Close Open Privacy Scan

link https://github.com/nestjs/nest

bolt Snapshot: commit 7c65045

science engine v1

schedule 2026-06-26T15:11:12.382038+00:00

App Privacy Score

42 /100

High privacy risk — possible application leak

High risk · 489 finding(s)

Dependency score: 12 (High risk)

bar_chart Score Breakdown

pii_flow −45

telemetry −10

env_fs −3

list Scan Summary

2 high 13 medium 474 low

First-party packages: 1

Dependency packages: 37

Ecosystem: npm

swap_horiz Potential data exfiltration in application code

External domains: studio.apollographql.com

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:30

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:34

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:39

hub Dependency data flows (7)

high nats tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/examples/nats-req.js:40 → pkgs/npm/[email protected]/examples/nats-req.js:79

high coveralls dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:9 → pkgs/npm/[email protected]/lib/sendToCoveralls.js:19

medium @apollo/server dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132 → pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:33

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:36

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:37

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:38

</> First-Party Code

first-party (npm)

npm first-party

medium pii_flow production #d1544dc93b646318 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:30 · flow /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:30

      console.log(`[rabbitmq] Ready at ${url}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #243215a53bcfc5fb — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:34 · flow /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:34

      console.log(`[rabbitmq] Waiting for ${url}...`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #3f4758068a99e304 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:39 · flow /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-xzcxtzs9/repo/scripts/wait-for-rabbitmq.js:39

  console.error(
    `[rabbitmq] Timed out waiting for ${url} after ${timeoutMs}ms.`,
  );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #f059e5d076fa6173 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

repo/tools/benchmarks/src/autocannon/run.ts:30

      autocannon.track(instance);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 36 low-confidence finding(s)

low env_fs production #085b7b6a2eece956 — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73cfb20466bdc3f2 — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:34

    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'pre-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ffe8d5f8dc945a7 — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:62

    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'post-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d5c40cf874e1d83 — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:5

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd4d898b0119a1c2 — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:19

    key = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/privkey.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ab58d4fa9840aed — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:22

    cert = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/ca.cert.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f89bf59b62fc5cdc — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.controller.ts:19

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45a39b1f142c11d6 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.controller.ts:36

          fs
            .readFileSync(path.join(__dirname, 'ca.cert.pem'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14b85ddfff14b21a — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.module.ts:12

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3271c79145d0df4 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.module.ts:15

const caCert = fs.readFileSync(path.join(__dirname, 'ca.cert.pem')).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5d492d76af62d34 — Filesystem access.

repo/integration/send-files/e2e/express.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #191cea387738de17 — Filesystem access.

repo/integration/send-files/e2e/express.spec.ts:17

const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d9f369f1f1e3415 — Filesystem access.

repo/integration/send-files/e2e/fastify.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6aa785d0d1f966c4 — Filesystem access.

repo/integration/send-files/e2e/fastify.spec.ts:11

const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efc343c17922ef70 — Filesystem access.

repo/integration/send-files/src/app.service.ts:3

import { createReadStream, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4db648cc6c74b6ab — Filesystem access.

repo/integration/send-files/src/app.service.ts:21

    return new StreamableFile(readFileSync(join(process.cwd(), 'Readme.md')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #040267806fe4a7b2 — Filesystem access.

repo/integration/send-files/src/app.service.ts:33

    const file = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c39cd11bc42d76a5 — Environment-variable access.

repo/packages/common/utils/cli-colors.util.ts:3

export const isColorAllowed = () => !process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c956de009eaccd89 — Environment-variable access.

repo/packages/core/injector/injector.ts:1288

    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc6390fb846a5840 — Environment-variable access.

repo/packages/core/injector/instance-wrapper.ts:566

    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f95469afa3ee359d — Filesystem access.

repo/packages/platform-fastify/interfaces/external/fastify-static-options.interface.ts:7

import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c490299c47516a43 — Filesystem access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:3

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #223fd26b7fa8529a — Environment-variable access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:13

    const filePath = `${process.env.NODE_ENV || 'development'}.env`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ff43d1122081598 — Filesystem access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:15

    this.envConfig = dotenv.parse(fs.readFileSync(envFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccfdf0a7495b1bbf — Environment-variable access.

repo/sample/26-queues/src/app.module.ts:10

        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62c3e38b9a6f65e2 — Environment-variable access.

repo/sample/26-queues/src/app.module.ts:11

        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e39886b4eea047c1 — Filesystem access.

repo/sample/28-sse/src/app.controller.ts:3

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f500dac21777f98c — Filesystem access.

repo/sample/28-sse/src/app.controller.ts:14

      .send(readFileSync(join(__dirname, 'index.html')).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6144a4a541d205fb — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:3

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b159da193e8380e — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:28

        file: readFileSync('./package.json').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #078fb5288e7a06c5 — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:42

        file: readFileSync('./resources/nestjs.jpg').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87bb5025fe1dd3b6 — Environment-variable access.

repo/sample/36-hmr-esm/src/main.ts:11

  await app.listen(process.env.PORT ?? 3000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc630a2ccc337516 — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:5

const url = process.env.RABBITMQ_URL || 'amqp://localhost:5672';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8e873bb880f1471 — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:12

  process.env.RABBITMQ_WAIT_TIMEOUT_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22015b0ab562f3e8 — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:16

  process.env.RABBITMQ_WAIT_INTERVAL_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d73957a826f6df0 — Filesystem access.

repo/tools/gulp/util/task-helpers.ts:1

import { readdirSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

coveralls

npm dependency

high pii_flow dependency Excluded from app score #bedda96f6f5021c7 — User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:19 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/[email protected]/lib/sendToCoveralls.js:9 → /tmp/closeopen-xzcxtzs9/pkgs/npm/[email protected]/lib/sendToCoveralls.js:19

    request.post({
      url,
      form: {
        json: str
      }
    }, (err, response, body) => {
      cb(err, response, body);
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 114 low-confidence finding(s)

low env_fs dependency Excluded from app score #c1f868def82dffad — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1f868def82dffad — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f26ca30426755e6f — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:33

  const source = fs.readFileSync(filepath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5585d3572823fdef — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5585d3572823fdef — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9042b3f5c27374f — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:26

  const head = fs.readFileSync(path.join(dir, '.git', 'HEAD'), 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d5e3416dd01dd82 — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:43

    return fs.readFileSync(ref, 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff7f1a883d5211e — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:49

  const packedRefsText = fs.readFileSync(packedRefs, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7db299d1e97150ab — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7db299d1e97150ab — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d34f0d9114b0fe50 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:13

  let git_commit = process.env.COVERALLS_GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #674e63f783a1399f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:14

  let git_branch = process.env.COVERALLS_GIT_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b058152b85f78a9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:19

  const match = (process.env.CI_PULL_REQUEST || '').match(/(\d+)$/);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #288e5e81e781d3dd — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:25

  if (process.env.TRAVIS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a7e79906ab73b66 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:27

    options.service_number = process.env.TRAVIS_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7842a272b6f0686a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:28

    options.service_job_id = process.env.TRAVIS_JOB_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d623c588a145d487 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:29

    options.service_pull_request = process.env.TRAVIS_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11d60e65873a3230 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:31

    git_branch = process.env.TRAVIS_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f05ebaa65c74192 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:34

  if (process.env.DRONE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #061eb4ffd48dc7e0 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:36

    options.service_job_id = process.env.DRONE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a03e01e2737d5b2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:37

    options.service_pull_request = process.env.DRONE_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be9f0cf472b33f8b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:38

    git_committer_name = process.env.DRONE_COMMIT_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf9955959312af35 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:39

    git_committer_email = process.env.DRONE_COMMIT_AUTHOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcc20e5ae1b24df6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:40

    git_commit = process.env.DRONE_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7937faeb3e78e58 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:41

    git_branch = process.env.DRONE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcaa3a23641fc3ff — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:42

    git_message = process.env.DRONE_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e577651a657f50d4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:45

  if (process.env.JENKINS_URL || process.env.JENKINS_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e577651a657f50d4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:45

  if (process.env.JENKINS_URL || process.env.JENKINS_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45dfc35169d882f2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:47

    options.service_job_id = process.env.BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d85f46cc7709c14 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:48

    options.service_pull_request = process.env.CHANGE_ID || process.env.ghprbPullId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d85f46cc7709c14 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:48

    options.service_pull_request = process.env.CHANGE_ID || process.env.ghprbPullId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8dfaa9afac9ce3f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:49

    git_committer_name = process.env.CHANGE_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca074525cbed7968 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:50

    git_committer_email = process.env.CHANGE_AUTHOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37da1b2602dbb1b4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:51

    git_commit = process.env.GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee123f919498f43c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee123f919498f43c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee123f919498f43c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3bfc648d7ec10c4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:55

  if (process.env.CIRCLECI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e322a302cd2c7b3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:57

    options.service_number = process.env.CIRCLE_WORKFLOW_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb5838765e5077b5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:58

    options.service_job_number = process.env.CIRCLE_BUILD_NUM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32714014bb66f09d — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:60

    if (process.env.CI_PULL_REQUEST) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60a9262203f9c796 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:61

      const pr = process.env.CI_PULL_REQUEST.split('/pull/');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a92036c1d1415bbb — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:65

    git_commit = process.env.CIRCLE_SHA1;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe881258a584a720 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:66

    git_branch = process.env.CIRCLE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #699dbfd9eadbcd46 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:69

  if (process.env.CI_NAME && process.env.CI_NAME === 'codeship') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #699dbfd9eadbcd46 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:69

  if (process.env.CI_NAME && process.env.CI_NAME === 'codeship') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f35e5c25a7a857f5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:71

    options.service_job_id = process.env.CI_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0da221ed5be2be0f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:72

    git_commit = process.env.CI_COMMIT_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #896476b1e235106a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:73

    git_branch = process.env.CI_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c83f6bd75a17cca — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:74

    git_committer_name = process.env.CI_COMMITTER_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f8a1c3b226887b8 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:75

    git_committer_email = process.env.CI_COMMITTER_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cad3fbc1977309aa — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:76

    git_message = process.env.CI_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cec38057726f9cf3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:79

  if (process.env.WERCKER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64622a233e57096a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:81

    options.service_job_id = process.env.WERCKER_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6867610ed8f3cd56 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:82

    git_commit = process.env.WERCKER_GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a9f8c1960d45130 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:83

    git_branch = process.env.WERCKER_GIT_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d0928218ddd53e5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:86

  if (process.env.GITLAB_CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6242be9bbf14342 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:88

    options.service_job_number = process.env.CI_BUILD_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4260b2e0f9039732 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:89

    options.service_job_id = process.env.CI_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #026b228fd5d94cd3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:90

    options.service_pull_request = process.env.CI_MERGE_REQUEST_IID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b05c26e26d66aab9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:91

    git_commit = process.env.CI_BUILD_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #623526403ecdadef — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:92

    git_branch = process.env.CI_BUILD_REF_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da86b00559ae346a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:95

  if (process.env.APPVEYOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfdef43fc2079e00 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:97

    options.service_job_number = process.env.APPVEYOR_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c89bb4743a1722ad — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:98

    options.service_job_id = process.env.APPVEYOR_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da7655d6992a453e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:99

    git_commit = process.env.APPVEYOR_REPO_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4e8abbe4b51fb66 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:100

    git_branch = process.env.APPVEYOR_REPO_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0ccf3e1db35497b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:103

  if (process.env.SURF_SHA1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37451a062be22a5a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:105

    git_commit = process.env.SURF_SHA1;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8db56813ffdd90a5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:106

    git_branch = process.env.SURF_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e4d3321f9281523 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:109

  if (process.env.BUILDKITE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7999e40fa80b8a31 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:111

    options.service_job_number = process.env.BUILDKITE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b01ee327e3ac9e9c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:112

    options.service_job_id = process.env.BUILDKITE_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd7d29a4f5b553d5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:113

    options.service_pull_request = process.env.BUILDKITE_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffc5fce29fc0b692 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:114

    git_commit = process.env.BUILDKITE_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7bfa0ecac1c0e74 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:115

    git_branch = process.env.BUILDKITE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18e762bce2e74015 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:116

    git_committer_name = process.env.BUILDKITE_BUILD_CREATOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #130576f76d59eb77 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:117

    git_committer_email = process.env.BUILDKITE_BUILD_CREATOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2bf7cda493aab0d — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:118

    git_message = process.env.BUILDKITE_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2810001e97e1271c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:121

  if (process.env.SEMAPHORE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14c840052df03aca — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:123

    options.service_job_id = process.env.SEMAPHORE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59236be1be89d7f3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:124

    git_commit = process.env.REVISION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75d8542099f69c5c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:125

    git_branch = process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e82f5635657a2b7c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:128

  if (process.env.TF_BUILD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81145262e967dbdb — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:130

    options.service_job_id = process.env.BUILD_BUILDID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bc48ec4f806aba2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:131

    options.service_pull_request = process.env.SYSTEM_PULLREQUEST_PULLREQUESTNUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee1e06aa35868657 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:132

    git_commit = process.env.BUILD_SOURCEVERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9b5e73c7c71a0fc — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:133

    git_branch = process.env.BUILD_SOURCEBRANCHNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb955ac39df8723e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:136

  if (process.env.CF_BRANCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d31b98194bb4da9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:138

    options.service_job_id = process.env.CF_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e68b916bc81e9923 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:139

    options.service_pull_request = process.env.CF_PULL_REQUEST_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce20900023b59e67 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:140

    git_commit = process.env.CF_REVISION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f66e513c74fe7933 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:141

    git_branch = process.env.CF_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37479b842dd8fcbd — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:142

    git_committer_name = process.env.CF_COMMIT_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #765db54c9b8c94e8 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:143

    git_message = process.env.CF_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f6a13dfcdfdaea6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:146

  options.run_at = process.env.COVERALLS_RUN_AT || JSON.stringify(new Date()).slice(1, -1);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c568d40e5c80dd54 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:148

  if (process.env.COVERALLS_SERVICE_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ba5f26ad2013bd6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:149

    options.service_number = process.env.COVERALLS_SERVICE_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8d07668883077ec — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:152

  if (process.env.COVERALLS_SERVICE_JOB_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b38ef1f35a2331b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:153

    options.service_job_number = process.env.COVERALLS_SERVICE_JOB_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbf1922ada56dd5e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:156

  if (process.env.COVERALLS_SERVICE_JOB_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abe2a4fb8884586f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:157

    options.service_job_id = process.env.COVERALLS_SERVICE_JOB_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60f7766a1c41e8df — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:168

  if (process.env.COVERALLS_PARALLEL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e275e5d8779c18c9 — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:177

        return yaml.safeLoad(fs.readFileSync(yml, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53e667fbcf67da2b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:196

  if (process.env.COVERALLS_REPO_TOKEN) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86dfc91dceab75e2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:197

    options.repo_token = process.env.COVERALLS_REPO_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15d8a56932733f29 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:206

  if (process.env.COVERALLS_SERVICE_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7baa7646ecbe9100 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:207

    options.service_name = process.env.COVERALLS_SERVICE_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #420cb24fe2a1cdcd — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:210

  if (process.env.COVERALLS_FLAG_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b960a97f0cfd8307 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:211

    options.flag_name = process.env.COVERALLS_FLAG_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ff9b2f845f9ad71 — Environment-variable access.

pkgs/npm/[email protected]/lib/logger.js:9

  if (index.options.verbose || process.env.NODE_COVERALLS_DEBUG === 1 || process.env.NODE_COVERALLS_DEBUG === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ff9b2f845f9ad71 — Environment-variable access.

pkgs/npm/[email protected]/lib/logger.js:9

  if (index.options.verbose || process.env.NODE_COVERALLS_DEBUG === 1 || process.env.NODE_COVERALLS_DEBUG === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84d3308bf522fe70 — Environment-variable access.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:8

  if (process.env.COVERALLS_ENDPOINT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e37acb68b2358f5 — Environment-variable access.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:9

    urlBase = process.env.COVERALLS_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nats

npm dependency

high pii_flow tooling Excluded from app score unknown #505fc25660e7c002 — User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/examples/nats-req.js:79 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/[email protected]/examples/nats-req.js:40 → /tmp/closeopen-xzcxtzs9/pkgs/npm/[email protected]/examples/nats-req.js:79

    await nc.request(
      subject,
      sc.encode(payload),
      { timeout: argv.t, headers: hdrs },
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 15 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #b98edc280d482db1 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b98edc280d482db1 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #388fcd330f978357 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:38

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e8ee68abef5bfaaf — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e8ee68abef5bfaaf — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #39b24ea0e81bc26c — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:34

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dd0f0c8bdf3067eb — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dd0f0c8bdf3067eb — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f1dd731f248fe950 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:40

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #87c8372ea8b9b20d — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #87c8372ea8b9b20d — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #feb41350c034fab1 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:32

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc75de6b799597f0 — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:46

const { readFile, existsSync } = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc75de6b799597f0 — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:46

const { readFile, existsSync } = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c0e8bf6cd5dbf80 — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:174

            readFile(fn, (err, data) => {
                if (err) {
                    return d.reject(err);
                }
                d.resolve(data);
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@fastify/static

npm dependency

medium pii_flow dependency Excluded from app score #2cdbae3d21cc176f — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:33 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:33

  console.log(`benchmark server listening on http://127.0.0.1:${port}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #b2aabe49955e1407 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:36 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:36

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/static/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #3c8d347efc4df3c0 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:37 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:37

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/app/1.2.3/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #2de4080c906c1ca0 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:38 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/example/server-benchmark.js:38

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/nested/public/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #401676506d733a9a — Environment-variable access.

pkgs/npm/@[email protected]/example/server-benchmark.js:5

const fastifyStatic = require(process.env.PLUGIN_PATH || '../')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c2a4accbef463ca — Environment-variable access.

pkgs/npm/@[email protected]/example/server-benchmark.js:8

const port = Number(process.env.PORT || 3000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

graphql

npm dependency

medium telemetry dependency Excluded from app score #f2042187fa05ff3b — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.js:284

                        info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #b78bc66f5539654f — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.js:293

            info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #97307f627dfb6621 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.mjs:268

                        info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #764e87f40ae2f99e — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.mjs:277

            info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

@apollo/server

npm dependency

medium pii_flow dependency Excluded from app score #ce3dd63f19621b78 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184 · flow /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132 → /tmp/closeopen-xzcxtzs9/pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184

          logger.info(
            'Apollo schema reporting: reporting a new schema to Studio! See your graph at ' +
              `https://studio.apollographql.com/graph/${encodeURI(
                graphRef,
              )}/ with server info ${JSON.stringify(schemaReport)}`,
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)

low env_fs dependency Excluded from app score #adc4b3385eda8ed5 — Environment-variable access.

pkgs/npm/@[email protected]/src/ApolloServer.ts:218

    const nodeEnv = config.nodeEnv ?? process.env.NODE_ENV ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c426e255af50e3e9 — Environment-variable access.

pkgs/npm/@[email protected]/src/ApolloServer.ts:974

      const enabledViaEnvVar = process.env.APOLLO_SCHEMA_REPORTING === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #633d2e447c77b732 — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132

        platform: process.env.APOLLO_SERVER_PLATFORM || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b53b8ce4b07202ff — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:136

        userVersion: process.env.APOLLO_SERVER_USER_VERSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85874cd779ee5e7e — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:139

          process.env.APOLLO_SERVER_ID || process.env.HOSTNAME || os.hostname(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85874cd779ee5e7e — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:139

          process.env.APOLLO_SERVER_ID || process.env.HOSTNAME || os.hostname(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29bbfe083b1fff62 — Environment-variable access.

pkgs/npm/@[email protected]/src/standalone/index.ts:76

        if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@commitlint/cli

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #4732ad7f67297d8c — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:357

        return process.env[flags.env];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #465798a582330584 — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:379

            return process.env.GIT_PARAMS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #099af6f6c4501208 — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:382

            return process.env.HUSKY_GIT_PARAMS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@eslint/eslintrc

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #942c10d3cd777726 — Filesystem access.

pkgs/npm/@[email protected]/lib/config-array-factory.js:154

    return fs.readFileSync(filePath, "utf8").replace(/^\ufeff/u, "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@fastify/view

npm dependency

expand_more 4 low-confidence finding(s)

low env_fs dependency Excluded from app score #e25e8bbab3b8ac81 — Environment-variable access.

pkgs/npm/@[email protected]/benchmark/express.js:3

process.env.NODE_ENV = 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a6d80c03962c7a6 — Environment-variable access.

pkgs/npm/@[email protected]/benchmark/setup.js:3

process.env.NODE_ENV = 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daf8970cb70d3309 — Environment-variable access.

pkgs/npm/@[email protected]/index.js:41

  const prod = typeof opts.production === 'boolean' ? opts.production : process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e89f54f60173a614 — Filesystem access.

pkgs/npm/@[email protected]/index.js:52

      const promise = readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@grpc/grpc-js

npm dependency

expand_more 19 low-confidence finding(s)

low env_fs dependency Excluded from app score #d56f9fbe0daba4c7 — Filesystem access.

pkgs/npm/@[email protected]/src/certificate-provider.ts:18

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f36d4207e702a5fe — Environment-variable access.

pkgs/npm/@[email protected]/src/environment.ts:19

  (process.env.GRPC_NODE_USE_ALTERNATIVE_RESOLVER ?? 'false') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09bde0a260bd290c — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:51

  if (process.env.grpc_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a118e4fb273cf42 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:53

    proxyEnv = process.env.grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1548e721112e8358 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:54

  } else if (process.env.https_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #516d1f6d59e73db3 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:56

    proxyEnv = process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c28aed721787042b — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:57

  } else if (process.env.http_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b897871d3ee79a5a — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:59

    proxyEnv = process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #861d9d4801a4c5df — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:108

  let noProxyStr: string | undefined = process.env.no_grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3352f4b20f4cfa4c — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:111

    noProxyStr = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2634feabd6fb281 — Environment-variable access.

pkgs/npm/@[email protected]/src/load-balancer-outlier-detection.ts:57

  (process.env.GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION ?? 'true') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33ee8ba7a1c392e3 — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:39

  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33ee8ba7a1c392e3 — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:39

  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d590eb9689b0b191 — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:97

  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d590eb9689b0b191 — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:97

  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c998f29ccb5a89a3 — Filesystem access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:18

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24b51c4f59626848 — Environment-variable access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:21

  process.env.GRPC_SSL_CIPHER_SUITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b54f757ea7495e57 — Environment-variable access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:23

const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57b20b3d97743333 — Filesystem access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:30

      defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/gulp

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #e8626bfdc135a570 — Filesystem access.

pkgs/npm/@[email protected]/index.d.ts:2

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

amqplib

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #650dab3b2b6f7564 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:38

  cert: fs.readFileSync('../etc/client/cert.pem'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b7c191a37762c4f1 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:39

  key: fs.readFileSync('../etc/client/key.pem'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #033842e0ed22f4c8 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:43

  ca: [fs.readFileSync('../etc/testca/cacert.pem')],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chai

npm dependency

expand_more 8 low-confidence finding(s)

low env_fs dependency Excluded from app score #eadabe559aad796b — Environment-variable access.

pkgs/npm/[email protected]/karma.conf.js:26

  switch (process.env.CHAI_TEST_ENV) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d4a0b8100e74f3 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:11

    auth.SAUCE_USERNAME = process.env.SAUCE_USERNAME || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61080168b54df540 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:12

    auth.SAUCE_ACCESS_KEY = process.env.SAUCE_ACCESS_KEY || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a648ed8c5d04ce0 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:16

  if (process.env.SKIP_SAUCE) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #117276448eaccdc8 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:18

  var branch = process.env.TRAVIS_BRANCH || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94cec4ec6ea48269 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:22

  var tunnel = process.env.TRAVIS_JOB_NUMBER || ts;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8c1b22115e54699 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:24

  if (process.env.TRAVIS_JOB_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4146692c2701b842 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:25

    tags.push('travis@' + process.env.TRAVIS_JOB_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

delete-empty

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #f05c51a478a63cc8 — Filesystem access.

pkgs/npm/[email protected]/index.js:9

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f05c51a478a63cc8 — Filesystem access.

pkgs/npm/[email protected]/index.js:9

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency

expand_more 13 low-confidence finding(s)

low env_fs dependency Excluded from app score #95821902ac4ebaac — Filesystem access.

pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129

			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c99c41676639d25 — Filesystem access.

pkgs/npm/[email protected]/lib/cli.js:133

			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #669c28fa2130b9a5 — Filesystem access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281

		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a659b2c42435fd37 — Environment-variable access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326

	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fddd486317f32ef — Environment-variable access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330

	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a55e3d30c00e3b58 — Filesystem access.

pkgs/npm/[email protected]/lib/eslint/eslint.js:802

					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4788a17dc9c7e13a — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:44

const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #717edc1b6e06de3c — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:56

	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd999c64846ca126 — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:60

	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d982571d679ed9f — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:64

	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6576fb242313493 — Filesystem access.

pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697

				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff0ac87a7abeabdf — Filesystem access.

pkgs/npm/[email protected]/lib/services/suppressions-service.js:217

			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f80b366b1c643bc7 — Filesystem access.

pkgs/npm/[email protected]/lib/services/suppressions-service.js:240

		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-config-prettier

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #f75cbe220857e25f — Environment-variable access.

pkgs/npm/[email protected]/bin/cli.js:45

      switch (process.env.ESLINT_USE_FLAT_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #361c176abe0c3009 — Environment-variable access.

pkgs/npm/[email protected]/index.js:3

const includeDeprecated = !process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #e8fa1352fb52e13d — Environment-variable access.

pkgs/npm/[email protected]/lib/application.js:91

  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fastify

npm dependency

expand_more 6 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #4a3e6c060c066623 — Filesystem access.

pkgs/npm/[email protected]/examples/http2.js:8

    key: fs.readFileSync(path.join(__dirname, '../test/https/fastify.key')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e8aebe058ebd6492 — Filesystem access.

pkgs/npm/[email protected]/examples/http2.js:9

    cert: fs.readFileSync(path.join(__dirname, '../test/https/fastify.cert'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #21c61f717376f2d2 — Filesystem access.

pkgs/npm/[email protected]/examples/https.js:7

    key: fs.readFileSync(path.join(__dirname, '../test/https/fastify.key')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c4155df66734972a — Filesystem access.

pkgs/npm/[email protected]/examples/https.js:8

    cert: fs.readFileSync(path.join(__dirname, '../test/https/fastify.cert'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5ac16abf31b109dc — Environment-variable access.

pkgs/npm/[email protected]/scripts/validate-ecosystem-links.js:23

  return process.env.GITHUB_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #97b6ae6c4b919397 — Filesystem access.

pkgs/npm/[email protected]/scripts/validate-ecosystem-links.js:99

  const content = fs.readFileSync(ECOSYSTEM_FILE, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-clean

npm dependency

expand_more 5 low-confidence finding(s)

low env_fs dependency Excluded from app score #e4cbc7ffaf9b99f6 — Filesystem access.

pkgs/npm/[email protected]/test.js:3

var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4cbc7ffaf9b99f6 — Filesystem access.

pkgs/npm/[email protected]/test.js:3

var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cacb393826a84c97 — Filesystem access.

pkgs/npm/[email protected]/test.js:24

          fs.writeFile('tmp/tree/leaf/node/leaf.js', 'console.log("leaf")', function () {
            fs.mkdir('tmp/tree/leftleaf', function () {
              fs.writeFile('tmp/tree/leftleaf/leaf1.js', 'console.log("leaf")', function () {
                callback();
              });
            });
          });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86f4962d8a33415d — Filesystem access.

pkgs/npm/[email protected]/test.js:26

              fs.writeFile('tmp/tree/leftleaf/leaf1.js', 'console.log("leaf")', function () {
                callback();
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27fa99f07b039248 — Filesystem access.

pkgs/npm/[email protected]/test.js:39

    fs.writeFile('tmp/test.js', content, function () {
      stream.on('data', noop);
      stream.on('end', function () {
        fs.exists('tmp/test.js', function (exists) {
          expect(exists).to.be.false;
          done();
        });
      });

      stream.write(new utils.File({
        cwd: cwd,
        base: cwd + '/tmp/',
        path: cwd + '/tmp/test.js',
        contents: new Buffer(content)
      }));

      stream.end();
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-sourcemaps

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #07cfa4ce8054d405 — Filesystem access.

pkgs/npm/[email protected]/src/init/index.internals.js:65

              sourceContent = stripBom(fs.readFileSync(absPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #613e36491d909b60 — Filesystem access.

pkgs/npm/[email protected]/src/init/index.internals.js:120

      sources.map = JSON.parse(stripBom(fs.readFileSync(mapFile, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81fd0b137c980069 — Filesystem access.

pkgs/npm/[email protected]/src/write/index.internals.js:82

            sourceMap.sourcesContent[i] = stripBom(fs.readFileSync(sourcePath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-typescript

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #a33191cd5d677403 — Filesystem access.

pkgs/npm/[email protected]/release/host.js:20

            return this.fallback.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

husky

npm dependency

expand_more 9 low-confidence finding(s)

low env_fs dependency Excluded from app score #e26ecb2431f6359a — Filesystem access.

pkgs/npm/[email protected]/bin.js:2

import f, { writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b581502a0b02d3f — Filesystem access.

pkgs/npm/[email protected]/bin.js:12

	s = f.readFileSync(n)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa0efd960001d4f7 — Filesystem access.

pkgs/npm/[email protected]/bin.js:15

	w(n, JSON.stringify(o, 0, /\t/.test(s) ? '\t' : 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f14343a67382695d — Filesystem access.

pkgs/npm/[email protected]/bin.js:18

	w('.husky/pre-commit', (p.env.npm_config_user_agent?.split('/')[0] ?? 'npm') + ' test\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #718ce74f800154d7 — Filesystem access.

pkgs/npm/[email protected]/index.js:2

import f, { readdir, writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccebe2a2e812bd1f — Environment-variable access.

pkgs/npm/[email protected]/index.js:9

	if (process.env.HUSKY === '0') return 'HUSKY=0 skip install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9e15df9fe677d72 — Filesystem access.

pkgs/npm/[email protected]/index.js:20

	w(_('.gitignore'), '*')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f32ad10218c4721 — Filesystem access.

pkgs/npm/[email protected]/index.js:22

	l.forEach(h => w(_(h), `#!/usr/bin/env sh\n. "\$(dirname "\$0")/h"`, { mode: 0o755 }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #586ffb0446e6393e — Filesystem access.

pkgs/npm/[email protected]/index.js:23

	w(_('husky.sh'), msg)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ioredis

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #452c365623ad1599 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:4

const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #452c365623ad1599 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:4

const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c18b11be835743e8 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:362

        const data = await fs_1.promises.readFile(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

kafkajs

npm dependency

expand_more 5 low-confidence finding(s)

low env_fs dependency Excluded from app score #7f53722af779cbd8 — Environment-variable access.

pkgs/npm/[email protected]/src/env.js:2

  KAFKAJS_DEBUG_PROTOCOL_BUFFERS: process.env.KAFKAJS_DEBUG_PROTOCOL_BUFFERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cea4969f4d1f241 — Environment-variable access.

pkgs/npm/[email protected]/src/env.js:3

  KAFKAJS_DEBUG_EXTENDED_PROTOCOL_BUFFERS: process.env.KAFKAJS_DEBUG_EXTENDED_PROTOCOL_BUFFERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d113039f2a8e54b0 — Environment-variable access.

pkgs/npm/[email protected]/src/index.js:26

  if (process.env.KAFKAJS_NO_PARTITIONER_WARNING == null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd6b276457738c3 — Environment-variable access.

pkgs/npm/[email protected]/src/loggers/index.js:32

  const envLogLevel = (process.env.KAFKAJS_LOG_LEVEL || '').toUpperCase()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96bf4abaecc25818 — Environment-variable access.

pkgs/npm/[email protected]/src/retry/index.js:3

const isTestMode = process.env.NODE_ENV === 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lerna-changelog

npm dependency

expand_more 8 low-confidence finding(s)

low env_fs dependency Excluded from app score #a3525c7d530351f3 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:4

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3525c7d530351f3 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:4

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d07c627e6316df9 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:66

        return JSON.parse(fs.readFileSync(lernaPath)).changelog;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b10f14cfd940e4dc — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:72

        return JSON.parse(fs.readFileSync(pkgPath)).changelog;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65d0ceb4613d7765 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:80

    const pkg = JSON.parse(fs.readFileSync(pkgPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1aa1aaf47bc46ab — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:89

    const pkg = fs.existsSync(pkgPath) ? JSON.parse(fs.readFileSync(pkgPath)) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07feafa666c3f766 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:90

    const lerna = fs.existsSync(lernaPath) ? JSON.parse(fs.readFileSync(lernaPath)) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81cfc6e29c03c532 — Environment-variable access.

pkgs/npm/[email protected]/lib/github-api.js:52

        return process.env.GITHUB_AUTH || "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lint-staged

npm dependency

expand_more 20 low-confidence finding(s)

low env_fs dependency Excluded from app score #321eb53bc71b17f4 — Filesystem access.

pkgs/npm/[email protected]/lib/cli.js:205

  const packageJsonFile = await readFile(path.join(dirname, '../package.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b27333ba21e5334c — Filesystem access.

pkgs/npm/[email protected]/lib/file.js:16

    return await fs.readFile(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df3e17b6f5c983ff — Filesystem access.

pkgs/npm/[email protected]/lib/file.js:52

  await fs.writeFile(filename, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a4b74716fb0a0dc — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:145

      readFile(this.mergeHeadFilename).then((buffer) => (this.mergeHeadBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4da468d536e38f1 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:146

      readFile(this.mergeModeFilename).then((buffer) => (this.mergeModeBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9eaae9421de30a44 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:147

      readFile(this.mergeMsgFilename).then((buffer) => (this.mergeMsgBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9984593e41f5754 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:159

        this.mergeHeadBuffer && writeFile(this.mergeHeadFilename, this.mergeHeadBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fb48ef3954f1830 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:160

        this.mergeModeBuffer && writeFile(this.mergeModeFilename, this.mergeModeBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f18f57ff87c80c0 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:161

        this.mergeMsgBuffer && writeFile(this.mergeMsgFilename, this.mergeMsgBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ab6e9d946cb2b8a — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:311

    const activeIndexFile = process.env.GIT_INDEX_FILE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b135cf3fb3cace09 — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:312

      ? normalizePath(process.env.GIT_INDEX_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1839085e6034fcc2 — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:313

      : process.env.GIT_INDEX_FILE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa03fd15b1b9b717 — Environment-variable access.

pkgs/npm/[email protected]/lib/index.js:150

  debugLog('Unset GIT_LITERAL_PATHSPECS (was `%s`)', process.env.GIT_LITERAL_PATHSPECS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f03ed6d1e4fe2da0 — Environment-variable access.

pkgs/npm/[email protected]/lib/index.js:151

  delete process.env.GIT_LITERAL_PATHSPECS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25b34afaf2f05952 — Filesystem access.

pkgs/npm/[email protected]/lib/loadConfig.js:14

const readFile = async (filename) => fs.readFile(path.resolve(filename), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #548fc2ef786ef7ac — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:42

    debugLog('Unset GIT_DIR (was `%s`)', process.env.GIT_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bbb48e1e5830085 — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:43

    delete process.env.GIT_DIR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a2606eb645158d7 — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:44

    debugLog('Unset GIT_WORK_TREE (was `%s`)', process.env.GIT_WORK_TREE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1548bfc011ed81ac — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:45

    delete process.env.GIT_WORK_TREE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b127afe237bdbf1 — Filesystem access.

pkgs/npm/[email protected]/lib/version.js:4

  const packageJson = JSON.parse(await fs.readFile(new URL('../package.json', import.meta.url)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency

expand_more 13 low-confidence finding(s)

low env_fs dependency Excluded from app score #102a5de5405be58c — Filesystem access.

pkgs/npm/[email protected]/lib/cli/config.js:39

    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d48c0d74e56868d — Filesystem access.

pkgs/npm/[email protected]/lib/cli/config.js:55

      require("strip-json-comments")(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a992592ac6985c49 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:27

  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3083d9c538a81df — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:28

  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6512e0fc469ea613 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:29

  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ce78ca0b7e118e9 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:32

  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34ec7352d77c5726 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:33

  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fcc350016549a54 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:34

  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbdce35f4d1ca66a — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:35

  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7686aefc83916cda — Filesystem access.

pkgs/npm/[email protected]/lib/cli/options.js:240

      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78f6ac1409b876c8 — Environment-variable access.

pkgs/npm/[email protected]/lib/cli/options.js:302

  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0dcec4b109e01fe6 — Environment-variable access.

pkgs/npm/[email protected]/lib/reporters/base.js:58

  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b4c5897a58e1583 — Filesystem access.

pkgs/npm/[email protected]/lib/reporters/json.js:90

        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongoose

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #36e88894d3a370c0 — Environment-variable access.

pkgs/npm/[email protected]/lib/helpers/printJestWarning.js:5

if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #519efdb33f5b2aee — Filesystem access.

pkgs/npm/[email protected]/storage/disk.js:1

var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #519efdb33f5b2aee — Filesystem access.

pkgs/npm/[email protected]/storage/disk.js:1

var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #9ed53df2af7d8604 — Environment-variable access.

pkgs/npm/[email protected]/lib/packets/index.js:60

  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nyc

npm dependency

expand_more 31 low-confidence finding(s)

low env_fs dependency Excluded from app score #9faac9f8fa06ba18 — Filesystem access.

pkgs/npm/[email protected]/bin/nyc.js:10

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9faac9f8fa06ba18 — Filesystem access.

pkgs/npm/[email protected]/bin/nyc.js:10

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb0c704c61bbf7e — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:53

    env.BABEL_DISABLE_CACHE = process.env.BABEL_DISABLE_CACHE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7087142f0911a178 — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:81

    env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7087142f0911a178 — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:81

    env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #942e96721b64cf00 — Filesystem access.

pkgs/npm/[email protected]/index.js:190

        const source = await fs.readFile(filename, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b280258aa36dce92 — Filesystem access.

pkgs/npm/[email protected]/index.js:218

      const inCode = await fs.readFile(inFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72188803c5957c4b — Filesystem access.

pkgs/npm/[email protected]/index.js:226

        await fs.writeFile(outFile, outCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a738afa81404725 — Environment-variable access.

pkgs/npm/[email protected]/index.js:353

    if (!process.env.NYC_CWD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23f1cd3a1dcaea76 — Environment-variable access.

pkgs/npm/[email protected]/index.js:375

    process.env.NYC_PROCESS_ID = this.processInfo.uuid

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df836085feaddcb7 — Filesystem access.

pkgs/npm/[email protected]/index.js:409

    fs.writeFileSync(
      coverageFilename,
      JSON.stringify(coverage),
      'utf-8'
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f54b8724aa01416f — Filesystem access.

pkgs/npm/[email protected]/index.js:514

      const report = JSON.parse(await fs.readFile(path.resolve(baseDirectory, filename)), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #054486dde9953040 — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/check-coverage.js:19

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd73176a09405d7d — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/merge.js:33

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3fa7a5a0f8c94ac — Filesystem access.

pkgs/npm/[email protected]/lib/commands/merge.js:44

  await fs.writeFile(argv.outputFile, JSON.stringify(map), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07272e51b036d5bb — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/report.js:19

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba5f18c9fe1319b1 — Environment-variable access.

pkgs/npm/[email protected]/lib/config-util.js:12

  cwd = cwd || process.env.NYC_CWD || process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aea4f6d71a725ae — Filesystem access.

pkgs/npm/[email protected]/lib/fs-promises.js:3

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aea4f6d71a725ae — Filesystem access.

pkgs/npm/[email protected]/lib/fs-promises.js:3

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7ca08c23817dee0 — Environment-variable access.

pkgs/npm/[email protected]/lib/register-env.js:21

    envToCopy[env] = process.env[env]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6f958359b5928ff — Environment-variable access.

pkgs/npm/[email protected]/lib/register-env.js:26

  envToCopy[envName] = process.env[envName]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbf9f35db6c98fe8 — Filesystem access.

pkgs/npm/[email protected]/lib/source-maps.js:43

      fs.writeFileSync(mapPath, JSON.stringify(sourceMap))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a199e0f9fd2f8f6 — Filesystem access.

pkgs/npm/[email protected]/lib/source-maps.js:68

            this.loadedMaps[hash] = JSON.parse(await fs.readFile(mapPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fde06ed281c45fe — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:6

  process.env.NYC_CONFIG ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f66ba32c04f5bef — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:15

  parent: process.env.NYC_PROCESS_ID || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffeab7b1eb1f8f20 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:18

if (process.env.NYC_PROCESSINFO_EXTERNAL_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acf37f238277676b — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:19

  config._processInfo.externalId = process.env.NYC_PROCESSINFO_EXTERNAL_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f064126dacb37301 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:20

  delete process.env.NYC_PROCESSINFO_EXTERNAL_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfbed1ce8a2b6add — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:23

if (process.env.NYC_CONFIG_OVERRIDE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01902d1110e5145c — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:24

  Object.assign(config, JSON.parse(process.env.NYC_CONFIG_OVERRIDE))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97f8b257f007bc2d — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:25

  process.env.NYC_CONFIG = JSON.stringify(config)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency

expand_more 57 low-confidence finding(s)

low env_fs dependency Excluded from app score #44df4a07e19b7c68 — Environment-variable access.

pkgs/npm/[email protected]/bin/prettier.cjs:66

if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74c9d3123877cb51 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:10

import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99e432ab98036083 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:15

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6466a3f669b61435 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:371

  return dist_default.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44ecdb6b21994810 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:516

import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #329736233b1a8a50 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:526

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f45fe5fb837c7b0 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:878

    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72868f98ee839314 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1878

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb383cfbb4850e0e — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1955

          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e49ab828b326ae7a — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1961

          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a50eb0822079ec1 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:54

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #637800d62f7e9ee8 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:96

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97e47e25a733f170 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:107

      const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e439ed0b34c08bd5 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:116

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c298adc3a70c29eb — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:612

import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5ded1fd85ff39e9 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:627

              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d66a57ae4257e88 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:633

              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c6831912be26b58 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2515

import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #408695cd97074835 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2525

    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c6598be06d901aa — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2743

import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #189443df8c8f76f9 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:3607

import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fe69eb7d9ac37a8 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:4855

import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c166c793a12c753a — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5794

import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dc3329ca6205c38 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5820

          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25b0c96353ac30c8 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5835

          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73e00e0ccb7d0aa7 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5850

          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea12ca6808053f3f — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6238

import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8db47ece871aa6f8 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6252

        return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23bcac1546af2db0 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6582

import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8c46aa1a14f24a1 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6594

      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e3b8d6ab36dfccd — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10466

import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf04e6e983a181f0 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10488

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1a7f832dbaf6a59 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10493

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b79afc8c8e60d267 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10499

        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac9e84f54fa2ed7e — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10515

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #941198121c81cc08 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10521

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #659b3576b49aa509 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11366

import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77b5e3e84651e208 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11559

import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d5880481423892f — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11567

  return dist_default36.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4c8d23caad04a2c — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12330

import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23174e0c409e76a3 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12395

  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3b99ec93d867708 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12400

  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a28fbe105182f68 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1233

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61b9e9ba2049a552 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1554

import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e88cc7f446dfcc75 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1778

import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f280bee02c04e939 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1786

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #252a1dfe10f0e1ed — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1794

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c39409a794d25c28 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1888

    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3663149aece31b3 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1906

import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adfaaa619f889e18 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1910

import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75b9b06d4d4df01d — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1914

import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4deffdcad06266b9 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4302

      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81c04222eaf12d19 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4506

        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f7e91457553d7c8 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4894

        const buffer = fs6.readFileSync(absolutePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1910bcd7b4ab016 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5188

import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fac958c5a697453 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5449

  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8253a0c4a7fedef8 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5805

      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

socket.io

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #846b0aea20bac381 — Environment-variable access.

pkgs/npm/[email protected]/client-dist/socket.io.js:2955

        r = process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-node

npm dependency

expand_more 9 low-confidence finding(s)

low env_fs dependency Excluded from app score #c67b88a4b98eb610 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c67b88a4b98eb610 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99b5d08c38ee6206 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:39

const {
  realpathSync,
  statSync,
  Stats,
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #112b0b7ce98e2c62 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:43

} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0675c0ad865c61a5 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0675c0ad865c61a5 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59260b53e249b857 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:13

    string = fs.readFileSync(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad1b60ae865322da — Environment-variable access.

pkgs/npm/[email protected]/dist-raw/node-options.js:48

  const envArgv = ParseNodeOptionsEnvVar(process.env.NODE_OPTIONS || '', errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1626467ce8ecc3ad — Environment-variable access.

pkgs/npm/[email protected]/dist-raw/node-options.js:99

  if(process.env.NODE_PENDING_DEPRECATION === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tsconfig-paths

npm dependency

expand_more 12 low-confidence finding(s)

low env_fs dependency Excluded from app score #899cd1f8d067476e — Environment-variable access.

pkgs/npm/[email protected]/lib/config-loader.js:30

        getEnv: function (key) { return process.env[key]; },

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73a0b9381a4ac8ea — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:4

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73a0b9381a4ac8ea — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:4

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69162872f3dbbe7f — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:37

    fs.readFile(path, "utf8", function (err, result) {
        // If error, assume file did not exist
        if (err || !result) {
            return callback();
        }
        var json = JSON.parse(result);
        return callback(undefined, json);
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0417913371ba3bd9 — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:16

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0417913371ba3bd9 — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:16

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06daac8cf8cbb2ef — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:85

        return fs.readFileSync(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd5818669a091316 — Environment-variable access.

pkgs/npm/[email protected]/src/config-loader.ts:68

    getEnv: (key: string) => process.env[key],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbe532b473d4ed10 — Filesystem access.

pkgs/npm/[email protected]/src/filesystem.ts:1

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbacde9cba8441e9 — Filesystem access.

pkgs/npm/[email protected]/src/filesystem.ts:68

  fs.readFile(path, "utf8", (err, result) => {
    // If error, assume file did not exist
    if (err || !result) {
      return callback();
    }
    const json = JSON.parse(result);
    return callback(undefined, json);
  });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4d696f1de35c2b2 — Filesystem access.

pkgs/npm/[email protected]/src/tsconfig-loader.ts:2

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79b11f2aeb47d38a — Filesystem access.

pkgs/npm/[email protected]/src/tsconfig-loader.ts:120

    fs.readFileSync(filename, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typeorm

npm dependency

expand_more 34 low-confidence finding(s)

low env_fs dependency Excluded from app score #264e577471b31685 — Environment-variable access.

pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:3

if ((process.env["NODE_OPTIONS"] || "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12ae3a5eb6221981 — Environment-variable access.

pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:11

                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8eb255ca53209422 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/better-sqlite3/BetterSqlite3Driver.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0e5f6e550ed2ba7 — Environment-variable access.

pkgs/npm/[email protected]/browser/driver/oracle/OracleDriver.js:193

            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a0a1e6fb7848095 — Environment-variable access.

pkgs/npm/[email protected]/browser/driver/postgres/PostgresDriver.js:227

            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79a216dff656340c — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqlite/SqliteDriver.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #813f10700a27e4ca — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:59

                    const database = PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17314af907eab539 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:126

                await PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb2ecba71530ad62 — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.d.ts:3

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #461366335ec0b0cc — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:3

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bde978fa3f1f4682 — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:8

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8a24263fccaee7f — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:154

        return fs.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #721fcea866ee3601 — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:160

        return fs.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7747c00583f2281e — Environment-variable access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:174

        return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42f178c5728becdf — Filesystem access.

pkgs/npm/[email protected]/browser/util/ImportUtils.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73488fd450bea2e6 — Filesystem access.

pkgs/npm/[email protected]/browser/util/ImportUtils.js:71

                const parsedPackage = JSON.parse(await fs.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fac32fbc2ba76850 — Environment-variable access.

pkgs/npm/[email protected]/cli-ts-node-esm.js:5

if ((process.env["NODE_OPTIONS"] || "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab0823b6847a64b6 — Environment-variable access.

pkgs/npm/[email protected]/cli-ts-node-esm.js:13

                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35e941f9175c65dd — Filesystem access.

pkgs/npm/[email protected]/commands/CommandUtils.js:64

        await promises_1.default.writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6191083d7d4dfe70 — Filesystem access.

pkgs/npm/[email protected]/commands/CommandUtils.js:70

        const file = await promises_1.default.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba05079a2af6595e — Filesystem access.

pkgs/npm/[email protected]/commands/InitCommand.js:76

            const packageJsonContents = await CommandUtils_1.CommandUtils.readFile(basePath + "/package.json");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37c108205add1e35 — Filesystem access.

pkgs/npm/[email protected]/commands/InitCommand.js:579

        const ourPackageJson = JSON.parse(await CommandUtils_1.CommandUtils.readFile(`${__dirname}/../package.json`));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47ee4bfea83ba858 — Environment-variable access.

pkgs/npm/[email protected]/driver/oracle/OracleDriver.js:196

            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d283b3d965ed03ed — Environment-variable access.

pkgs/npm/[email protected]/driver/postgres/PostgresDriver.js:230

            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #315cebfcf657ae42 — Filesystem access.

pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:62

                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f468d4bbe9099a13 — Filesystem access.

pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:129

                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #160f8f4725726114 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.d.ts:3

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cff54f53b70a658d — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:7

const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0eb7f8b9aaf507e9 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:13

var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0eb7f8b9aaf507e9 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:13

var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8f4e8e7ff8c5c69 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:162

        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57d7b50c564e436e — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:168

        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c8231762a03e3fb — Environment-variable access.

pkgs/npm/[email protected]/platform/PlatformTools.js:182

        return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7078fc0f127dc35 — Filesystem access.

pkgs/npm/[email protected]/util/ImportUtils.js:75

                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency

expand_more 20 low-confidence finding(s)

low env_fs dependency Excluded from app score #9d9c2f242fc10adc — Filesystem access.

pkgs/npm/[email protected]/lib/_tsserver.js:51

var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1db239eee47c7d9b — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:309

    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83e78d6215fcf43f — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:535

  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b185b8c214fea44 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47bb033f3b709bee — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:565

    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72e1423cddbc97a2 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:566

      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d304ad6fb59beb — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d304ad6fb59beb — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d304ad6fb59beb — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d304ad6fb59beb — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54d304ad6fb59beb — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #688a81438afe6d0b — Filesystem access.

pkgs/npm/[email protected]/lib/_typingsInstaller.js:44

var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8483b850240525f9 — Filesystem access.

pkgs/npm/[email protected]/lib/_typingsInstaller.js:88

    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f290eee31d2023c8 — Filesystem access.

pkgs/npm/[email protected]/lib/watchGuard.js:42

var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ws

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #d9e96b86ee9525fb — Environment-variable access.

pkgs/npm/[email protected]/lib/buffer-util.js:115

if (!process.env.WS_NO_BUFFER_UTIL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf2a3c0cebfdd753 — Environment-variable access.

pkgs/npm/[email protected]/lib/validation.js:142

} /* istanbul ignore else  */ else if (!process.env.WS_NO_UTF_8_VALIDATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

path-to-regexp prod — dist-only: no readable source

Development

@nestjs/apollo dev — dist-only: no readable source
@typescript-eslint/parser dev — dist-only: no readable source
amqp-connection-manager dev — dist-only: no readable source
cache-manager dev — dist-only: no readable source
concurrently dev — dist-only: no readable source
conventional-changelog dev — dist-only: no readable source
graphql-subscriptions dev — dist-only: no readable source
lerna dev — dist-only: no readable source
redis dev — dist-only: no readable source
typescript-eslint dev — dist-only: no readable source

verified_user Possible application data leak

App Privacy Score

bar_chart Score Breakdown

list Scan Summary

swap_horiz Potential data exfiltration in application code

</> First-Party Code

first-party (npm)

</> Dependencies

coveralls

nats

@fastify/static

graphql

@apollo/server

@commitlint/cli

@eslint/eslintrc

@fastify/view

@grpc/grpc-js

@types/gulp

amqplib

chai

delete-empty

eslint

eslint-config-prettier

express

fastify

gulp-clean

gulp-sourcemaps

gulp-typescript

husky

ioredis

kafkajs

lerna-changelog

lint-staged

mocha

mongoose

multer

mysql2

nyc

prettier

socket.io

ts-node

tsconfig-paths

typeorm

typescript

ws

Skipped dependencies