema/src/config/common.ts:154
        const perf: boolean | 'quiet' = process.env.NUXT_DEBUG_PERF === 'quiet' ? 'quiet' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24f5c9e7a624627 Environment-variable access.
repo/packages/schema/src/config/dev.ts:8
    port: Number(process.env.NUXT_PORT || process.env.NITRO_PORT || process.env.PORT || 3000),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7951e84267735c43 Environment-variable access.
repo/packages/schema/src/config/dev.ts:9
    host: process.env.NUXT_HOST || process.env.NITRO_HOST || process.env.HOST || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/ui-templates

npm first-party
expand_more 10 low-confidence finding(s)
low env_fs production #6579e1bc39eb47b8 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:27
      const contents = await fsp.readFile(r(page, 'index.html'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15f2974e2d99a785 Filesystem access.
repo/packages/ui-templates/lib/dev.ts:29
      const messages = JSON.parse(await fsp.readFile(r(page, 'messages.json'), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce03b09f6d52d67c Filesystem access.
repo/packages/ui-templates/lib/prerender.ts:16
    await fsp.writeFile(file.replace('.js', '/index.html'), updated)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21b5e8a9d71ffe78 Filesystem access.
repo/packages/ui-templates/lib/render.ts:47
        let html = readFileSync(fileName, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e72fc3c172f33a53 Filesystem access.
repo/packages/ui-templates/lib/render.ts:68
          const svg = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7d32363654d5241 Filesystem access.
repo/packages/ui-templates/lib/render.ts:83
          let contents = readFileSync(join(outputDir, src), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5adc6767d7e7fbf9 Filesystem access.
repo/packages/ui-templates/lib/render.ts:99
        const messages = JSON.parse(readFileSync(r(`templates/${templateName}/messages.json`), 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d431ccee24fa1a2c Filesystem access.
repo/packages/ui-templates/lib/render.ts:193
        writeFileSync(fileName.replace('/index.html', '.ts'), functionalCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be87d991c1d77dc Filesystem access.
repo/packages/ui-templates/lib/render.ts:194
        writeFileSync(fileName.replace('/index.html', '.vue'), vueCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7ec89f692d460fd Environment-variable access.
repo/packages/ui-templates/vite.config.ts:18
    outDir: process.env.OUTPUT_DIR || 'dist',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/vite

npm first-party
expand_more 11 low-confidence finding(s)
low env_fs production #1c0867e4ff7d46a6 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:73
      const clientManifest = nuxt.options.dev ? devClientManifest : JSON.parse(readFileSync(manifestFile, 'utf-8')) as ViteClientManifest

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4553830b1d28401a Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:106
          await writeFile(resolve(serverDist, 'client.manifest.mjs'), manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cd27a143f286576 Filesystem access.
repo/packages/vite/src/plugins/client-manifest.ts:107
          await writeFile(resolve(serverDist, 'client.precomputed.mjs'), precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c961f6ce5f30f28 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:29
          readFile(id, 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fbe45b18c7a3fe9 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:30
          readFile(id + '.map.json', 'utf-8').catch(() => undefined),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0edc8f38b16dbd81 Filesystem access.
repo/packages/vite/src/plugins/sourcemap-preserver.ts:71
        await writeFile(dest, JSON.stringify({
          file: chunk.map.file,
          mappings: chunk.map.mappings,
          names: chunk.map.names,
          sources: chunk.map.sources,
          sourcesContent: chunk.map.sourcesContent,
          version: chunk.map.version,
        }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f9fc2a3bccc49d Environment-variable access.
repo/packages/vite/src/plugins/vite-node.ts:342
        process.env.NUXT_VITE_NODE_OPTIONS = JSON.stringify(viteNodeServerOptions)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eec4f749e1bf7f6 Environment-variable access.
repo/packages/vite/src/utils/logger.ts:45
    if (typeof msg === 'string' && !process.env.DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d0d1efb2499fc0f Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:16
    await writeFile(join(fixtureDir, 'app/app.vue'), '<template><div/></template>')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0ae20b73cdca66c Filesystem access.
repo/packages/vite/src/utils/transpile.test.ts:17
    await writeFile(join(fixtureDir, 'nuxt.config.ts'), `
export default defineNuxtConfig({
  modules: [
    (_, nuxt) => {
      nuxt.options.build.transpile.push('my-async-package')
    },
  ],
})
`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52ba24bfa4a90712 Environment-variable access.
repo/packages/vite/src/vite-node.ts:9
  const envVar = process.env.NUXT_VITE_NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/webpack

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #3dbc0bdf75e98606 Filesystem access.
repo/packages/webpack/src/plugins/ssr-styles.ts:51
    const src = readFileSync(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5f25ae07006a00e Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:170
        await writeFile(join(this.serverDist, 'client.manifest.mjs'), this.manifestCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21ed6973a2bdbf18 Filesystem access.
repo/packages/webpack/src/plugins/vue/client.ts:171
        await writeFile(join(this.serverDist, 'client.precomputed.mjs'), this.precomputedCode, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

pkg-pr-new

npm dependency
high pii_flow dependency Excluded from app score #57718a7c87495724 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:215 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:215
            checkResponse = await fetch(new URL("/check", apiUrl), {
              method: "POST",
              body: JSON.stringify({
                owner,
                repo,
                key,
              }),
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ecb8c67e40855bb5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:317 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:317
              const resource = await fetch(longDepUrl, {
                signal: controller.signal,
              });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #cc7cffdc61ff42e3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:523 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:523
                const createMultipartRes = await fetch(createMultipart, {
                  method: "POST",
                  headers: {
                    "sb-key": key,
                    "sb-name": name.slice("package:".length),
                    "sb-sha": sha,
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #1be0509c1889436a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:549 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:549
                  const uploadMultipartRes = await fetch(uploadMultipart, {
                    method: "PUT",
                    headers: {
                      key: uploadKey,
                      id: uploadId,
                      "part-number": `${i + 1}`,
                    },
                    body: chunk,
                  });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #6b95cfd66652345a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:568 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:568
                const completeMultipartRes = await fetch(completeMultipart, {
                  method: "POST",
                  headers: {
                    key: uploadKey,
                    id: uploadId,
                    "uploaded-parts": JSON.stringify(uploadedParts),
                  },
                });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d47f6fcf89973a74 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/index.ts:590 · flow /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:42 → /tmp/closeopen-xp4bpqqm/pkgs/npm/[email protected]/index.ts:590
          const res = await fetch(publishUrl, {
            method: "POST",
            headers: {
              "sb-sha": sha,
              "sb-comment": comment,
              "sb-compact": `${isCompact}`,
              "sb-key": key,
              "sb-shasums": JSON.stringify(shasums),
              "sb-run-id": GITHUB_RUN_ID,
              "sb-bin": `${isBinaryApplication}`,
              "sb-package-manager": selectedPackageManager.join(","),
              "sb-only-templates": `${isOnlyTemplates}`,
              "sb-comment-with-sha": `${isCommentWithSha}`,
              "sb-comment-with-dev": `${isCommentWithDev}`,
            },
            body: formData,
          });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #77a8e3a57a9103d3 Environment-variable access.
pkgs/npm/[email protected]/index.ts:42
const apiUrl = process.env.API_URL ?? API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #845648c4030bc8f5 Environment-variable access.
pkgs/npm/[email protected]/index.ts:186
          if (!process.env.TEST && process.env.GITHUB_ACTIONS !== "true") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45d98d556279d232 Environment-variable access.
pkgs/npm/[email protected]/index.ts:240
          if (process.env.GITHUB_EVENT_NAME !== "pull_request") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b397f26e2114e34 Filesystem access.
pkgs/npm/[email protected]/index.ts:380
              const gitignoreContent = await fs.readFile(gitignorePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd6f9a32084a45d9 Filesystem access.
pkgs/npm/[email protected]/index.ts:394
              const file = await fs.readFile(path.join(templateDir, filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e59d8092c65a967 Filesystem access.
pkgs/npm/[email protected]/index.ts:495
              const buffer = await fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe934c720009aa90 Filesystem access.
pkgs/npm/[email protected]/index.ts:659
            await fs.writeFile(jsonFilePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ddbefd4275c0858 Filesystem access.
pkgs/npm/[email protected]/index.ts:714
      .update(await fs.readFile(path.resolve(p, filename)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0080af426752cb00 Filesystem access.
pkgs/npm/[email protected]/index.ts:754
  return () => fs.writeFile(pJsonPath, pJsonContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #224bceb25fe9b42e Filesystem access.
pkgs/npm/[email protected]/index.ts:812
    return await fs.readFile(p, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #530719681461321e Environment-variable access.
pkgs/npm/[email protected]/tsup.config.ts:12
    API_URL: JSON.stringify(process.env.API_URL ?? "https://localhost:3000"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@babel/core

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #5cda6a231315ad5c Filesystem access.
pkgs/npm/@[email protected]/lib/config/files/index.js:20
    return fn(filepath, yield* readFile(filepath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7862972e3fae796 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/files/index.js:326
  const targetPath = process.env.BABEL_SHOW_CONFIG_FOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e44f7dad158984c Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:315
  return process.env.BABEL_ENV || process.env.NODE_ENV || defaultValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdd2981e2e163284 Environment-variable access.
pkgs/npm/@[email protected]/lib/index-shared.js:1761
  if (typeof process !== "undefined" && process.env.BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bdac8f729fa194d Filesystem access.
pkgs/npm/@[email protected]/lib/transform-file.js:12
  const code = yield* readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71697d2dda6f9a81 Filesystem access.
pkgs/npm/@[email protected]/lib/transformation/read-input-source-map-file.js:65
    const inputMapContent = fs.readFileSync(inputMapPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/cli

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #99ca06ed494a86ac Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:10
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef994d4fcb490692 Environment-variable access.
pkgs/npm/@[email protected]/bin/nuxi.mjs:15
      process.env.NODE_COMPILE_CACHE ||= directory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@nuxt/friendly-errors-webpack-plugin

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #110e22a4ff947200 Environment-variable access.
pkgs/npm/@[email protected]/src/reporters/base.js:36
        if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@parcel/watcher

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #80aada7eee8a3398 Environment-variable access.
pkgs/npm/@[email protected]/scripts/build-from-source.js:5
if (process.env.npm_config_build_from_source === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@rspack/core

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #34e0f45c1ab160f0 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:209
else if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1ff23912e257634 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:258
  if (/\bgfs4\b/i.test(process.env.NODE_DEBUG || '')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c01ea1687090133 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:271
if (process.env.TEST_GRACEFUL_FS_GLOBAL_PATCH && !fs.__patched) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8c8444246d54c98 Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:760
var platform = process.env.GRACEFUL_FS_PLATFORM || process.platform

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ce0b4f9a241253e Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3032
	+process.env.WATCHPACK_WATCHER_LIMIT || (IS_OSX ? 20 : 10000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb60f716fb47b82b Environment-variable access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3035
	process.env.WATCHPACK_RECURSIVE_WATCHER_LOGGING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #552dbec489462f44 Filesystem access.
pkgs/npm/@[email protected]/compiled/watchpack/index.js:3490
module.exports = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/compiler-core

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #94369f283dcf9da0 Environment-variable access.
pkgs/npm/@[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/language-core

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #5b106b28b98eb51e Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:18
            return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c241d1047ac488d Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:51
                return host.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96d570c8087ff7ad Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:174
        const packageJsonPath = this.ts.findConfigFile(folder, fileName => this.readFile(fileName) !== undefined, 'node_modules/vue/package.json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2529257d4fdc6722 Filesystem access.
pkgs/npm/@[email protected]/lib/compilerOptions.js:178
        const packageJsonContent = this.readFile(packageJsonPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@vue/shared

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #780e8ded1939a1dd Environment-variable access.
pkgs/npm/@[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

autoprefixer

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #643c74f3fade6ac8 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:559
      } else if (typeof process.env.AUTOPREFIXER_GRID !== 'undefined') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcc51f28c3da1ce6 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:560
        if (process.env.AUTOPREFIXER_GRID === 'autoplace') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chokidar

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #063001cb1a921d62 Environment-variable access.
pkgs/npm/[email protected]/index.js:284
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ff653c402296eaf Environment-variable access.
pkgs/npm/[email protected]/index.js:294
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

esbuild

npm dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #5965a37ccd2a9339 Filesystem access.
pkgs/npm/[email protected]/install.js:26
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fc1bb23b3e2611c Environment-variable access.
pkgs/npm/[email protected]/install.js:29
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d771b2a47a591d9 Filesystem access.
pkgs/npm/[email protected]/install.js:89
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e498adadf8dd678c Filesystem access.
pkgs/npm/[email protected]/install.js:186
    fs2.writeFileSync(path2.join(installDir, "package.json"), "{}");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b84895b272658fc Filesystem access.
pkgs/npm/[email protected]/install.js:192
    binaryIntegrityCheck(pkg, subpath, fs2.readFileSync(installedBinPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3938ad0b6fcf05c Filesystem access.
pkgs/npm/[email protected]/install.js:217
  fs2.writeFileSync(toPath, `#!/usr/bin/env node
require('child_process').execFileSync(${pathString}, process.argv.slice(2), { stdio: 'inherit' });
`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13cd6f08c501bffd Filesystem access.
pkgs/npm/[email protected]/install.js:221
  const code = fs2.readFileSync(libMain, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30d0662aef410ad5 Filesystem access.
pkgs/npm/[email protected]/install.js:222
  fs2.writeFileSync(libMain, `var ESBUILD_BINARY_PATH = ${pathString};
${code}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df794d61847e0a0c Filesystem access.
pkgs/npm/[email protected]/install.js:250
    fs2.writeFileSync(binPath, bytes);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d68b0e062fb3329 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1020
            fs3.readFile(response.code, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.code = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #623588f34226082f Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1031
            fs3.readFile(response.map, (err, contents) => {
              if (err !== null) {
                callback(err, null);
              } else {
                response.map = contents;
                next();
              }
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c91d47471cc4a77f Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1057
      start = () => fs3.writeFile(input, next);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab89f168ef913967 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1714
            contents = streamIn.readFileSync(match[1], "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2df4a89109bd4910 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1886
var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1df6d832fbf42b8 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:1889
var ESBUILD_BINARY_PATH = process.env.ESBUILD_BINARY_PATH || ESBUILD_BINARY_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7c6db6063792569 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2080
var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1420c4b3b3a104ba Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2084
if (process.env.ESBUILD_WORKER_THREADS !== "0") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6537487a9ce5e229 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2122
      let contents = fs2.readFileSync(tempFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #459c22590f21bb8d Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2135
      fs2.writeFileSync(tempFile, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f2f6f841316be23 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2145
      fs2.readFile(tempFile, "utf8", (err, contents) => {
        try {
          fs2.unlink(tempFile, () => callback(err, contents));
        } catch {
          callback(err, contents);
        }
      });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ac39c209ee18f7 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:2159
      fs2.writeFile(tempFile, contents, (err) => err !== null ? callback(null) : callback(tempFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a221e63681e50561 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:2380
    maxBuffer: +process.env.ESBUILD_MAX_BUFFER || 16 * 1024 * 1024

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #5105f1156867b377 Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e8cd668fde1d1ee Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ed9393690d4c2f4 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a1a2063f0000203 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8264a8f1b946af2 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbdb26a2e947374c Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf3df6bb2c2e6587 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56e4d32c096d09e2 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff3a836c0b311b6 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b2ac1b8c6792949 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30305918b966cd37 Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f4e86894b1eea2a Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #143893cde920ec2a Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-plugin-import-x

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #665423fb5d47fe87 Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:658
			pkg: JSON.parse(stripBOM(node_fs.default.readFileSync(fp, { encoding: "utf8" }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b905f5a06075fca Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:1369
		const content = node_fs.default.readFileSync(filepath, { encoding: "utf8" });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e081dc931d4939da Environment-variable access.
pkgs/npm/[email protected]/lib/index.cjs:2029
	const client = process.env.npm_config_user_agent?.split("/")[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d75dc95e4781a9c Filesystem access.
pkgs/npm/[email protected]/lib/index.cjs:4384
		return JSON.parse(node_fs.default.readFileSync(jsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9df3ba38dc199ed6 Filesystem access.
pkgs/npm/[email protected]/lib/rules/no-extraneous-dependencies.js:16
        return JSON.parse(fs.readFileSync(jsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7022b02e5110b5d Filesystem access.
pkgs/npm/[email protected]/lib/utils/export-map.js:68
        const content = fs.readFileSync(filepath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49b170c5f5d5c0c0 Environment-variable access.
pkgs/npm/[email protected]/lib/utils/npm-client.js:14
    const client = process.env.npm_config_user_agent?.split('/')[0];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10aff4df9a58b3ad Filesystem access.
pkgs/npm/[email protected]/lib/utils/read-pkg-up.js:13
            pkg: JSON.parse(stripBOM(fs.readFileSync(fp, { encoding: 'utf8' }))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fork-ts-checker-webpack-plugin

npm dependency
expand_more 16 low-confidence finding(s)
low env_fs dependency Excluded from app score #a00bf8a46b0607b7 Filesystem access.
pkgs/npm/[email protected]/lib/formatter/code-frame-formatter.js:14
        const source = issue.file && fs_extra_1.default.existsSync(issue.file) && fs_extra_1.default.readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19a28fd9f9f50747 Environment-variable access.
pkgs/npm/[email protected]/lib/rpc/rpc-worker.js:81
    return JSON.parse(process.env[WORKER_DATA_ENV_KEY] || '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b074079aff73e61 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/file-system.d.ts:2
import type { Dirent, Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d9803e305ebf6c4 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:46
        return memfs_1.fs
            .readFileSync(real_file_system_1.realFileSystem.normalizePath(path), { encoding: encoding })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03eda72197b65da8 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/mem-file-system.js:67
    memfs_1.fs.writeFileSync(real_file_system_1.realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33fc728eb236df56 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:35
            ? real_file_system_1.realFileSystem.readFile(path, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a63c80b19d7ce8e Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:36
            : mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3485207caf8bc318 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:39
        return real_file_system_1.realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85ea927654513b64 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/passive-file-system.js:42
        return mem_file_system_1.memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b69ded72e700791 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:98
            readFileCache.set(normalizedPath, fs.readFileSync(normalizedPath, { encoding: encoding }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7de6e393ea26e578 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/file-system/real-file-system.js:152
    fs.writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcc99a2ff6d51357 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/host/watch-solution-builder-host.js:28
            system_1.system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c287c03874f004ab Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:45
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a7b667f9edcb3a0 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:52
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dae71367fbd763f7 Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:213
                const content = passive_file_system_1.passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12caaa0007c5e28e Filesystem access.
pkgs/npm/[email protected]/lib/typescript/worker/lib/system.js:215
                    mem_file_system_1.memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

happy-dom

npm dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #9030b2a2b897940c Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:8
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42c53cfb62d8b4f6 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/Fetch.js:293
            buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3d816a3353d2911 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:4
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7960abfa2d7ca1b0 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/SyncFetch.js:246
            buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb42e1e440d48fd9 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:2
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81bc8ddcb9e097c2 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:42
                promises.push(FS.promises
                    .readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dffe569417a0c04c Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:49
                        return FS.promises
                            .readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b83af4ec334e894 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:129
                        promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6483c3dad99dbe09 Filesystem access.
pkgs/npm/[email protected]/lib/fetch/cache/response/ResponseCacheFileSystem.js:131
                            promises.push(FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.data`), cachedResponse.response.body));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdea9c0826da0002 Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:5
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #505e69fd390d347a Filesystem access.
pkgs/npm/[email protected]/lib/module/ModuleURLUtility.js:101
                packageJson = JSON.parse(FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb234f6b5cbc2dee Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:12
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbbabc62db854c94 Filesystem access.
pkgs/npm/[email protected]/src/fetch/Fetch.ts:380
			buffer = await FS.promises.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98e8046028d49aa9 Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:6
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9ab64d4eaa081fb Filesystem access.
pkgs/npm/[email protected]/src/fetch/SyncFetch.ts:326
			buffer = FS.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e137fd57fd70f368 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:3
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8157df1cdeae56cb Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:53
					FS.promises
						.readFile(Path.join(absoluteDirectory, file), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb6b3cf6c3c966d3 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:61
								return FS.promises
									.readFile(Path.join(absoluteDirectory, file.split('.')[0] + '.data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7af8292c4841b4ad Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:157
							FS.promises.writeFile(Path.join(absoluteDirectory, `${hash}.json`), json)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ba6e4d2a5771bb5 Filesystem access.
pkgs/npm/[email protected]/src/fetch/cache/response/ResponseCacheFileSystem.ts:162
								FS.promises.writeFile(
									Path.join(absoluteDirectory, `${hash}.data`),
									cachedResponse.response.body
								)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dcb80df00904c28 Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:7
import FS from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81e866a2d2048d28 Filesystem access.
pkgs/npm/[email protected]/src/module/ModuleURLUtility.ts:128
					FS.readFileSync(Path.join(nodeModulesDirectory, packageName, 'package.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

jiti

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #2e4bceabf7a00a89 Environment-variable access.
pkgs/npm/[email protected]/lib/jiti-cli.mjs:15
if (nodeModule.enableCompileCache && !process.env.NODE_DISABLE_COMPILE_CACHE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d81aec9b497f4773 Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:45
  const rawSource = await readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b1a913c6e505e6e Filesystem access.
pkgs/npm/[email protected]/lib/jiti-hooks.mjs:121
    return JSON.parse(await readFile(packageJsonPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #c881c0a396ec1b18 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:194
      fs.writeFileSync(options.output, lintResultString);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bece69e7f9bb9e9 Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:278
  const ignoreText = fs.readFileSync(ignorePath, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e198f46fa9059bd Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:323
        const originalText = fs.readFileSync(file, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b249f08f472783fa Filesystem access.
pkgs/npm/[email protected]/markdownlint.js:326
          fs.writeFileSync(file, fixedText, fsOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

memfs

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #1b6943d798c1c8d0 Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:3
fs.writeFileSync('/hello.txt', 'Hello World');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c2f8aecd78fe8a75 Filesystem access.
pkgs/npm/[email protected]/demo/runkit.js:5
console.log(fs.readFileSync('/hello.txt', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

oxc-transform

npm dependency
expand_more 33 low-confidence finding(s)
low env_fs dependency Excluded from app score #613327f67cbf3e4d Filesystem access.
pkgs/npm/[email protected]/index.js:10
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03c7c26dc5012220 Filesystem access.
pkgs/npm/[email protected]/index.js:32
    return readFileSync('/usr/bin/ldd', 'utf-8').includes('musl')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6064113a6542ac64 Environment-variable access.
pkgs/npm/[email protected]/index.js:68
  if (process.env.NAPI_RS_NATIVE_LIBRARY_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64721fd87c9cf0dd Environment-variable access.
pkgs/npm/[email protected]/index.js:70
      return require(process.env.NAPI_RS_NATIVE_LIBRARY_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e58d0d53a42a7e95 Environment-variable access.
pkgs/npm/[email protected]/index.js:84
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07676e691c64f9d4 Environment-variable access.
pkgs/npm/[email protected]/index.js:100
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #198941a4bfeedbc6 Environment-variable access.
pkgs/npm/[email protected]/index.js:121
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #205bc877fbbe4926 Environment-variable access.
pkgs/npm/[email protected]/index.js:137
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5098c27b1c315550 Environment-variable access.
pkgs/npm/[email protected]/index.js:154
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a6d95bae229f6c5 Environment-variable access.
pkgs/npm/[email protected]/index.js:170
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19a3c3bee15c68fb Environment-variable access.
pkgs/npm/[email protected]/index.js:189
      if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85f426bae4043159 Environment-variable access.
pkgs/npm/[email protected]/index.js:205
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80432b32120ac450 Environment-variable access.
pkgs/npm/[email protected]/index.js:221
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #781e85fcff33b12c Environment-variable access.
pkgs/npm/[email protected]/index.js:241
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f15f47be84b96a77 Environment-variable access.
pkgs/npm/[email protected]/index.js:257
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e3fb50b19117ef7 Environment-variable access.
pkgs/npm/[email protected]/index.js:278
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c8ae462c0bbd8b1 Environment-variable access.
pkgs/npm/[email protected]/index.js:294
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b00930121df4fd4 Environment-variable access.
pkgs/npm/[email protected]/index.js:312
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00df0de652ff39fa Environment-variable access.
pkgs/npm/[email protected]/index.js:328
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2904d579c2cdb466 Environment-variable access.
pkgs/npm/[email protected]/index.js:346
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #447b06ee57d685c4 Environment-variable access.
pkgs/npm/[email protected]/index.js:362
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62c10207906ab0ba Environment-variable access.
pkgs/npm/[email protected]/index.js:380
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fabf55fc6ca48ac5 Environment-variable access.
pkgs/npm/[email protected]/index.js:396
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #885b37d7f155cced Environment-variable access.
pkgs/npm/[email protected]/index.js:414
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3ad8edccd5cb5f7 Environment-variable access.
pkgs/npm/[email protected]/index.js:430
          if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf2eefd706d00ab4 Environment-variable access.
pkgs/npm/[email protected]/index.js:447
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6b11f0a703d5775 Environment-variable access.
pkgs/npm/[email protected]/index.js:463
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b01fb1f6ca226153 Environment-variable access.
pkgs/npm/[email protected]/index.js:483
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3fb4df00819b1c0 Environment-variable access.
pkgs/npm/[email protected]/index.js:499
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a03cf9263ab9a263 Environment-variable access.
pkgs/npm/[email protected]/index.js:515
        if (bindingPackageVersion !== '0.137.0' && process.env.NAPI_RS_ENFORCE_VERSION_CHECK && process.env.NAPI_RS_ENFORCE_VERSION_CHECK !== '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f979fcb972e7f7b3 Environment-variable access.
pkgs/npm/[email protected]/index.js:540
  process.env.NAPI_RS_FORCE_WASI === 'true' || process.env.NAPI_RS_FORCE_WASI === 'error'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89fef74a3fa983bf Environment-variable access.
pkgs/npm/[email protected]/index.js:568
  if (process.env.NAPI_RS_FORCE_WASI === 'error' && !wasiBinding) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64077785e987fb77 Filesystem access.
pkgs/npm/[email protected]/webcontainer-fallback.cjs:4
const pkg = JSON.parse(fs.readFileSync(require.resolve("oxc-transform/package.json"), "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

playwright-core

npm dependency
expand_more 44 low-confidence finding(s)
low env_fs dependency Excluded from app score #31c785c8928a9a9b Environment-variable access.
pkgs/npm/[email protected]/lib/bootstrap.js:13
if (process.env.PW_INSTRUMENT_MODULES) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11bed220664bbba6 Environment-variable access.
pkgs/npm/[email protected]/lib/server/electron/loader.js:59
  process.env.PLAYWRIGHT_LEGACY_SCREENSHOT ? "" : "--enable-features=CDPScreenshotNewSurface",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91763a4cdf47dd5c Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:1780
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e63445138d882de4 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5457
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ddace6980d0e0ac Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5948
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #710c04c0cf8f2d63 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:5955
      if (process.env.CHOKIDAR_PRINT_FSEVENTS_REQUIRE_ERROR) console.error(error);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9702546f157d856 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6345
    var fs2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f083f48836d1b817 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6582
        const envPoll = process.env.CHOKIDAR_USEPOLLING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3221642630d8af7f Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:6593
        const envInterval = process.env.CHOKIDAR_INTERVAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d58c4763b35b05b Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7092
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b36da5d24d0347f Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7179
    await import_fs.default.promises.writeFile(file, JSON.stringify(descriptor, null, 2), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #321a019486a9222f Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7188
    const content = await import_fs.default.promises.readFile(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #802be74185b952d9 Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7199
    const content = import_fs.default.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a69d3c4c1a8c1bf Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7213
    return process.env.PWTEST_SERVER_REGISTRY || registryDirectory;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72eb134a1691e82a Filesystem access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7243
      descriptor = JSON.parse(import_fs.default.readFileSync(file, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #445956289ef908e1 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7281
    return process.env.XDG_CACHE_HOME || import_path2.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe042d28529173c2 Environment-variable access.
pkgs/npm/[email protected]/lib/serverRegistry.js:7285
    return process.env.LOCALAPPDATA || import_path2.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8660af938c8e6081 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:35
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0eb0829f79e77e24 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:44
  if (process.env.PWTEST_CLI_CHANNEL_SCAN_DISABLED_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #06ab856be55d22fe Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:72
    contents = await import_fs.default.promises.readFile(import_path.default.join(userDataDir, "DevToolsActivePort"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #619ca7d062c147a2 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:99
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #606576fff4c839df Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:104
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b2c4037cf6102e58 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:109
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #13a9d33267031d9f Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:114
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Google", "Chrome SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #848d816a386cdfdd Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:119
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0c5ac36e4e6f9ccc Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:124
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Beta", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7ad56cc7ed9c1a16 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:129
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge Dev", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #99ae65430caf4034 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/channelSessions.js:134
    "win32": import_path.default.join(process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local"), "Microsoft", "Edge SxS", "User Data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c850dfc605cbc36e Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/output.js:191
    if (process.env.PWTEST_PRINT_DASHBOARD_PID_FOR_TEST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #985a72d2adc90854 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:80
      if (process.env.CLAUDECODE || process.env.COPILOT_CLI)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1836f156793bb0ae Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/program.js:301
  const pidFilterEnv = process.env.PWTEST_KILL_ALL_PID_FILTER_FOR_TEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #91be62ee27a5068b Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:40
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #55c4a00754df5c68 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:81
      const data = await import_fs.default.promises.readFile(fileName, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dfdbc0f34f2ed96d Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:120
  if (process.env.PWTEST_DAEMON_SESSION_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #291de6c90fb9b803 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:121
    return process.env.PWTEST_DAEMON_SESSION_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0cd9d6eb6983fd50 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:124
    localCacheDir = process.env.XDG_CACHE_HOME || import_path.default.join(import_os.default.homedir(), ".cache");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #430fa5834ba0ef5f Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:128
    localCacheDir = process.env.LOCALAPPDATA || import_path.default.join(import_os.default.homedir(), "AppData", "Local");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #171ffe7bc97cd277 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:135
  const version = process.env.PLAYWRIGHT_CLI_VERSION_FOR_TEST || import_package.packageJSON.version;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ac05ca25319a84e3 Environment-variable access.
pkgs/npm/[email protected]/lib/tools/cli-client/registry.js:163
  return sessionName || process.env.PLAYWRIGHT_CLI_SESSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #942947d3279ab1d4 Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:35
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e31c3d92449f6c8a Filesystem access.
pkgs/npm/[email protected]/lib/tools/cli-client/session.js:174
          const errLogContent = import_fs.default.readFileSync(errLog, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #619cc78058244f8a Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:36
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ebc1b9d192372fc7 Filesystem access.
pkgs/npm/[email protected]/lib/tools/utils/extension.js:59
    const prefs = await import_fs.default.promises.readFile(import_path.default.join(profileDir, "Preferences"), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51f59325775c87de Filesystem access.
pkgs/npm/[email protected]/types/types.d.ts:19
import { ReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #ed2ae6b4f64d4055 Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:218
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #783b6bde9b2d88a8 Environment-variable access.
pkgs/npm/[email protected]/lib/lazy-result.js:440
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f04333bbfbe3252 Environment-variable access.
pkgs/npm/[email protected]/lib/no-work-result.js:114
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b00e593ed08becb Environment-variable access.
pkgs/npm/[email protected]/lib/parse.js:13
    if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaf2b7a9bd71d48a Environment-variable access.
pkgs/npm/[email protected]/lib/postcss.js:41
      if (process.env.LANG && process.env.LANG.startsWith('cn')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bd13efffe880c6f Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:3
let { existsSync, readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3aa9ece3d67d93cc Filesystem access.
pkgs/npm/[email protected]/lib/previous-map.js:97
      return readFileSync(path, 'utf-8').toString().trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #793b3ac23c952442 Environment-variable access.
pkgs/npm/[email protected]/lib/processor.js:30
        if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

postcss-url

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #74e25ce18fbc7be4 Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99a835fe7012720f Filesystem access.
pkgs/npm/[email protected]/src/lib/get-file.js:10
        fs.readFile(filePath, (err, data) => {
            if (err) {
                reject(err);
            }
            resolve(data);
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e50a6f1bb8816e71 Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96a86b7e7ae7b95d Filesystem access.
pkgs/npm/[email protected]/src/type/copy.js:22
        fs.writeFile(dest, file.contents, { flag: 'wx' }, (err) => {
            if (err) {
                err.code === 'EEXIST' ? resolve() : reject(err);
            }
            resolve();
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency
expand_more 74 low-confidence finding(s)
low env_fs dependency Excluded from app score #105401f726cbcb08 Environment-variable access.
pkgs/npm/[email protected]/bin/prettier.cjs:66
if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbedc6cf706e6991 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:5609
    var debug = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c56acc903382237 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6176
    if (process.env.npm_package_name === "pseudomap" && process.env.npm_lifecycle_script === "test")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75e655f4ef337b78 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6177
      process.env.TEST_PSEUDOMAP = "true";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df05f8c7c7d1e170 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6178
    if (typeof Map === "function" && !process.env.TEST_PSEUDOMAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #669bb68e3eb29132 Environment-variable access.
pkgs/npm/[email protected]/index.mjs:6520
    var hasSymbol = typeof Symbol === "function" && process.env._nodeLRUCacheForceNoSymbol !== "1";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59832d8683adc70a Filesystem access.
pkgs/npm/[email protected]/index.mjs:7655
            fs4.readFile(file, "utf8", function(err, data) {
              if (err) {
                reject(err);
                return;
              }
              resolve3(parseString2(data));
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e78ce6597d535ef Filesystem access.
pkgs/npm/[email protected]/index.mjs:7668
      return parseString2(fs4.readFileSync(file, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b93b91fc1cd49b4 Filesystem access.
pkgs/npm/[email protected]/index.mjs:8004
              fs4.readFile(name, "utf8", function(err, data) {
                resolve3({
                  name,
                  contents: err ? "" : data
                });
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3165ac899b5decb Filesystem access.
pkgs/npm/[email protected]/index.mjs:8020
          file = fs4.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba0579d1619df9cd Filesystem access.
pkgs/npm/[email protected]/index.mjs:10382
import * as fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b0a1bbfa074777e Environment-variable access.
pkgs/npm/[email protected]/index.mjs:11485
  return typeof process === "object" && (process.env.FORCE_COLOR === "0" || process.env.FORCE_COLOR === "false") ? false : import_picocolors4.default.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfe3dd962e9633c0 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12540
import fs2 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb8e12e94abb91a0 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12546
    return await fs2.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64e2e2f6ab1a2170 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12697
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f5d82479aafd675 Filesystem access.
pkgs/npm/[email protected]/index.mjs:12707
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4767d5e80ef3b660 Filesystem access.
pkgs/npm/[email protected]/index.mjs:13059
    string = fs3.readFileSync(path6.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d913a077cfe02c Environment-variable access.
pkgs/npm/[email protected]/index.mjs:16485
      if (process.env.PRETTIER_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35cb0936b2b24c85 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:10
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #715b6029ef55c5f1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:15
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99e61ec7cca7a7d0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:371
  return dist_default.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #711b33afc7146685 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:516
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #389e697b1d1d3db0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:526
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb8583180a929d73 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:878
    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #272c6d7b570d3da1 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1878
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32c3ec72e20b2d56 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1955
          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22f4e132eeb83055 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1961
          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3855ce662b8ec71 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:54
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ffcc3e98da2a896 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:96
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0b3a159b0b95b3d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:107
      const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c156ee3dde363f38 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:116
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4dd01017a33a4e6 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:612
import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #966b165256d822dc Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:627
              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d684e67d1d519d02 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:633
              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #735c64f45e2e6ed5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2515
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #539c2e08a098bf8d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2525
    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c625567b7752ed75 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:2743
import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e292ba46f5f7a4a Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:3607
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48f64df451d12547 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:4855
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f9776a1b3dcfcc5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5794
import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f45aa3d89d2309b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5820
          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ad23ee939a54b21 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5835
          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c214d5761e7fbd5 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:5850
          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d90563f1ae27a40 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6238
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f6fd69f3ad01515 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6252
        return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65baac6106197970 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6582
import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d286943ac62a0068 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:6594
      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a32f9d969fe0411 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10466
import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c811d5db972b7ce Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10488
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6cef00700369a2d Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10493
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4e58adf3d82fb81 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10499
        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a3c58bd604786d7 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10515
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #918706a5ad31dd07 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:10521
        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e26224ca5930045 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11366
import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efbd84c88a369c5b Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11559
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa162342d148aee2 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:11567
  return dist_default36.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #663d8b5877c308b0 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12330
import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33e6f25e51ee6055 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12395
  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ef5b5e653568b32 Filesystem access.
pkgs/npm/[email protected]/internal/experimental-cli.mjs:12400
  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4933702af3436210 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1233
import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #999510ee51a1992c Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1554
import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fafb3f64d45d3e83 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1778
import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f3f31ea92a34fa1 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1786
import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01e88bd25444c74f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1794
import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78dfff59554d6319 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1888
    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e05431b55554887 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1906
import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb5e49fa1fbac42f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1910
import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06d0e63374b5fa51 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:1914
import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae77784e80e69e88 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4302
      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546b43eab432b5f1 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4506
        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #860807d9fa4db58f Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:4894
        const buffer = fs6.readFileSync(absolutePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87aa8511c243bac9 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5188
import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08d60556cd154d6e Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5449
  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54dda67e6b4de091 Filesystem access.
pkgs/npm/[email protected]/internal/legacy-cli.mjs:5805
      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

semver

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #3222599b8c28267d Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:6
  process.env.NODE_DEBUG &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #334a754beb8ccdb7 Environment-variable access.
pkgs/npm/[email protected]/internal/debug.js:7
  /\bsemver\b/i.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sherif

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #048679939ddc27ba Filesystem access.
pkgs/npm/[email protected]/index.js:4
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

svgo

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #61d03dce6dd23ce7 Filesystem access.
pkgs/npm/[email protected]/lib/svgo-node.js:2
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dbb6b8ec32be6a9 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0280d4b43d567581 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:12
const PKG = JSON.parse(await fs.promises.readFile(pkgPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9041d40c9a6bf9dd Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:378
  return fs.promises.readFile(file, 'utf8').then(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f914e76f8745f223 Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:452
  return fs.promises
    .writeFile(output, data, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e62ce24f4941c8a Filesystem access.
pkgs/npm/[email protected]/lib/svgo/coa.js:517
    return fs.promises.writeFile(
      path.resolve(output, path.basename(input)),
      data,
      'utf8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-checker-rspack-plugin

npm dependency
expand_more 26 low-confidence finding(s)
low env_fs dependency Excluded from app score #0e69c939b596222d Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:156
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f2a906aa6096504 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:202
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03a9b26b87832557 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:263
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9831e866f58dfaf2 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:281
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd127dd92b83243a Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:316
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b3227203f7c09f7 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:317
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0e951199655ce70 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:318
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de922cabd0c932a3 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:361
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b0e5783f03c3b37 Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:368
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4c93d3724e9f75f Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:503
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e984a9cc8ff898f Filesystem access.
pkgs/npm/[email protected]/lib/getDependenciesWorker.js:505
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2913a02268c9010 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:271
        if (stats && stats.isFile()) readFileCache.set(normalizedPath, external_node_fs_default().readFileSync(normalizedPath, {
            encoding: encoding
        }).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7db7a7772d24419 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:317
    external_node_fs_default().writeFileSync(normalizedPath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c0b572ba21ec931 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:378
    if (stats && stats.isFile()) return external_memfs_namespaceObject.fs.readFileSync(realFileSystem.normalizePath(path), {
        encoding: encoding
    }).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f3451a870abdb53 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:396
    external_memfs_namespaceObject.fs.writeFileSync(realFileSystem.normalizePath(path), data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e908c2e847084efb Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:431
    if (fsStats && memStats) return fsStats.mtimeMs > memStats.mtimeMs ? realFileSystem.readFile(path, encoding) : memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cb375a5649afb80 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:432
    if (fsStats) return realFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c248b3b3ff48f6ec Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:433
    if (memStats) return memFileSystem.readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28762051f4722975 Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:476
        return getReadFileSystem(path).readFile(path, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a4b3522d21e404c Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:483
        getWriteFileSystem(path).writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #063928cbeec3b78b Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:618
                const content = passiveFileSystem.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3afa673e0ed4cb6e Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:620
                    memFileSystem.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb8fc41e6adf36de Filesystem access.
pkgs/npm/[email protected]/lib/getIssuesWorker.js:994
            system.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58e6e10e62c64f45 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:145
            return "object" == typeof process && ("0" === process.env.FORCE_COLOR || "false" === process.env.FORCE_COLOR) ? false : picocolors.isColorSupported;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c00c0688514dee5 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:2609
    const defaultPlatform = 'object' == typeof process && process ? 'object' == typeof process.env && process.env && process.env.__MINIMATCH_TESTING_PLATFORM__ || process.platform : 'posix';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #949eec3e7ac8809c Filesystem access.
pkgs/npm/[email protected]/lib/index.js:4385
            const source = issue.file && external_node_fs_default().existsSync(issue.file) && external_node_fs_default().readFileSync(issue.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #1f796ff9b2492e26 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cd51ea9f18f6197 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d78b4480c4f59276 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #387bcb84c28a2396 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9919776ea4c5636 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c952749da5207b6 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d2c7ba28b4f9b0b Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87b18e2189fe05c9 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee8a8085830849b0 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25b5ba46e3288be9 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

undici

npm dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #837b98dd1b99ab7d Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:67
  const llhttpWasmData = process.env.JEST_WORKER_ID ? require('../llhttp/llhttp-wasm.js') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93cd43086a1d40ba Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:74
  if (process.env.UNDICI_NO_WASM_SIMD === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c0636f427c97c2e Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/client-h1.js:76
  } else if (process.env.UNDICI_NO_WASM_SIMD === '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #407ff0c3b4e3d45b Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:26
    const HTTP_PROXY = httpProxy ?? process.env.http_proxy ?? process.env.HTTP_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #444e047870b9fe1a Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:33
    const HTTPS_PROXY = httpsProxy ?? process.env.https_proxy ?? process.env.HTTPS_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36bc634f663f6d3a Environment-variable access.
pkgs/npm/[email protected]/lib/dispatcher/env-http-proxy-agent.js:142
    return process.env.no_proxy ?? process.env.NO_PROXY ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8965d264f47b3ca Environment-variable access.
pkgs/npm/[email protected]/lib/mock/pending-interceptors-formatter.js:23
        colors: !disableColors && !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b2f87c0d12198ac Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:424
      const data = await readFile(resolve(path), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94538556c513d0bc Filesystem access.
pkgs/npm/[email protected]/lib/mock/snapshot-recorder.js:470
    await writeFile(resolvedPath, JSON.stringify(data, null, 2), { flush: true })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8255374a2ad2bc8a Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:7
  ? transcode(readFileSync('./undici-fetch.js'), 'utf8', 'latin1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #422d345c399e0fcf Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:8
  : readFileSync('./undici-fetch.js')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6e27c36dfdcc1f68 Filesystem access.
pkgs/npm/[email protected]/scripts/strip-comments.js:10
writeFileSync('./undici-fetch.js', buffer.toString('latin1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

unstorage

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #625669fd3dcb34a0 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:38
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #673aa7df44f8edda Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:41
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dad374982357a1e Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:51
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41dfa5e0956a0850 Filesystem access.
pkgs/npm/[email protected]/drivers/fs-lite.mjs:57
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b24374f784af823 Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:49
      return readFile(r(key), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8856bb5adac171ab Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:52
      return readFile(r(key));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0d77156ad268feb Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:62
      return writeFile(r(key), value, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bcd6c725f323ba4 Filesystem access.
pkgs/npm/[email protected]/drivers/fs.mjs:68
      return writeFile(r(key), value);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #207bfc8c83719bc5 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:24
  return _nodeFs.promises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79b83f1694154259 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.cjs:27
  return _nodeFs.promises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08941af174dc095c Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:11
  return fsPromises.writeFile(path, data, encoding);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de210502fadad526 Filesystem access.
pkgs/npm/[email protected]/drivers/utils/node-fs.mjs:14
  return fsPromises.readFile(path, encoding).catch(ignoreNotfound);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1488f6ebcf31615 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:19
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #148bca9070274ef5 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:20
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6308a1198e2cba7 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:27
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #944762a9619862ba Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.cjs:28
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed0a98a46247fa73 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:13
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9a344f19faa55aa Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:14
          opts.url = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59f4f535525b17da Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:24
        if (envPrefix && process.env[envName]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5969dc933d90a21 Environment-variable access.
pkgs/npm/[email protected]/drivers/vercel-kv.mjs:25
          opts.token = process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vite

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #24a93216e2402ff0 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:6
  if (!process.env.DEBUG_DISABLE_SOURCE_MAP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb3fb338f390717a Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:36
  process.env.DEBUG = `${

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a22dcab95622f93 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:37
    process.env.DEBUG ? process.env.DEBUG + ',' : ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93722f8ae7ef1d08 Environment-variable access.
pkgs/npm/[email protected]/bin/vite.js:43
      process.env.VITE_DEBUG_FILTER = filter

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a81759459fad90f3 Environment-variable access.
pkgs/npm/[email protected]/index.js:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

vue-router

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #bc35da22ae373a2f Environment-variable access.
pkgs/npm/[email protected]/index.cjs:3
if (process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack

npm dependency
expand_more 29 low-confidence finding(s)
low env_fs dependency Excluded from app score #f512996c07d50630 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:901
							(this.outputFileSystem).writeFile(targetPath, content, (err) => {
								if (err) return callback(err);

								// information marker that the asset has been emitted
								compilation.emittedAssets.add(file);

								// cache the information that the Source has been written to that location
								const newGeneration =
									targetFileGeneration === undefined
										? 1
										: targetFileGeneration + 1;
								/** @type {CacheEntry} */
								(cacheEntry).writtenTo.set(targetPath, newGeneration);
								this._assetEmittingWrittenFiles.set(targetPath, newGeneration);
								this.hooks.assetEmitted.callAsync(
									file,
									{
										content,
										source,
										outputPath,
										compilation,
										targetPath
									},
									callback
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4856d2d50f1b9b59 Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:996
								return /** @type {OutputFileSystem} */ (
									this.outputFileSystem
								).readFile(targetPath, (err, existingContent) => {
									if (
										err ||
										!content.equals(/** @type {Buffer} */ (existingContent))
									) {
										return doWrite(content);
									}
									return alreadyWritten();
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb6beec4167fdfea Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1141
			(this.outputFileSystem).writeFile(
				/** @type {string} */ (this.recordsOutputPath),
				JSON.stringify(
					this.records,
					(n, value) => {
						if (
							typeof value === "object" &&
							value !== null &&
							!Array.isArray(value)
						) {
							const keys = Object.keys(value);
							if (!isSorted(keys)) {
								return sortObject(value, keys);
							}
						}
						return value;
					},
					2
				),
				callback
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #970ce91c36ce044a Filesystem access.
pkgs/npm/[email protected]/lib/Compiler.js:1227
			(this.inputFileSystem).readFile(
				/** @type {string} */
				(this.recordsInputPath),
				(err, content) => {
					if (err) return callback(err);

					try {
						this.records =
							/** @type {Records} */
							(parseJson(/** @type {Buffer} */ (content).toString("utf8")));
					} catch (parseErr) {
						return callback(
							new Error(
								`Cannot parse records: ${
									/** @type {Error} */ (parseErr).message
								}`
							)
						);
					}

					return callback(null);
				}
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dccc3646aa92b635 Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:447
					process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #883f3902c947977a Environment-variable access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:448
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #621eadc6859600a1 Filesystem access.
pkgs/npm/[email protected]/lib/DotenvPlugin.js:465
			fs.readFile(file, (err, content) => {
				if (err) reject(err);
				else resolve(/** @type {Buffer} */ (content).toString() || "");
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa9255bd420799b3 Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:50
					process.env[key] !== undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e81777ec0cdff86 Environment-variable access.
pkgs/npm/[email protected]/lib/EnvironmentPlugin.js:51
						? process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b614b25e5d8ab64 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2209
								this.fs.readFile(path, (err, content) => {
									if (err) return callback(err);
									try {
										const context = dirname(this.fs, path);
										const source = /** @type {Buffer} */ (content).toString();
										const [imports] = lexer.parse(source);
										/** @type {Set<string>} */
										const added = new Set();
										for (const imp of imports) {
											try {
												// import.meta
												if (imp.d === -2) {
													continue;
												}

												/** @type {string | null} */
												const dependency =
													imp.n ||
													parseString(source.slice(imp.s, imp.e).trim());

												if (!dependency) {
													continue;
												}

												// We should not track Node.js build dependencies
												if (dependency.startsWith("node:")) continue;
												if (builtinModules.has(dependency)) continue;
												// Avoid extra jobs for identical imports
												if (added.has(dependency)) continue;

												push({
													type: RBDT_RESOLVE_ESM_FILE,
													context,
													path: dependency,
													expected: imp.d > -1 ? false : undefined,
													issuer: job
												});
												added.add(dependency);
											} catch (err1) {
												logger.warn(
													`Parsing of ${path} for build dependencies failed at 'import(${source.slice(
														imp.s,
														imp.e
													)})'.\n` +
														"Build dependencies behind this expression are ignored and might cause incorrect cache invalidation."
												);
												logger.debug(pathToString(job));
												logger.debug(/** @type {Error} */ (err1).stack);
											}
										}
									} catch (err2) {
										logger.warn(
											`Parsing of ${path} for build dependencies failed and all dependencies of this file are ignored, which might cause incorrect cache invalidation..`
										);
										logger.debug(pathToString(job));
										logger.debug(/** @type {Error} */ (err2).stack);
									}
									process.nextTick(callback);
								});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #884920dc5d70bd25 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:2284
						this.fs.readFile(packageJson, (err, content) => {
							if (err) {
								if (err.code === "ENOENT") {
									resolveMissing.add(packageJson);
									const parent = dirname(this.fs, packagePath);
									if (parent !== packagePath) {
										push({
											type: RBDT_DIRECTORY_DEPENDENCIES,
											context: undefined,
											path: parent,
											expected: undefined,
											issuer: job
										});
									}
									callback();
									return;
								}
								return callback(err);
							}
							resolveFiles.add(packageJson);
							/** @type {JsonObject} */
							let packageData;
							try {
								packageData = JSON.parse(
									/** @type {Buffer} */
									(content).toString("utf8")
								);
							} catch (parseErr) {
								return callback(/** @type {Error} */ (parseErr));
							}
							const depsObject = packageData.dependencies;
							const optionalDepsObject = packageData.optionalDependencies;
							/** @type {Set<string>} */
							const allDeps = new Set();
							/** @type {Set<string>} */
							const optionalDeps = new Set();
							if (typeof depsObject === "object" && depsObject) {
								for (const dep of Object.keys(depsObject)) {
									allDeps.add(dep);
								}
							}
							if (
								typeof optionalDepsObject === "object" &&
								optionalDepsObject
							) {
								for (const dep of Object.keys(optionalDepsObject)) {
									allDeps.add(dep);
									optionalDeps.add(dep);
								}
							}
							for (const dep of allDeps) {
								push({
									type: RBDT_RESOLVE_DIRECTORY,
									context: packagePath,
									path: dep,
									expected: !optionalDeps.has(dep),
									issuer: job
								});
							}
							callback();
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d00a3f9cd792908c Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:3676
		this.fs.readFile(path, (err, content) => {
			if (err) {
				if (err.code === "EISDIR") {
					this._fileHashes.set(path, "directory");
					return callback(null, "directory");
				}
				if (err.code === "ENOENT") {
					this._fileHashes.set(path, null);
					return callback(null, null);
				}
				if (err.code === "ERR_FS_FILE_TOO_LARGE") {
					/** @type {Logger} */
					(this.logger).warn(`Ignoring ${path} for hashing as it's very large`);
					this._fileHashes.set(path, "too large");
					return callback(null, "too large");
				}
				return callback(/** @type {WebpackError} */ (err));
			}

			const hash = createHash(this._hashFunction);

			hash.update(/** @type {string | Buffer} */ (content));

			const digest = hash.digest("hex");

			this._fileHashes.set(path, digest);

			callback(null, digest);
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #651f199969ac0de9 Filesystem access.
pkgs/npm/[email protected]/lib/FileSystemInfo.js:4419
			this.fs.readFile(packageJsonPath, (err, content) => {
				if (err) {
					if (err.code === "ENOENT" || err.code === "ENOTDIR") {
						// no package.json or path is not a directory
						this.fs.readdir(path, (err, elements) => {
							if (
								!err &&
								/** @type {string[]} */ (elements).length === 1 &&
								/** @type {string[]} */ (elements)[0] === "node_modules"
							) {
								// This is only a grouping folder e.g. used by yarn
								// we are only interested in existence of this special directory
								this._managedItems.set(path, "*nested");
								return callback(null, "*nested");
							}
							/** @type {Logger} */
							(this.logger).warn(
								`Managed item ${path} isn't a directory or doesn't contain a package.json (see snapshot.managedPaths option)`
							);
							return callback();
						});
						return;
					}
					return callback(/** @type {WebpackError} */ (err));
				}
				/** @type {JsonObject} */
				let data;
				try {
					data = JSON.parse(/** @type {Buffer} */ (content).toString("utf8"));
				} catch (parseErr) {
					return callback(/** @type {WebpackError} */ (parseErr));
				}
				if (!data.name) {
					/** @type {Logger} */
					(this.logger).warn(
						`${packageJsonPath} doesn't contain a "name" property (see snapshot.managedPaths option)`
					);
					return callback();
				}
				const info = `${data.name || ""}@${data.version || ""}`;
				this._managedItems.set(path, info);
				callback(null, info);
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7305a87f3c6b6130 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:8
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85827f32302b3c12 Filesystem access.
pkgs/npm/[email protected]/lib/config/defaults.js:1477
			const packageInfo = JSON.parse(fs.readFileSync(pkgPath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f663d1c66927690 Environment-variable access.
pkgs/npm/[email protected]/lib/config/defaults.js:2450
		(infrastructureLogging.stream).isTTY && process.env.TERM !== "dumb";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae2eb804d89e5f67 Filesystem access.
pkgs/npm/[email protected]/lib/dll/DllReferencePlugin.js:73
					(compiler.inputFileSystem).readFile(manifest, (err, result) => {
						if (err) return callback(err);
						/** @type {CompilationDataItem} */
						const data = {
							path: manifest,
							data: undefined,
							error: undefined
						};
						// Catch errors parsing the manifest so that blank
						// or malformed manifest files don't kill the process.
						try {
							data.data =
								/** @type {DllReferencePluginOptionsManifest} */
								(
									/** @type {unknown} */
									(parseJson(/** @type {Buffer} */ (result).toString("utf8")))
								);
						} catch (parseErr) {
							// Store the error in the params so that it can
							// be added as a compilation error later on.
							const manifestPath = makePathsRelative(
								compiler.context,
								manifest,
								compiler.root
							);
							data.error = new DllManifestError(
								manifestPath,
								/** @type {Error} */ (parseErr).message
							);
						}
						compilationData.set(params, data);
						return callback();
					});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cc005d27bb8c7d3 Filesystem access.
pkgs/npm/[email protected]/lib/dll/LibManifestPlugin.js:137
								intermediateFileSystem.writeFile(targetPath, buffer, callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #721a08c25a674871 Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:63
				fs.readFile(this.options.path, (err, buffer) => {
					if (err) {
						if (err.code !== "ENOENT") {
							return callback(err);
						}
						return callback();
					}
					/** @type {JSONContent} */
					const json = JSON.parse(/** @type {Buffer} */ (buffer).toString());
					/** @type {Map<string, string | number | null>} */
					data = new Map();
					for (const key of Object.keys(json)) {
						data.set(key, json[key]);
					}
					dataChanged = false;
					return callback();
				});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78286fe88ac6f441 Filesystem access.
pkgs/npm/[email protected]/lib/ids/SyncModuleIdsPlugin.js:94
				fs.writeFile(this.options.path, JSON.stringify(json), callback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #822cae4445beaa77 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/FileUriPlugin.js:43
						loaderContext.fs.readFile(resourcePath, (err, result) => {
							if (err) return callback(err);
							loaderContext.addDependency(resourcePath);
							callback(null, result);
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e8c4ed8db7ef68c Environment-variable access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:496
			this.options.proxy || process.env.http_proxy || process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2aeb7e2639a0476 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:589
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									compilation.missingDependencies.add(lockfileLocation);
									return callback(err);
								}
								compilation.fileDependencies.add(lockfileLocation);
								compilation.fileSystemInfo.createSnapshot(
									compiler.fsStartTime,
									buffer ? [lockfileLocation] : [],
									[],
									buffer ? [] : [lockfileLocation],
									{ timestamp: true },
									(err, s) => {
										if (err) return callback(err);
										const lockfile = buffer
											? Lockfile.parse(buffer.toString("utf8"))
											: new Lockfile();
										lockfileCache = {
											lockfile,
											snapshot: /** @type {Snapshot} */ (s)
										};
										callback(null, lockfile);
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #107750176caf7bbe Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:693
							intermediateFs.writeFile(filePath, result.content, (err) => {
								if (err) return callback(err);
								callback(null, result);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd65522028d7d406 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1202
									fs.readFile(filePath, (err, result) => {
										if (err) {
											if (err.code === "ENOENT") return doFetch();
											return callback(err);
										}
										const content = /** @type {Buffer} */ (result);
										/**
										 * Continue with cached content.
										 * @param {Buffer | undefined} _result result
										 * @returns {void}
										 */
										const continueWithCachedContent = (_result) => {
											if (!upgrade) {
												// When not in upgrade mode, we accept the result from the lockfile cache
												return callback(null, { entry, content });
											}
											return doFetch(content);
										};
										if (!verifyIntegrity(content, entry.integrity)) {
											/** @type {Buffer | undefined} */
											let contentWithChangedEol;
											let isEolChanged = false;
											try {
												contentWithChangedEol = Buffer.from(
													content.toString("utf8").replace(/\r\n/g, "\n")
												);
												isEolChanged = verifyIntegrity(
													contentWithChangedEol,
													entry.integrity
												);
											} catch (_err) {
												// ignore
											}
											if (isEolChanged) {
												if (!warnedAboutEol) {
													const explainer = `Incorrect end of line sequence was detected in the lockfile cache.
The lockfile cache is protected by integrity checks, so any external modification will lead to a corrupted lockfile cache.
When using git make sure to configure .gitattributes correctly for the lockfile cache:
  **/*webpack.lock.data/** -text
This will avoid that the end of line sequence is changed by git on Windows.`;
													if (frozen) {
														logger.error(explainer);
													} else {
														logger.warn(explainer);
														logger.info(
															"Lockfile cache will be automatically fixed now, but when lockfile is frozen this would result in an error."
														);
													}
													warnedAboutEol = true;
												}
												if (!frozen) {
													// "fix" the end of line sequence of the lockfile content
													logger.log(
														`${filePath} fixed end of line sequence (\\r\\n instead of \\n).`
													);
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);
													return;
												}
											}
											if (frozen) {
												return callback(
													new Error(
														`${
															entry.resolved
														} integrity mismatch, expected content with integrity ${
															entry.integrity
														} but got ${computeIntegrity(content)}.
Lockfile corrupted (${
															isEolChanged
																? "end of line sequence was unexpectedly changed"
																: "incorrectly merged? changed by other tools?"
														}).
Run build with un-frozen lockfile to automatically fix lockfile.`
													)
												);
											}
											// "fix" the lockfile entry to the correct integrity
											// the content has priority over the integrity value
											entry = {
												...entry,
												integrity: computeIntegrity(content)
											};
											storeLockEntry(lockfile, url, entry);
										}
										continueWithCachedContent(result);
									});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f497836285f52bcc Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1257
													intermediateFs.writeFile(
														filePath,
														/** @type {Buffer} */
														(contentWithChangedEol),
														(err) => {
															if (err) return callback(err);
															continueWithCachedContent(
																/** @type {Buffer} */
																(contentWithChangedEol)
															);
														}
													);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62d26dcc41911a49 Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1410
							intermediateFs.readFile(lockfileLocation, (err, buffer) => {
								if (err && err.code !== "ENOENT") {
									writeDone();
									return callback(err);
								}
								const lockfile = buffer
									? Lockfile.parse(buffer.toString("utf8"))
									: new Lockfile();
								for (const [key, value] of /** @type {LockfileUpdates} */ (
									lockfileUpdates
								)) {
									lockfile.entries.set(key, value);
								}
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);
							});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5245b39efb0e7d2b Filesystem access.
pkgs/npm/[email protected]/lib/schemes/HttpUriPlugin.js:1423
								intermediateFs.writeFile(
									tempFile,
									lockfile.toString(),
									(err) => {
										if (err) {
											writeDone();
											return (
												/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
												(intermediateFs.unlink)(tempFile, () => callback(err))
											);
										}
										intermediateFs.rename(tempFile, lockfileLocation, (err) => {
											if (err) {
												writeDone();
												return (
													/** @type {NonNullable<IntermediateFileSystem["unlink"]>} */
													(intermediateFs.unlink)(tempFile, () => callback(err))
												);
											}
											writeDone();
											callback();
										});
									}
								);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20bfe980fdafb2d3 Filesystem access.
pkgs/npm/[email protected]/lib/util/fs.js:681
	fs.readFile(p, (err, buf) => {
		if (err) return callback(err);
		/** @type {JsonObject} */
		let data;
		try {
			data = JSON.parse(/** @type {Buffer} */ (buf).toString("utf8"));
		} catch (err1) {
			return callback(/** @type {Error} */ (err1));
		}
		return callback(null, data);
	});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

webpack-bundle-analyzer

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #f9b7110099b05be6 Filesystem access.
pkgs/npm/[email protected]/lib/parseUtils.js:253
  const content = fs.readFileSync(bundlePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d326bd7919d906d Filesystem access.
pkgs/npm/[email protected]/lib/template.js:36
  return fs.readFileSync(assetPath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #614aeb16ec128e1a Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:71
  return `${process.env.npm_package_name || "Webpack Bundle Analyzer"} [${currentTime}]`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a93e3af91be006eb Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:266
  fs.writeFileSync(reportFilepath, reportHtml);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c4572cd5a76a00a Filesystem access.
pkgs/npm/[email protected]/lib/viewer.js:304
  await fs.promises.writeFile(reportFilename, JSON.stringify(chartData));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @vue/compiler-sfc prod — dist-only: no readable source
  • css-loader prod — dist-only: no readable source
  • esbuild-loader prod — dist-only: no readable source
  • exsolve prod — dist-only: no readable source
  • file-loader prod — dist-only: no readable source
  • knitwork prod — dist-only: no readable source
  • mlly prod — dist-only: no readable source
  • ohash prod — dist-only: no readable source
  • postcss-loader prod — dist-only: no readable source
  • unplugin prod — dist-only: no readable source
  • url-loader prod — dist-only: no readable source
  • vue-loader prod — dist-only: no readable source
  • webpackbar prod — dist-only: no readable source
  • @vitejs/plugin-vue prod — dist-only: no readable source
  • pkg-types prod — dist-only: no readable source
  • vite-node prod — dist-only: no readable source
  • vite-plugin-checker prod — dist-only: no readable source
  • @dxup/nuxt prod — dist-only: no readable source
  • @nuxt/nitro-server prod — dist-only: no readable source
  • cookie-es prod — dist-only: no readable source
  • @nuxt/vite-builder prod — dist-only: no readable source
  • errx prod — dist-only: no readable source
  • impound prod — dist-only: no readable source
  • nanotar prod — dist-only: no readable source
  • oxc-walker prod — dist-only: no readable source
  • perfect-debounce prod — dist-only: no readable source
  • uncrypto prod — dist-only: no readable source
  • unrouting prod — dist-only: no readable source
  • lru-cache prod — dist-only: no readable source
  • vue-devtools-stub prod — dist-only: no readable source
  • nypm prod — dist-only: no readable source
  • rc9 prod — dist-only: no readable source
  • hook-augmenting-module prod — no javascript source

Development

  • @arethetypeswrong/cli dev — dist-only: no readable source
  • @codspeed/core dev — dist-only: no readable source
  • @eslint/markdown dev — dist-only: no readable source
  • @codspeed/vitest-plugin dev — dist-only: no readable source
  • @nuxt/eslint-config dev — dist-only: no readable source
  • @nuxt/kit dev — dist-only: no readable source
  • @typescript-eslint/parser dev — dist-only: no readable source
  • @vitest/coverage-v8 dev — dist-only: no readable source
  • @vue/test-utils dev — dist-only: no readable source
  • acorn dev — dist-only: no readable source
  • changelogen dev — dist-only: no readable source
  • eslint-plugin-perfectionist dev — dist-only: no readable source
  • eslint-typegen dev — dist-only: no readable source
  • get-port-please dev — dist-only: no readable source
  • magic-string dev — dist-only: no readable source
  • ofetch dev — dist-only: no readable source
  • rolldown-string dev — dist-only: no readable source
  • rollup dev — dist-only: no readable source
  • std-env dev — dist-only: no readable source
  • tinyexec dev — dist-only: no readable source
  • tinyglobby dev — dist-only: no readable source
  • ufo dev — dist-only: no readable source
  • h3-next dev — no resolvable version
  • @vitejs/plugin-vue-jsx dev — dist-only: no readable source
  • rollup-plugin-visualizer dev — dist-only: no readable source
  • @nuxt/ui-templates dev — dist-only: no readable source
  • c12 dev — dist-only: no readable source
  • compatx dev — dist-only: no readable source
  • hookable dev — dist-only: no readable source
  • scule dev — dist-only: no readable source
  • unctx dev — dist-only: no readable source
  • unimport dev — dist-only: no readable source
  • untyped dev — dist-only: no readable source
  • vue-sfc-transformer dev — dist-only: no readable source
  • @unocss/reset dev — no javascript source
  • beasties dev — dist-only: no readable source
  • htmlnano dev — dist-only: no readable source
  • unocss dev — dist-only: no readable source
  • @vue/devtools-api dev — dist-only: no readable source