Close Open Privacy Scan

bolt Snapshot: commit ec68851
science engine v1.5
schedule 2026-07-14T06:17:29.101891+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

smart_toy MCP server detected: @ai-sdk/anthropic, @ai-sdk/openai, @google/generative-ai, @langchain/anthropic +12 more — detected in dependencies, not a safety judgment.
Incomplete scan — only 0/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 3074 finding(s)

Dependency score: 100 (Low risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

90 high 557 medium 2427 low
First-party packages: 40
Dependency packages: 0
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: 169.254.169.254169.254.170.2169.254.170.23192.168.1.100a.b.app.n8n.clouda.coma.exampleaccount.box.comaccounts.google.comaccounts.spotify.comaccounts.zoho.comaccounts.zoho.com.auaccounts.zoho.com.cnaccounts.zoho.euaccounts.zoho.inacme.app.n8n.cloudactionnetwork.orgacuityscheduling.comadaptivecards.ioadb-xxx.azuredatabricks.netadb-xxx.cloud.databricks.comadb-xxxxx.xx.azure.databricks.comadoption.microsoft.comai-gateway.vercel.shairtable.comaka.msallowed.exampleanalytics.google.comanalyticsadmin.googleapis.comanalyticsdata.googleapis.comanalyticsreporting.googleapis.comanywhere.exampleapiapi-b2b.backenster.comapi-docs.deepseek.comapi-eu.dhl.comapi-free.deepl.comapi-rootapi-rs.n8n.ioapi-ssl.bitly.comapi-staging.n8n.ioapi.adalo.comapi.affinity.coapi.airtable.comapi.airtop.aiapi.anthropic.comapi.apitemplate.ioapi.atlassian.comapi.bamboohr.comapi.bannerbear.comapi.baserow.ioapi.beeminder.comapi.bitbucket.orgapi.bitwarden.comapi.botframework.comapi.box.comapi.brandfetch.ioapi.brevo.comapi.cal.comapi.calendly.comapi.clickup.comapi.clockify.meapi.cloudflare.comapi.cohere.aiapi.coingecko.comapi.convertkit.comapi.copper.comapi.currents.devapi.custom-service.comapi.datadoghq.comapi.deepl.comapi.deepseek.comapi.dropboxapi.comapi.dropcontact.ioapi.duckduckgo.comapi.egoiapp.comapi.eu.iterable.comapi.figma.comapi.firecrawl.devapi.form.ioapi.frankfurter.devapi.getflow.comapi.getgo.comapi.getmetal.ioapi.getresponse.comapi.getzep.comapi.github.comapi.gong.ioapi.google.comapi.groq.comapi.gumroad.comapi.harvestapp.comapi.helpscout.netapi.hsforms.comapi.hubapi.comapi.humantic.aiapi.hunter.ioapi.imperva.comapi.infusionsoft.comapi.intercom.ioapi.iterable.comapi.lemlist.comapi.linear.appapi.linkedin.comapi.loganalytics.azure.comapi.loganalytics.ioapi.mailcheck.coapi.mailerlite.comapi.mailjet.comapi.malcore.ioapi.medium.comapi.meethue.comapi.meraki.comapi.minimax.ioapi.minimaxi.comapi.miro.comapi.mistral.aiapi.monday.comapi.moonshot.aiapi.moonshot.cnapi.n8n.ioapi.nasa.govapi.netlify.comapi.notion.comapi.npms.ioapi.open-meteo.comapi.openai.comapi.openweathermap.orgapi.other.comapi.ouraring.comapi.peekalink.ioapi.perplexity.aiapi.phantombuster.comapi.pinecone.ioapi.pipedrive.comapi.postmarkapp.comapi.pushbullet.comapi.pushover.netapi.raindrop.ioapi.recordedfuture.comapi.search.brave.comapi.sekoia.ioapi.sendgrid.comapi.slack.comapi.smith.langchain.comapi.spotify.comapi.stripe.comapi.surveymonkey.comapi.telegram.orgapi.test.comapi.todoist.comapi.track.toggl.comapi.trello.comapi.trychroma.comapi.twilio.comapi.twitter.comapi.typeform.comapi.umbrella.comapi.uproc.ioapi.uptimerobot.comapi.venafiapi.webflow.comapi.wolframalpha.comapi.x.aiapi.xx-yy.cloud.solarwinds.comapi.zoom.usapi2.autopilothq.comapp.adalo.comapp.asana.comapp.box.comapp.clickup.comapp.daytona.ioapp.getresponse.comapp.gong.ioapp.hubspot.comapp.infisical.comapp.invoiceninja.comapp.n8n.cloudapp.nocodb.comapp.pagerduty.comapp.posthog.comapp.us1.sysdig.comappcenter.intuit.comattacker.exampleauth.atlassian.comauth.calendly.comauth.monday.comauth0.comb.comb.examplebedrockbedrock-runtimebedrock-runtime.eu-west-3.example.internalbedrock.us-east-1.amazonaws.combeta.openai.combigquery.googleapis.combitly.combrave.combuild.nvidia.comc.comcdn-rs.n8n.iocdn.jsdelivr.netcdn.simpleicons.orgcdn.tailwindcss.comchanged.iochat.googleapis.comchatgpt.comchromewebstore.google.comchromium.orgcircleci.comclaude.aicloud.google.comcloud.seatable.ioclouddocs.f5.comcloudresourcemanager.googleapis.comcn-hongkong.dashscope.aliyuncs.comcoda.iocognitiveservices.azure.comcollector.iocommentanalyzer.googleapis.comcommunity.n8n.iocompany.clearbit.comcompany.freshdesk.comconnectconnect.mailerlite.comconsole.cloud.google.comconsole.developers.google.comconsole.groq.comcontent.dropboxapi.comcontext7.comcreators.n8n.iocustom-anthropic-api.comcustom-project.firebaseio.comcustom-url.comcustom.comcustom.googleapis.comcustomer.iodashscope-intl.aliyuncs.comdashscope-us.aliyuncs.comdashscope.aliyuncs.comdata.jsdelivr.comdatatracker.ietf.orgdeepsearch.jina.aidefense.conferdeploy.netdev-123456.okta.comdev-qqkrykgkoo0p63d5.eu.auth0.comdev.drift.comdev.w3.orgdev99890.service-now.comdevdocs.drift.comdevdocs.magento.comdeveloper.1password.comdeveloper.atlassian.comdeveloper.carbonblack.comdeveloper.cisco.comdeveloper.crowdstrike.comdeveloper.helpscout.comdeveloper.mozilla.orgdeveloper.okta.comdeveloper.x.comdevelopers.generativeai.googledevelopers.google.comdevelopers.hubspot.comdevelopers.miro.comdevelopers.notion.comdevelopers.perspectiveapi.comdevelopers.virustotal.comdiscord.comdisqus.comdoc.twake.appdocs.airtop.aidocs.anthropic.comdocs.astral.shdocs.aws.amazon.comdocs.claude.comdocs.cohere.comdocs.convertapi.comdocs.currents.devdocs.databricks.comdocs.datadoghq.comdocs.dfir-iris.orgdocs.dynatrace.comdocs.fortinet.comdocs.getgrist.comdocs.github.comdocs.google.comdocs.googleapis.comdocs.imperva.comdocs.mattermost.comdocs.microsoft.comdocs.mistral.aidocs.mongodb.comdocs.n8n.iodocs.oasis-open.orgdocs.opencti.iodocs.oracle.comdocs.rapid7.comdocs.searxng.orgdocs.sekoia.iodocs.snowflake.comdocs.stripe.comdocs.sysdig.comdocs.test.comdocs.trellix.comdocs.x.aidocumentation.solarwinds.comdod-graph.microsoft.usdriftapi.comdrive.google.comdummyjson.comdynamic-templates.n8n.iodynamodb.eu-central-1.amazonaws.comeditor-baseeks-pod-identity.amazonaws.comemailembeddings-dashboard-api.jina.aien.wikipedia.orgenterprise.n8n.ioevil.comevil.exampleexample.agilecrm.comexample.atlassian.netexample.n8n.cloudexample.nonexistentexternal.comfacebook.comfeeds.bbci.co.ukfirebase.googleapis.comfirestore.googleapis.comfirst.comfoo.app.n8n.cloudformio.form.iogateway.seven.iogenerativelanguage.googleapis.comghost.orggithub.comgitlab.comgmail.comgoogle.comgoogleads.googleapis.comgraph.facebook.comgraph.microsoft.comgraph.microsoft.usgraphql.emelia.iogumroad.comhelp.adalo.comhelp.getharvest.comhelp.zscaler.comhn.algolia.comhnrss.orghostnamehttpbin.orghuggingface.coiam.amazonaws.comicalendar.orgicon.test.comid.getharvest.comidentity.bitwarden.comidentity.xero.cominsight.rapid7.comintegrate.api.nvidia.cominternal-production.app.n8n.cloudinvoicing.cojeroen.github.iojina.aijira.company.comjira.localjslib.k6.iojson-schema.orgkafka.apache.orgkf.kobotoolbox.orglambdalambda.cn-north-1.amazonaws.com.cnlambda.us-east-1.amazonaws.comlanguage.googleapis.comlearn.microsoft.comlegitimate-client.comlicense.n8n.iolinear.applinkedin.comlogin.mailchimp.comlogin.microsoftonline.comlogin.microsoftonline.uslogin.partner.microsoftonline.cnlogin.salesforce.comlogin.xero.commail.google.commalcore.readme.iomalicious-site.commalicious.commanagement.azure.commanual.bubble.iomarketplace.gohighlevel.commarketplace.leadconnectorhq.commarketplace.zoom.usmatrix-client.matrix.orgmatrix.orgmattermost.internal.n8n.iomcp.gmail.commcp.linear.appmcp.notion.commcp.slack.commedium.commicrosoft.commicrosoftgraph.chinacloudapi.cnmiro.commock-upload-url.commock.auth.servicemodels.devmoment.github.iomonitor.azure.commy-instance.app.n8n.cloudmy-mcp-endpoint.aimy-mcp-server.aimy-n8n.app.n8n.cloudmy-organization.odoo.commy-site.commy.demio.commy.instance.app.n8n.cloudmybusiness.googleapis.commybusinessaccountmanagement.googleapis.commybusinessbusinessinformation.googleapis.commycompany.my.salesforce.commydeployment.es.us-central1.gcp.cloud.es.iomydeployment.kb.us-central1.gcp.cloud.es.iomyinstance.app.n8n.cloudmyproxyn.examplen8n-community.typeform.comn8n-helpdesk.zammad.comn8n-org.myfreshworks.comn8n-preview-service.internal.n8n.cloudn8n-tunnel.myhost.comn8n.erpnext.comn8n.freshservice.comn8n.grafana.netn8n.host.comn8n.ion8n.localn8n.local.evil.comn8n.rocket.chatn8niostorageaccount.blob.core.windows.netname.mautic.netnavigated.comnew-url.comnew.comnewsapi.orgno.comnominatim.openstreetmap.orgnotify-api.line.menotify-bot.line.menumbersapi.comoauth.pipedrive.comoauth.platform.intuit.comoauth2.googleapis.comold-url.comold.comollama.aiopenrouter.aiorbit.loveoriginal.iootel.observability.acmeother-app.comother.comotx.alienvault.comoverride-url.compeople.googleapis.comph.n8n.ioplatform.kimi.aiplatform.minimax.ioplatform.openai.complugins.twake.appportal.airtop.aiportal.azure.comproxy.internalpublic-api.lonescale.compublic-api.wordpress.compublic.api.comqdrant.techqualysapi.qualys.comqualysguard.qg2.apps.qualys.comr.jina.airaindrop.ioraw.githubusercontent.comregistry.npmjs.orgrekognitionreqbin.comrest.gohighlevel.comrest.messagebird.coms.jina.ais3s3.amazonaws.comsafe.comsame.comschema-registry-domainschemas.xmlsoap.orgsdk-templates.n8n.iosearx.test.comsecond.comsecure.helpscout.netsentry.ioserpapi.comservices.leadconnectorhq.comsheets.googleapis.comshuffler.iosigned.comsignin.infusionsoft.comslack.comslides.googleapis.comslsa.devsnsspawned.comsqssqs.mycompany.devsqs.us-west-2.mycompany.devssmstage-app.n8n.cloudstaging-subscription.n8n.iostatic.linear.appstorage.azure.comstorage.googleapis.comstripe.comstssts.cn-north-1.amazonaws.com.cnsts.eu-west-1.amazonaws.comsts.us-east-1.amazonaws.comsts.us-gov-west-1.amazonaws.comsts.windows.netsubdomain.app.gong.iosubscription.n8n.iosupabase.comsupport.airtable.comsupport.google.comt.comtabtab1.comtaiga.yourdomain.comtarget.comtelegram.metelemetry.n8n.iotenant.exampletenant123.sharepoint.comtest-base-urltest-n8n-base-urltest-oauth2.atlassian.nettest-project.europe-west1-firebase.cloudfunctions.nettest-project.firebaseio.comtest-project.undefinedtest-search.search.windows.nettest-url.comtest.api.n8n.iotest.app.n8n.cloudtest.comtest.docs.n8n.iotest.endpoint.comtest.localtest.n8n.iotest.salesforce.comtodoist.comtranslation.googleapis.comtrello.comtwist.comtwitter.comupdated.comupdated.ioupload.box.comupload.googleapis.comupload.wikimedia.orgurlscan.ious-east-1.console.aws.amazon.comv2.convertapi.comvalid-url.comvisibilityvpce-0abc.sqs.not-a-region.vpce.amazonaws.comvpce-0abc123-usw2-az1.sqs.us-west-2.vpce.amazonaws.comvpce-0abc123.bedrock-runtime.us-east-1.vpce.amazonaws.comvpce-0abc123.sqs.cn-north-1.vpce.amazonaws.com.cnvpce-0abc123.sqs.not-a-region.vpce.amazonaws.comvpce-0abc123.sqs.us-gov-west-1.vpce.amazonaws.comvpce-0abc123.sqs.us-west-2.vpce.amazonaws.comvpce-abc.bedrock.us-east-1.vpce.amazonaws.comweaviate.iowebexapis.comwebflow.comwebhook-basewekan.yourdomain.comwesteurope.api.cognitive.microsoft.comwiki.jenkins.ioworkspace.app.n8n.cloudwww.api.comwww.beeminder.comwww.dropbox.comwww.elastic.cowww.eventbrite.comwww.eventbriteapi.comwww.ex.comwww.facebook.comwww.figma.comwww.filescan.iowww.formstack.comwww.google.comwww.googleapis.comwww.home-assistant.iowww.hybrid-analysis.comwww.ibm.comwww.linkedin.comwww.localeplanet.comwww.mist.comwww.mongodb.comwww.mydomain.comwww.n8n.iowww.notion.sowww.npmjs.comwww.odoo.comwww.pushbullet.comwww.qwencloud.comwww.reddit.comwww.solarwinds.comwww.strava.comwww.theverge.comwww.typescriptlang.orgwww.unpkg.comwww.virustotal.comwww.w3.orgwww.website.comwww.youtube-nocookie.comwww.youtube.comwww.zabbix.comx.exampleyes.comyour-cluster.weaviate.cloudyour-ipam-serveryour-search-service.search.windows.netyour-tenant.auth0.comyour_account.supabase.coyourdomain.comyourzulipdomain.zulipchat.comzoom.us例え.jp

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/keycloak.ts:509 repo/packages/testing/containers/services/keycloak.ts:520
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/ngrok.ts:48 repo/packages/testing/containers/services/ngrok.ts:85
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 repo/packages/testing/playwright/reporters/metrics-reporter.ts:75
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:225 repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:223
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/instance-seeding/seedInstance.mjs:10 repo/scripts/instance-seeding/seedInstance.mjs:228
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/license/license.service.ts:78 repo/packages/cli/src/license/license.service.ts:71
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401
high first-party (npm): packages/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/oauth/oauth.service.ts:1067 repo/packages/cli/src/oauth/oauth.service.ts:1096
high first-party (npm): packages/core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/azure-blob.manager.ts:64 repo/packages/core/src/binary-data/azure-blob.manager.ts:66
high first-party (npm): packages/core User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/object-store.manager.ts:78 repo/packages/core/src/binary-data/object-store.manager.ts:80
high first-party (npm): packages/@n8n/cli User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/cli/src/client.ts:49 repo/packages/@n8n/cli/src/client.ts:90
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299
high first-party (npm): packages/nodes-base User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:75 repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74
high first-party (npm): packages/@n8n/instance-ai User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:94 repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91
high first-party (npm): packages/@n8n/computer-use User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/computer-use/src/gateway-client.ts:308 repo/packages/@n8n/computer-use/src/gateway-client.ts:302
high first-party (npm): packages/frontend/editor-ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25
medium first-party (npm) Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45

</> First-Party Code

first-party (npm): packages/frontend/editor-ui

npm first-party
high pii_flow production #7b12fc09ba8099ea User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25 · flow /tmp/closeopen-eiu3royx/repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8 → /tmp/closeopen-eiu3royx/repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:25
		const response = await fetch(POPULARITY_ENDPOINT, {
			signal: AbortSignal.timeout(5000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #08eeabd93209258b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useAutocompleteTelemetry.ts:93
		telemetry.track('User autocompleted code', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c4817b1f5850cafe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCalloutHelpers.ts:81
			telemetry.track('User clicked on RAG callout', {
				node_type: options.telemetry.nodeType ?? null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3d659adafe27170e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCalloutHelpers.ts:85
			telemetry.track('User inserted tutorial template', {
				template: templateId,
				source: options.telemetry.source,
				node_type: options.telemetry.nodeType ?? null,
				section: options.telemetry.section ?? null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a011aae7729a95be Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:285
		telemetry.track('User tidied up canvas', {
			source,
			target,
			nodes_count: result.nodes.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #10521ef201605cc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:608
			telemetry.track('User deleted workflow note', {
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f56be4f8ffd2d8c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:613
			telemetry.track('User deleted node', {
				node_type: node.type,
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #abd624ae8f34b398 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:1230
		telemetry.track('User inserted workflow note', {
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b29e8094e058472e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2956
						telemetry.track('User pasted nodes', {
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #de1a6cc38bd35fe0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2961
						telemetry.track('User duplicated nodes', {
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #587d8e515d1105ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:2966
						telemetry.track('User imported workflow', {
							source,
							workflow_id: workflowDocumentStore.value.workflowId,
							node_graph_string: nodeGraph,
						});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #feb020fe53693f4a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3279
		telemetry.track('User copied nodes', {
			node_types: workflowData.nodes.map((node) => node.type),
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #70e393743e8169ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3353
		telemetry.track('User clicked chat open button', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bb6371c73fd957d7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCanvasOperations.ts:3538
		telemetry.track('User inserted workflow template', {
			source: 'workflow',
			template_id: tryToParseNumber(templateId),
			wf_template_repo_session_id: templatesStore.previousSessionId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1457d3fc56454ce3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useCollectionOverhaul.ts:6
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c5704729d823ccac Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useErrorHandler.ts:3
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8bdddb7c76551771 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useFreeAiCredits.ts:79
			telemetry.track('User claimed OpenAI credits', { source });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #40851c6b071e6957 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useGlobalEntityCreation.ts:460
			telemetry.track('User clicked sidebar add variable button');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #09f81fee082ba2e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useGlobalEntityCreation.ts:465
			telemetry.track('User clicked sidebar add data table button');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6bb93395688a568a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:90
			telemetry.track(`User hit ${type}`, { commands_length: 1, commands: [command.name] });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0bd6d380246c6cff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:92
			telemetry.track(`User hit ${type}`, {
				commands_length: command.commands.length,
				commands: command.commands.map((c) => c.name),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #daa897cd334be434 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useHistoryHelper.ts:102
			telemetry?.track('User hit undo in NDV', { node_type: activeNode.type });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #62a5f70d7968e0ab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useNodeExecution.ts:427
			telemetry.track('User clicked execute node button', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f7f4d197a90693b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useNodeHelpers.ts:798
			telemetry.track('User set node enabled status', {
				node_type: node.type,
				is_enabled: node.disabled,
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5061a5aa3cc28569 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePageRedirectionHelper.ts:63
		telemetry.track('User clicked upgrade CTA', {
			source,
			isTrial: userIsTrialing,
			deploymentType,
			trialDaysLeft,
			executionsLeft,
			workflowsLeft,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #de4214e3beab8807 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:241
		telemetry.track('Ndv data pinning success', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cbbc902cafaa9c71 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:255
		telemetry.track('Ndv data pinning failure', {
			pinning_source: source,
			node_type: targetNode?.type,
			push_ref: rootStore.pushRef,
			data_size: stringSizeInBytes(data.value),
			view: displayMode,
			run_index: runIndex,
			error_type: errorType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #aac7b33207927bd2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePinnedData.ts:307
		telemetry.track('User unpinned ndv data', {
			node_type: targetNode?.type,
			push_ref: rootStore.pushRef,
			run_index: runIndex,
			source,
			data_size: stringSizeInBytes(data.value),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4676138d34cf5dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePostMessageHandler.ts:176
		telemetry.track('User opened read-only execution', {
			workflow_id: data.workflowData.id,
			execution_mode: data.mode,
			execution_finished: data.finished,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2e3a2a6cac326876 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:121
			telemetry.track('User executed test AI workflow', {
				status: data.status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9ce3e3de57d1f3f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:140
			telemetry.track('User executed tutorial template', {
				template: templateId,
				status: data.status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #75099c17313dcf8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/executionFinished.ts:401
		telemetry.track('Instance FE emitted paired item error', eventData);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #12245e99b5fa94dc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/usePushConnection/handlers/trackNodeExecution.ts:23
		telemetry.track('Manual exec errored', {
			error_title: pushData.data.error.message,
			node_type: node?.type,
			node_type_version: node?.typeVersion,
			node_id: node?.id,
			node_graph_string: JSON.stringify(
				TelemetryHelpers.generateNodesGraph(
					workflowDocumentStore.serialize(),
					workflowHelpers.getNodeTypes(),
					{
						isCloudDeployment: settingsStore.isCloudDeployment,
					},
				).nodeGraph,
			),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e3e23de4d60370ff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useRunWorkflow.ts:651
		telemetry.track('User clicked execute workflow button', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #53cddcc995f277c1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useToast.ts:82
			telemetry.track('Instance FE emitted error', {
				error_title: params.title,
				error_message: messageForTelemetry,
				caused_by_credential: causedByCredential(messageForTelemetry),
				workflow_id: workflowDocumentStore.value.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ec44aa34ad2e0d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useToast.ts:177
		telemetry.track('Instance FE emitted error', {
			error_title: title,
			error_description: message,
			error_message: error.message,
			caused_by_credential: causedByCredential(error.message),
			workflow_id: workflowDocumentStore.value.workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9f860cf542def490 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowActivate.ts:200
		telemetry.track('User set workflow active status', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e5f1f19836d04816 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowExtraction.ts:526
		telemetry.track('User started nodes to sub-workflow extraction', {
			node_count: nodeCount,
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #40f7a0822036cc91 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowExtraction.ts:533
		telemetry.track('User extracted nodes to sub-workflow', {
			node_count: nodeCount,
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #84291c35e4c84d69 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowInitialization.ts:352
				telemetry.track(
					`User opened workflow from onboarding template with ID ${workflowData.meta.onboardingId}`,
					{ workflow_id: id },
				);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4f588f83fac0ac1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowSaving.ts:264
					telemetry.track('User attempted to save locked workflow', {
						workflowId: currentWorkflow,
						sharing_role: getWorkflowProjectRole(currentWorkflow),
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6f50aae228392f52 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/composables/useWorkflowSaving.ts:523
				telemetry.track('User saved new workflow from template', {
					template_id: tryToParseNumber(String(templateId)),
					workflow_id: workflowData.id,
					wf_template_repo_session_id: templatesStore.previousSessionId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e15fa46e1e1bb582 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/init.ts:234
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4bbeabec74da14e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/sentry.test.ts:1
import type * as Sentry from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #471f5d90fb1a7968 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/sentry.ts:4
import * as Sentry from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #79ef4c6aa0c9ef8e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry.test.ts:194
			telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c74cb0f70fdd6cc5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry.test.ts:217
			telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bc9f787229df3541 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:69
		this.track('Session started', { session_id: rootStore.pushRef });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8499e8a9dfb2c59e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:115
		this.rudderStack.track(event, updatedProperties, {
			context: {
				// provide a fake IP address to instruct RudderStack to not use the user's IP address
				ip: '0.0.0.0',
			},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3b1589d2d1d2bf69 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:123
			usePostHog().capture(event, updatedProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a5cdc7198e8cc665 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:176
					this.track('Ai code generation finished', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1a028ddc051f94e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:190
					this.track('Ai Transform code generation finished', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2f9acc77ce8b3cd5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/plugins/telemetry/index.ts:208
				this.track('User toggled n8n reference option', {
					node: nodeType,
					toValue: change.value,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ffa4f449f9a80b9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:212
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #daf89a544d3af4c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:217
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9eebf4567d16b0c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:225
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c94663dc2b289ed7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.test.ts:238
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #41488c1ddaf5f794 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.ts:256
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a3e53b381b20d2bf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/router.ts:306
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69018633b1075b65 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/favorites.store.ts:71
			telemetry.track('User toggled favorite', {
				action: 'removed',
				resource_type: resourceType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0a7e695217cde493 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/favorites.store.ts:79
			telemetry.track('User toggled favorite', {
				action: 'added',
				resource_type: resourceType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ba8340047168441 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/logs.store.ts:92
		telemetry.track('User toggled log view sub pane', {
			pane: 'input',
			newState: wasOpen ? 'hidden' : 'visible',
			isSubNode: isSubNodeSelected.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7cb8a3914eae4639 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/logs.store.ts:113
		telemetry.track('User toggled log view sub pane', {
			pane: 'output',
			newState: wasOpen ? 'hidden' : 'visible',
			isSubNode: isSubNodeSelected.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8dd066812b8992ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:119
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #497b75cf72adca95 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:120
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5a464268ff570892 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:127
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5b9a109b8e8b6c85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:128
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #426fed4e9e0ae832 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:152
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35be8aa33ac90470 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:153
			posthog.init(flags);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f0776a48abc40496 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:155
			expect(posthog.getVariant('test')).toEqual(flags[TEST]);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b08024d8afbcac13 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:168
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d86a5bc472c893b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:169
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #66b3e3532efbc836 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:183
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d829e3563aea91d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:184
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df68617212f2e44f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:194
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8ae07b02c20a466f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:196
			posthog.capture('Test event', { test: 'value' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fdfdd5f444c51f76 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:204
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dc77ac5a174aa1ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:206
			posthog.capture('Test event', {
				test: 'value',
				$groups: {
					organization: 'n8n',
				},
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c991520e3423ba8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:226
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9fb0672dca30e70c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:227
			posthog.init(flags);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8c6dcf28dffdb913 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:232
			expect(posthog.getVariant('test')).toEqual('override');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df5d16a059d7ed41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:246
			const posthog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6f71e30436fe0457 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:247
			posthog.init();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ed216d4c67fa737b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:249
			expect(posthog.hasPendingFeatureFlags()).toBe(true);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #85056f1f39d8da00 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:253
			const waitForFlags = posthog.waitForFeatureFlags().then(() => {

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #86971d96f51affc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:263
			expect(posthog.hasPendingFeatureFlags()).toBe(false);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e564c2dcfc3a7578 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.test.ts:264
			expect(posthog.getVariant('test')).toEqual('variant');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a70a1a7dc1762b41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/posthog.store.ts:147
		telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
			name,
			variant,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2c8ead37513a514c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/ui.store.ts:596
		telemetry.track('User clicked to open community node update modal', {
			source,
			package_name: packageName,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b3a706605331c0bf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/ui.store.ts:646
		telemetry.track('User toggled sidebar', {
			expanded: !sidebarMenuCollapsed.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2724ed3ec8ba6572 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/app/stores/versions.store.ts:213
								telemetry.track("User clicked on what's new notification", {
									article_id: articleId,
								});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eca7e04b761bca28 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:27
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4db26b91ea51561 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:71
			telemetry.track('User created AI templates starter collection', {
				source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #10adbc3a2f668518 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:77
			telemetry.track('User dismissed AI templates starter collection callout');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #24f3727237024c66 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:81
			telemetry.track('User opened AI template workflow', {
				template,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2352ba4aeffd5df6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/aiTemplatesStarterCollection/stores/aiTemplatesStarterCollection.store.ts:87
			telemetry.track('User executed AI template', {
				template,
				status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #51f504b42c3278bd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:16
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d0cb21a19f0ea6a7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:52
			telemetry.track('App selection page viewed');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #87d2cb9ca4530e2a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:56
			telemetry.track('App selection search performed', {
				search_term: searchTerm,
				result_count: resultCount,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b7445ddf7770da7b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/credentialsAppSelection/stores/credentialsAppSelection.store.ts:67
			telemetry.track('App selection completed', {
				connected_count: connectedCount.value,
				connected_apps: connectedApps,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9bee597843c0a455 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:25
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35cc2ab8391933ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:66
			telemetry.track('User submitted empty state builder prompt', {
				prompt_length: prompt.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #381a15290eb1f779 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/emptyStateBuilderPrompt/stores/emptyStateBuilderPrompt.store.ts:103
			telemetry.track('User imported workflow from empty state', {
				node_count: workflowData.nodes?.length ?? 0,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #323c0e51a03fe329 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlGmail/useEnhancedHitlGmailExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fcb783b664976c26 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlSlack/useEnhancedHitlSlackExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4710774de7f5e3ac Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/enhancedHitlTelegram/useEnhancedHitlTelegramExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e803071e0f2df48d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/evaluationsWizardSidepanel/useEvaluationsWizardSidepanelExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fb1eabd2e1973d5f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:12
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #55a411a2a2c5163a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:29
			telemetry.track('MCP expose all workflows confirmed', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #710a6eeb92568adc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:33
			telemetry.track('MCP expose all workflows declined', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6013c16449f222f8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/exposeAllWorkflowsToMcp/stores/exposeAllWorkflowsToMcp.store.ts:37
			telemetry.track('MCP expose all workflows modal dismissed', getTelemetryPayload());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #de6adaafd5577a03 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiBrowserCredentialSetup/useInstanceAiBrowserCredentialSetupExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4a60177a22ddea9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiBrowserUse/useInstanceAiBrowserUseExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dee7cf6e66f19e55 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiComputerUse/useInstanceAiComputerUseExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9d543000dc907f0b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiMcpConnections/useInstanceAiMcpConnectionsExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e8732789f08c9dfd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiPersonalizedPromptSuggestions/useInstanceAiPersonalizedPromptSuggestionsExperiment.ts:9
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #306e7d0243809e6e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiProactiveAgent/useInstanceAiProactiveAgentExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #77b57aedfab6c76a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiPromptSuggestionsV2/useInstanceAiPromptSuggestionsV2Experiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a37c66dd28f5da6b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiSplitEmptyState/useInstanceAiSplitEmptyStateExperiment.ts:6
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a6878f5a0edd04c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/instanceAiTemplateExamples/useInstanceAiTemplateExamplesExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eb01d8d92fe153f9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/n8nCreditsCredentialSelection/useN8nCreditsCredentialSelectionExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f0c75b59ffa9dfd2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:68
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9ccdf5611e34c1ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:99
		telemetry.track('User was recommended personalized templates', {
			templateIds,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c9303d1260ac7fd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:105
		telemetry.track('User clicked on personalized template callout', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8df2465605f6353f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplates/stores/personalizedTemplates.store.ts:111
		telemetry.track('User dismissed personalized template callout', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #94abd14f463c1e9b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:14
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f538781838e54990 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:74
		telemetry.track('User clicked on personalization card');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4084526fabda8e9c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:78
		telemetry.track('User viewed personalization modal');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ab907222def59454 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:82
		telemetry.track('User viewed personalization tooltip');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d08e0ce12169a189 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:86
		telemetry.track('User dismissed personalization tooltip');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #74b1bbfd13122744 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:90
		telemetry.track('User clicked on template from modal', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1ffe266bebf04c4a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:96
		telemetry.track('User clicked on templates repo from modal');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #09c36f579664d96c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/personalizedTemplatesV3/stores/personalizedTemplatesV3.store.ts:120
			telemetry.track(TELEMETRY_EVENTS.IS_PART_OF_EXPERIMENT, {
				name: PERSONALIZED_TEMPLATES_V3.name,
				variant,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #479833a48b462af2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:27
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9ff3d92b0c049db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:49
			telemetry.track('User created ready to run workflows', {
				source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8a87d9bc6e8ecbfe Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:55
			telemetry.track('User dismissed ready to run workflows callout');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9a02a29257565719 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:59
			telemetry.track('User opened ready to run workflow', {
				template,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e836b87da66144ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflows/stores/readyToRunWorkflows.store.ts:65
			telemetry.track('User executed ready to run workflow', {
				template,
				status,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #58272d33a1f54c2a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/readyToRunWorkflowsV2/stores/readyToRunWorkflowsV2.store.ts:14
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7fc8d9141856a6f7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:20
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ed341d1faff6ade5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:69
		telemetry.track('User visited resource center');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #26ff5aada6854f3d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/resourceCenter/stores/resourceCenter.store.ts:73
		telemetry.track('User clicked on resource center tile', { section, type, id });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ffe2d1f568ca1871 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/sidebarExpanded/useSidebarExpandedExperiment.ts:7
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fb1f19b5471db5db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:28
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #76c3764ce3c7d5c0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:72
			telemetry.track(
				'MCP onboarding entry point viewed',
				getTelemetryPayload({
					surface,
					entry_point: entryPoint,
					mcp_access_enabled: mcpAccessEnabled,
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5cf5e1b3ad3150b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:89
			telemetry.track(
				'MCP onboarding opportunity viewed',
				getTelemetryPayload({
					surface,
					entry_point: entryPoint,
					eligible: true,
					surface_available: surfaceAvailable,
					suppressed_by: suppressedBy,
					mcp_access_enabled: mcpAccessEnabled,
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5f21db7ed4a2e4e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:106
			telemetry.track(
				'MCP onboarding opened',
				getTelemetryPayload({
					surface,
					...(payload.entryPoint ? { entry_point: payload.entryPoint } : {}),
					...(payload.mcpAccessEnabled !== undefined
						? { mcp_access_enabled: payload.mcpAccessEnabled }
						: {}),
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cffaab842d3013b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:126
			telemetry.track(
				'MCP onboarding dismissed',
				getTelemetryPayload({
					surface,
					...(payload.activeClient ? { active_client: payload.activeClient } : {}),
					...(payload.enabledDuringThisOpen !== undefined
						? { enabled_during_this_open: payload.enabledDuringThisOpen }
						: {}),
					...(payload.mcpAccessEnabled !== undefined
						? { mcp_access_enabled: payload.mcpAccessEnabled }
						: {}),
				}),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c4d311d101bdb3db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:142
			telemetry.track('MCP onboarding enable clicked', getTelemetryPayload({ surface }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4c35ebd1c3acab0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:146
			telemetry.track('MCP onboarding enabled', getTelemetryPayload({ surface }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ed3f195b37283c8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:150
			telemetry.track(
				'MCP onboarding enable failed',
				getTelemetryPayload({ surface, error_type: errorType }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1af13dfc48d1cb9b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:160
			telemetry.track('MCP onboarding client selected', getTelemetryPayload({ surface, client }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1e63a8b09f305676 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:168
			telemetry.track(
				'MCP onboarding setup shown',
				getTelemetryPayload({ surface, client, setup_type: setupType }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #641911d149fea370 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/surfaceMcpToNewCloudUsers/stores/surfaceMcpToNewCloudUsers.store.ts:179
			telemetry.track(
				'MCP onboarding copied parameter',
				getTelemetryPayload({ surface, client, parameter }),
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #63f3c4831bdf07f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:17
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #148732dc6654ce21 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:59
			telemetry.track('User clicked on node minicard', {
				tool,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c0b97083cc8d847 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:65
			telemetry.track('User visited template recommendation modal tab', {
				tool,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d85adfa6561d27a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:71
			telemetry.track('User clicked on template recommendation tile', {
				templateId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ed2e7d8b392c1b8f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:77
			telemetry.track('User clicked on template recommendation video', {
				name,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a199002d352e750f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/templateRecoV2/stores/templateRecoV2.store.ts:83
			telemetry.track('User clicked on template recommendation see more', {
				type,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #43c154b3e5b83492 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/utils.ts:34
		usePostHog().getVariant(EXTRA_TEMPLATE_LINKS_EXPERIMENT.name) ===

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #769bde6ec9e2050f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/experiments/utils.ts:79
	useTelemetry().track('User clicked on templates', {
		role: useCloudPlanStore().currentUserCloudInfo?.role,
		active_workflow_count: useWorkflowsListStore().activeWorkflows.length,
		source,
	});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b45bae46f990a973 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentCreate.ts:57
		telemetry.track('User created agent', {
			agent_id: agent.id,
			source: options.telemetrySource,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a49ffaa9b5c16314 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentTelemetry.ts:31
			telemetry.track(event, props);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dbe9b8f1c8d7f062 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:39
		telemetry.track(
			'User started adding agent tool',
			withAgent({ tool_type: toolType, source: 'manual' }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dd0027035bbc94f5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:47
		telemetry.track(
			'User added agent tool',
			withAgent({
				tool_type: ref.type,
				has_approval: ref.requireApproval ?? false,
				...identityProps(ref),
			}),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #be7e14491337062c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:59
		telemetry.track(
			'User added agent tool',
			withAgent({
				tool_type: 'mcpServer',
				has_approval: false,
				server_name: server.name,
				authentication: server.authentication,
			}),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fea61e0719d7a975 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:72
		telemetry.track(
			'User edited agent tool',
			withAgent({ tool_type: ref.type, ...identityProps(ref) }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a324ea93f4ac7450 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/agents/composables/useAgentToolTelemetry.ts:80
		telemetry.track(
			'User removed agent tool',
			withAgent({ tool_type: ref.type, ...identityProps(ref) }),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c88454d627472785 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.test.ts:103
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1bda478565da04c2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:280
			telemetry.track('Assistant session started', {
				chat_session_id: currentSessionId.value,
				task: chatSessionTask.value,
				node_type: chatSessionError.value?.node.type,
				credential_type: chatSessionCredType.value?.name,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f9665dd6960653b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:610
			telemetry.track('User executed node after assistant suggestion', {
				task: chatSessionTask.value,
				chat_session_id: currentSessionId.value,
				success: false,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3b2306cffd2bfbd3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:621
			telemetry.track('User executed node after assistant suggestion', {
				task: chatSessionTask.value,
				chat_session_id: currentSessionId.value,
				success: true,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5343217431220b9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:696
		telemetry.track('User sent message in Assistant', {
			message,
			is_quick_reply: isQuickReply,
			chat_session_id: currentSessionId.value,
			message_number: usersMessages.value.length,
			task: chatSessionTask.value,
			allow_sending_parameter_values: allowSendingParameterValues.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ee8eea0e0336018d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/assistant.store.ts:733
		telemetry.track('User opened assistant', {
			source,
			task,
			has_existing_session,
			instance_id: rootStore.instanceId,
			workflow_id: workflowId,
			canvas_status: canvasStatus,
			node_type: chatSessionError.value?.node?.type,
			error: chatSessionError.value?.error,
			chat_session_id: currentSessionId.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7aea8c0dd960f643 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.test.ts:172
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a3ee62994575d8d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:272
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #659824e87691a1ea Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:510
		telemetry.track('End of response from builder', {
			user_message_id: userMessageId,
			workflow_id: routeWorkflowId.value,
			session_id: trackingSessionId.value,
			tab_visible: document.visibilityState === 'visible',
			code_builder: isCodeBuilder.value,
			mode: builderMode.value,
			...(planApproved ? { plan_approved: true } : {}),
			...getWorkflowModifications(currentStreamingMessage.value),
			...payload,
			...getTodosToTrack(),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6581666ad7d71933 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:797
		telemetry.track('User submitted builder message', trackingPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #07271c09a8af4dcd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:804
			telemetry.track('ai.focusedNodes.chatSent', {
				focused_count: focusedCount,
				has_deictic_ref: hasDeicticRef,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #751c4de4c59090a3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.store.ts:1543
		telemetry.track('Workflow builder journey', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9c90eeee66048a33 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/builder.utils.ts:41
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e791e771f256fce6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/chatPanel.store.ts:45
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #050e2b238a1ca7b6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/composables/useAskModeCoachmark.ts:23
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ee63566bf9381d84 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/composables/useReviewChanges.ts:41
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a85e582bf51cd694 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:30
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #74ca0ae71834921f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:121
			telemetry.track('ai.focusedNodes.added', {
				source,
				node_count: nodeTypes.length,
				node_types: nodeTypes,
				...(source === 'mention' && options?.mentionQueryLength !== undefined
					? { mention_query_length: options.mentionQueryLength }
					: {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8297b99c30a6078d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:191
			telemetry.track('ai.focusedNodes.removed', {
				method,
				removed_count: 1,
				remaining_count: confirmedNodes.value.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #043ee4b62e3cc05a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:204
			telemetry.track('ai.focusedNodes.removed', {
				method: 'clear_all',
				removed_count: previousCount,
				remaining_count: 0,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1c8bcde13ffac15 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:258
			telemetry.track('ai.focusedNodes.removed', {
				method: 'clear_all',
				removed_count: previousCount,
				remaining_count: confirmedNodes.value.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f2b1ebf907e4661a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:273
				telemetry.track('ai.focusedNodes.removed', {
					method: 'workflow_changed',
					removed_count: previousCount,
					remaining_count: 0,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1815595cc0716e0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/assistant/focusedNodes.store.ts:301
				telemetry.track('ai.focusedNodes.removed', {
					method: 'node_deleted',
					removed_count: deletedConfirmedCount,
					remaining_count: confirmedNodes.value.length,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2ef6028e090402a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:632
		telemetry.track('User sent chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0408cd57b152a314 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:757
		telemetry.track('User edited chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			chat_message_id: editId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4ec5949d2a8bb1c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:832
		telemetry.track('User regenerated chat hub message', {
			...flattenModel(agent.model),
			is_custom: agent.model.provider === 'custom-agent',
			chat_session_id: sessionId,
			chat_message_id: retryId,
			mode,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #744b8e6498350fff Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chat.store.ts:1026
		telemetry.track('User created agent', { ...flattenModel(payload) });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #27d9a010ab00fc16 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:21
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c7a57881fec8f7d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:42
		telemetry.track('User opened floating chat panel', { source: 'canvas' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2fe759c67f7e1fcd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/chatHubPanel.store.ts:62
		telemetry.track('User popped out floating chat panel', { source: 'canvas' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f3293b114d892aaa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/chatHub/components/AgentEditorModal.test.ts:539
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #184cd14253b341e4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/evaluation.ee/components/WizardSidepanel/useWizardPersistence.ts:196
			telemetry.track('User ran evaluation', {
				workflow_id: workflowId,
				run_id: dispatched?.testRunId ?? null,
				metric_count: wizardStore.selectedMetricKeys.length,
				custom_check_count: wizardStore.customChecks.length,
				slice_mode: wizardStore.isSliceMode,
				trigger,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b0d022cf0816036b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/evaluation.ee/composables/useEvalCollectionsFlag.ts:19
	const postHog = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7d7a877b6af9d2c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:132
		telemetry.track('Instance AI opened from editor', {
			source,
			workflow_id: workflowId,
			execution_id: executionId ?? null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d9146afb39a94d93 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:144
			telemetry.track('Instance AI opened from editor', {
				source,
				workflow_id: null,
				execution_id: null,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #263aaf27f91a0b96 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/composables/useInstanceAiHandoffCapability.ts:171
		telemetry.track('Instance AI opened from editor', {
			source,
			workflow_id: null,
			execution_id: null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f6dd33e51592ef00 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.store.ts:188
			telemetry.track('User launched Instance AI thread', {
				thread_id: result.thread.id,
				instance_id: rootStore.instanceId,
				source: launch.source,
				origin: launch.origin,
				...(typeof templateId === 'string' || typeof templateId === 'number'
					? { template_id: templateId }
					: {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d578a339e96aef9e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:429
			telemetry.track('User viewed new builder workflow', {
				thread_id: threadId,
				instance_id: rootStore.instanceId,
				workflow_id: workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #343a63dca32d5bc6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:471
			telemetry.track('Builder generation stalled', { thread_id: threadId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #08ed76d05fb96f0c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:603
					telemetry.track('User finished providing input', {
						thread_id: threadId,
						input_thread_id: conf.inputThreadId ?? '',
						instance_id: rootStore.instanceId,
						type: 'approval',
						provided_inputs: [
							{
								label: conf.message,
								options: ['approve', 'deny', 'approve_always'],
								option_chosen: 'approve_auto',
							},
						],
						skipped_inputs: [],
						auto_resolved: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #626f80d9f28518b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAi.threadRuntime.ts:1004
		telemetry.track('User sent builder message', {
			thread_id: threadId,
			instance_id: rootStore.instanceId,
			is_first_message: isFirstMessage,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #433898c3a034f702 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:7
			telemetry.track('Instance AI Connect Browser Use modal opened');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3de76555072c5a62 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:10
			telemetry.track('Instance AI Install Chrome Browser Extension button clicked');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1adb27a6ac664839 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiBrowserUse.telemetry.ts:13
			telemetry.track('Instance AI Open Browser Use Extension button clicked');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bc297b958b1541ed Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:8
			telemetry.track('Instance AI tools list opened');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f8219ff325f72e48 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:11
			telemetry.track('Instance AI mcp settings opened', { server_slug: serverSlug });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #baff4587ea996473 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:14
			telemetry.track('Instance AI mcp first credential connection start', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #54110425487a0e41 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:19
			telemetry.track('Instance AI mcp credential dropdown opened', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5fb61726b8c10b9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:24
			telemetry.track('Instance AI mcp existing credential selected', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4e0db46746fc8ee Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:29
			telemetry.track('Instance AI mcp new credential connection start', {
				server_slug: serverSlug,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #26f34e3c5acad78d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiMcp.telemetry.ts:34
			telemetry.track('Instance AI mcp tool filter settings updated', {
				server_slug: serverSlug,
				inclusion_mode: inclusionMode,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #244fabb7839e0a31 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:76
			telemetry.track('Instance AI prompt suggestions shown', createBasePayload(context));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3caf68b0773676ba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:80
			telemetry.track('Instance AI quick examples opened', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				position: context.position,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #66cdbfe56a0b2c43 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:88
			telemetry.track('Instance AI prompt suggestions cycled', {
				...context.telemetryPayload,
				suggestion_catalog_version: resolveSuggestionCatalogVersion(context),
				visible_suggestion_ids: context.visibleSuggestionIds,
				cycle_count: context.cycleCount,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f54f273eb5b91bcf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:97
			telemetry.track('Instance AI prompt suggestion selected', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				suggestion_kind: context.suggestionKind,
				position: context.position,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #575c31f0f820fc82 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/instanceAiPromptSuggestions.telemetry.ts:106
			telemetry.track('Instance AI prompt suggestion submitted', {
				...createBasePayload(context),
				suggestion_id: context.suggestionId,
				suggestion_kind: context.suggestionKind,
				position: context.position,
				prompt_modified: context.promptModified,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4a81c560d8a227d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/useResponseFeedback.ts:116
			telemetry.track('User rated workflow generation', {
				thread_id: threadId,
				response_id: responseId,
				helpful: payload.rating === 'up',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efd61a7f6477f0ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/useResponseFeedback.ts:128
			telemetry.track('User submitted workflow generation feedback', {
				thread_id: threadId,
				response_id: responseId,
				feedback: payload.feedback,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #416938f7bdc722db Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:141
		telemetry.track('Instance AI workflow setup step shown', getStepTelemetryPayload(step));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #418a88d89e6f2f0b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:152
		telemetry.track(
			'Instance AI workflow setup step handled',
			getStepTelemetryPayload(step, outcome),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9e6327a576a1b1f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/workflowSetup/composables/useWorkflowSetupTelemetry.ts:198
		telemetry.track('User finished providing input', {
			...getSetupTelemetryContext(),
			provided_inputs: provided,
			skipped_inputs: skipped,
			explicitly_skipped_inputs: explicitlySkipped,
			num_tasks: deps.sections.value.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cfb993ca6b78f2e6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/mcpAccess/composables/useMcp.ts:7
		telemetry.track('User gave MCP access to workflow', { workflow_id: workflowId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4760ec7573f0a3d4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ai/mcpAccess/composables/useMcp.ts:11
		telemetry.track('User toggled MCP access', { state: enabled });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6d0b2b46103c71f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:142
			telemetry.track('User deleted data table column', {
				column_id: columnId,
				column_type: columnToDelete.cellDataType,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #524737c729fdb6fc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:181
			telemetry.track('User renamed data table column', {
				column_id: columnId,
				column_type: columnToRename.cellDataType,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b6f49b396849b120 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:212
			telemetry.track('User added data table column', {
				column_id: newColumn.id,
				column_type: newColumn.type,
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eee9596b0646d687 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:266
			telemetry.track('User added row to data table', {
				data_table_id: dataTableId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #72ed616794f2f748 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:302
			telemetry.track('User edited data table content', {
				data_table_id: dataTableId,
				column_id: colDef.colId,
				column_type: colDef.cellDataType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3d3270ab19590c7c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/core/dataTable/composables/useDataTableOperations.ts:379
			telemetry.track('User deleted rows in data table', {
				data_table_id: dataTableId,
				deleted_row_count: idsToDelete.length,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #37d0d9e129534c1a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/composables/useCredentialOAuth.ts:339
			telemetry.track('User created credentials', {
				credential_type: credential.type,
				credential_id: credential.id,
				workflow_id: workflowsStore.workflowId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ada7e2dd295fe3ef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/composables/useCredentialOAuth.ts:372
		telemetry.track('User saved credentials', trackProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #141cc60006ce4904 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/credentials/quickConnect/composables/useQuickConnect.ts:150
		telemetry.track('User clicked quick connect button', {
			source,
			credential_type: credentialTypeName,
			node_type: nodeType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #652867f6a2a18932 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionDebugging.ts:154
		telemetry.track('User clicked debug execution button', {
			instance_id: useRootStore().instanceId,
			exec_status: isFullExecutionResponse(execution) ? execution.status : '',
			override_pinned_data: pinnableNodes.length === pinnings,
			all_exec_data_imported: missingNodeNames.length === 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3bb5f327e7578442 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionHelpers.ts:116
		telemetry.track(
			metadata.parentExecution
				? 'User clicked parent execution button'
				: 'User clicked inspect sub-workflow',
			{
				view,
			},
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #704786d37cf8486a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionPreviewDocument.ts:261
			telemetry.track('User opened read-only execution', {
				workflow_id: data.workflowData.id,
				execution_mode: data.mode,
				execution_finished: data.finished,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bf59781a45e0b40a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/executions/composables/useExecutionRedaction.ts:35
		telemetry.track('User clicked reveal data', {
			workflow_id: workflowDocumentStore.value.workflowId,
			execution_id: workflowExecutionStateStore.value.activeExecution?.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #67d985813bfd45ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:72
			telemetry.track('User toggled log view', { new_state: 'attached' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e44fc6c28142f7cb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:86
		telemetry.track('User toggled log view', {
			new_state: wasOpen ? 'collapsed' : 'attached',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d8b82cc1b29464b1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsPanelLayout.ts:92
		telemetry.track('User toggled log view', { new_state: 'floating' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3bd715c0d5515bf2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsSelection.ts:66
				telemetry.track('User selected node in log view', {
					node_type: value.node.type,
					node_id: value.node.id,
					execution_id: execution.value?.id,
					workflow_id: execution.value?.workflowData.id,
					subworkflow_depth: getDepth(value),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dd66acd825845df5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/execution/logs/composables/useLogsSelection.ts:74
				telemetry.track('User selected canvas group in log view', {
					group_id: value.group.id,
					node_count: value.group.nodeIds.length,
					execution_id: execution.value?.id,
					workflow_id: execution.value?.workflowData.id,
					subworkflow_depth: getDepth(value),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #611d6a6fe832e613 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/integrations/sourceControl.ee/sourceControl.utils.ts:63
					telemetry.track('User clicked review variables');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #43a1ced177755e96 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/integrations/sourceControl.ee/sourceControl.utils.ts:86
					telemetry.track('User clicked review credentials');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a391de997d8ff801 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:678
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b0e8d91e9ea95744 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:748
		const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c46dede20fd8a6ac Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/components/VirtualSchema.test.ts:1101
			const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4a298b7ad4c779bb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/runData/schemaPreview.store.ts:67
		telemetry.track('User executed node with schema preview', {
			node_id: id,
			node_type: type,
			node_version: typeVersion,
			node_resource: resource,
			node_operation: operation,
			schema_preview: JSON.stringify(result.result),
			output_schema: JSON.stringify(generateJsonSchema(pushEvent.data.data?.main?.[0]?.[0]?.json)),
			workflow_id: workflowId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #96b5245b3ffdf450 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/ndv/shared/ndv.utils.ts:29
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a31b084ce930bfbd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/roles/composables/useRolesListActions.ts:57
			telemetry.track('User duplicated role', {
				role_id: item.slug,
				role_name: item.displayName,
				permissions: item.scopes,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f239c68ece585ba0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/settings/communityNodes/composables/useInstallNode.ts:68
			telemetry.track('user started cnr package install', {
				input_string: props.packageName,
				has_quick_connect: props.telemetry.hasQuickConnect,
				source: props.telemetry.source,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7d36703603ecdc89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/settings/sso/provisioning/composables/useUserRoleProvisioningForm.ts:111
		telemetry.track('User updated provisioning settings', {
			instance_id: useRootStore().instanceId,
			authentication_method: protocol,
			assignment_method: getTelemetryAssignmentMethod(roleAssignment.value),
			role_mapping_method: getTelemetryRoleMappingMethod(mappingMethod.value),
			instance_rule_count: ruleSaveResult?.instanceRuleCount ?? 0,
			project_rule_count: ruleSaveResult?.projectRuleCount ?? 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #af975665c76aa085 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/setupPanel/setupPanel.store.ts:11
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ab120c2da7a6ff5d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useCommandBar.ts:245
		telemetry.track('User executed command bar command', {
			command_id: item.id,
			command_section: item.section,
			view,
			parent_command_id: parentItem?.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ef322ac52621c3fb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useExecutionCommands.ts:163
			telemetry.track('User clicked retry execution button', {
				workflow_id: workflowId.value,
				execution_id: activeExecution.value.id,
				retry_type: loadWorkflow ? 'current' : 'original',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a77541b86740eafd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/commandBar/composables/useWorkflowCommands.ts:368
					telemetry.track('User exported workflow', { workflow_id: workflowData.id });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c6ab9cea62aee57c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/editors/plugins/codemirror/resolvableHighlighter.ts:6
import { captureException } from '@sentry/vue';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8c5fdb153abcc6d0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/nodeCreator/composables/useActionsGeneration.test.ts:37
		posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7529659d29b6779d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/shared/nodeCreator/nodeCreator.store.ts:342
		telemetry.track(event, {
			...properties,
			nodes_panel_session_id: nodePanelSessionId.value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f356b851783340ae Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:36
			telemetry.track('User grouped nodes', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ca248e400fce891b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:39
			telemetry.track('User ungrouped nodes', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0c68855697881c83 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:42
			telemetry.track('User collapsed group', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a8b4542c7973b09d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/composables/useCanvasNodeGroupTelemetry.ts:45
			telemetry.track('User expanded group', buildProperties(group, source));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a08d53b4fb1ce81a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/canvas/experimental/experimentalNdv.store.ts:18
	const postHogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8b683b406bd8b92d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:119
		telemetry.track('User executed ready to run AI workflow', {
			status,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e96ac3a63467f6e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:125
		telemetry.track('User executed ready to run AI workflow successfully');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2e5b7d0271cc1fa6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:136
			telemetry.track('User claimed OpenAI credits');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cc24658e43d7e52c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/readyToRun/stores/readyToRun.store.ts:153
		telemetry.track('User opened ready to run AI workflow', {
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2f8ea330ee22b26f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:22
	const posthogStore = usePostHog();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e7c9a9026d3c9f9a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:49
		telemetry.track('User viewed template detail', {
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a5de3d0855b32a9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/recommendations/recommendedTemplates.store.ts:55
		telemetry.track('User viewed template cell', {
			tileNumber,
			templateId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7ed64a7cb464ff97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:159
		telemetry.track('User closed cred setup', {
			completed: false,
			creds_filled: 0,
			creds_needed: credentialUsages.value.length,
			workflow_id: null,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6b9edc88073d9cb1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:196
			telemetry.track('User closed cred setup', {
				completed: true,
				creds_filled: numFilledCredentials.value,
				creds_needed: credentialUsages.value.length,
				workflow_id: createdWorkflow.id,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9f05d3baecfab2e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:203
			telemetry.track('User inserted workflow template', {
				source: 'workflow',
				template_id: tryToParseNumber(templateId.value),
				wf_template_repo_session_id: templatesStore.currentSessionId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #52ccfb1ff2964645 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/setupTemplate.store.ts:209
			telemetry.track('User saved new workflow from template', {
				template_id: tryToParseNumber(templateId.value),
				workflow_id: createdWorkflow.id,
				wf_template_repo_session_id: templatesStore.currentSessionId,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2a70ff823295370d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/frontend/editor-ui/src/features/workflows/templates/utils/templateActions.ts:81
	telemetry.track('User opened cred setup', { source });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 11 low-confidence finding(s)
low env_fs production #31fc31edf490660e Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2eba0466594b0f2 Environment-variable access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:8
	process.env.NODE_POPULARITY_ENDPOINT ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e628ca5812c1bbe Environment-variable access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:10
const FAIL_ON_ERROR = process.env.N8N_FAIL_ON_POPULARITY_FETCH_ERROR === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d1456e3c6bdae4b Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:44
		const content = await fs.readFile(OUTPUT_FILE, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7af26227af50ecdb Filesystem access.
repo/packages/frontend/editor-ui/scripts/fetch-node-popularity.mjs:54
	await fs.writeFile(OUTPUT_FILE, JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37c2b7b7ba8c220b Environment-variable access.
repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:24
	server.urlPrefix = process.env.API_URL || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #f58f32121b16f200 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration. Test harness — not production egress.
repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:35 · flow /tmp/closeopen-eiu3royx/repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/frontend/editor-ui/src/__tests__/server/index.ts:35
	server.post('/rest/:any', async () => ({}));

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #69ca1b046086c97b Environment-variable access.
repo/packages/frontend/editor-ui/src/__tests__/setup.ts:86
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #43b76e0649bdb614 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/frontend/editor-ui/src/app/api/workflow-webhooks.ts:13
	return await post(N8N_API_BASE_URL, CONTACT_EMAIL_SUBMISSION_ENDPOINT, {
		instance_id: instanceId,
		user_id: `${instanceId}#${currentUser.id}`,
		email,
		agree,
		agree_updates: true,
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #f33cd86b89d1ed11 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/frontend/editor-ui/src/app/composables/useBugReporting.ts:31
		const url = new URL(BASE_FORUM_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #720ab95e5d40cb5a Filesystem access.
repo/packages/frontend/editor-ui/src/features/ai/instanceAi/__tests__/InstanceAiPreviewTabBar.test.ts:139
		const source = readFileSync(
			'src/features/ai/instanceAi/components/InstanceAiPreviewTabBar.vue',
			'utf8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/cli

npm first-party
high pii_flow production #a74dbf9178e418fc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/license/license.service.ts:71 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/license/license.service.ts:78 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/license/license.service.ts:71
		await this.http.request({
			url: 'https://enterprise.n8n.io/enterprise-trial',
			method: 'POST',
			body: {
				licenseType: 'enterprise',
				firstName: user.firstName,
				lastName: user.lastName,
				email: user.email,
				instanceUrl: this.urlService.getWebhookBaseUrl(),
			},
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #48490654f9ae2954 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:172 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/agents/integrations/integration-action-executor.ts:174
		const sent = await thread.post(await this.toPostable(params.descriptor, input.message, params));

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #33b38584ddd5c98b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:283 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/external-secrets.ee/providers/infisical.ts:277
		return await this.http.request({
			url: '/api/v4/secrets',
			method: 'GET',
			qs: {
				projectId: this.settings.projectId,
				environment: this.settings.environment,
				secretPath: this.settings.secretPath,
			},
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #632f3f91ecfea4d7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:33
		const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #d65e37e7ae80c1cd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:81
		const res = await fetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS), headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e0c4ce956188abbc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:380 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-webhook.ee.ts:401
			const requestResponse = await this.outboundHttp
				.requests({ ssrf: 'disabled' }) // The destination URL is admin-configured, so SSRF protection is disabled.
				.request(request);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a47e17208854b692 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/cli/src/oauth/oauth.service.ts:1096 · flow /tmp/closeopen-eiu3royx/repo/packages/cli/src/oauth/oauth.service.ts:1067 → /tmp/closeopen-eiu3royx/repo/packages/cli/src/oauth/oauth.service.ts:1096
		const registerResult = await this.http.request({
			url: registration_endpoint,
			method: 'POST',
			body: registerPayload,
			json: true,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #b5fd3473c4771a51 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/concurrency/concurrency-control.service.ts:138
				this.telemetry.track('User hit concurrency limit', {
					threshold: CLOUD_TEMP_PRODUCTION_LIMIT - capacity,
					concurrencyQueue: type,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #b0afd0a3938ff003 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:17
		expect(maskIp(input)).toBe(expected);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #87aa8e8d58d62a13 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:36
		setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'GET' }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #a050624618a87631 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:45
		setPostHogProxyHeaders(proxyReq, createReq({ method: 'GET' }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #72592a88c05fc22c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/posthog.controller.test.ts:54
		setPostHogProxyHeaders(proxyReq, createReq({ ip: '203.0.113.7', method: 'POST', rawBody }));

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #8976a02ce78bfca4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/controllers/__tests__/telemetry.controller.test.ts:122
		await controller.track(req, res, next);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d63d8ef9717d1a22 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/evaluation-collection.service.ts:187
		this.telemetry.track('Eval collection created', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collection.id,
			evaluation_config_id: input.evaluationConfigId,
			version_count: input.versions.length,
			existing_run_count: existingRunIds.length,
			new_run_count: runsStartedIds.length,
			dataset_id: this.extractDatasetId(config),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3490e513d6fab656 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/evaluation-collection.service.ts:264
		this.telemetry.track('Eval collection deleted', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collectionId,
			runs_unlinked: runsUnlinked,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cde48443ef3c3e9c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/insights/eval-insights.service.ts:143
		this.telemetry.track('Eval collection insights generated', {
			user_id: user.id,
			workflow_id: workflowId,
			collection_id: collectionId,
			model_used: response.modelUsed,
			duration_ms: Date.now() - startMs,
			status: response.status,
			regressions_found: response.insights.regressions.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #532a8bf1f17e1ba1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:736
			this.telemetry.track('User ran test', {
				user_id: user.id,
				run_id: testRun.id,
				workflow_id: workflowId,
				run_type: runType,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bdc5888ecc7fbe97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:1201
			this.telemetry.track('Test run finished', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efb5eee0f9b140d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runs.controller.ee.ts:107
		this.telemetry.track('User deleted a run', { run_id: testRunId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #753ad0393990003c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/evaluation.ee/test-runs.controller.ee.ts:145
		this.telemetry.track('User cancelled a test case', {
			run_id: req.params.id,
			case_id: caseId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bf88e521060e14f7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:224
		this.telemetry.track('Instance AI mcp connected', {
			user_id: userId,
			server_slug: serverSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #867ccd097d3dab46 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:234
		this.telemetry.track('Instance AI mcp disconnected', {
			user_id: userId,
			server_slug: serverSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ded8fa8c58443ba7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:253
		this.telemetry.track('Project settings updated', {
			user_id: userId,
			role,
			project_id: projectId,
			members: members?.map(({ userId: user_id, role }) => ({ user_id, role })),
			otel_project_custom_tags_count: otelProjectCustomTagsCount,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c91f8d27cfe9f1eb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:269
		this.telemetry.track('User deleted project', {
			user_id: userId,
			role,
			project_id: projectId,
			removal_type: removalType,
			target_project_id: targetProjectId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2c645505e13e10fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:279
		this.telemetry.track('User created project', {
			user_id: userId,
			role,
			uiContext,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eb0abd63eb30637b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:297
		this.telemetry.track('User updated source control settings', {
			branch_name: branchName,
			read_only_instance: readOnlyInstance,
			repo_type: repoType,
			connected,
			connection_type: connectionType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #86441a2e8034f682 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:312
		this.telemetry.track('User started pull via UI', {
			user_id: userId,
			workflow_updates: workflowUpdates,
			workflow_conflicts: workflowConflicts,
			cred_conflicts: credConflicts,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #04b7d62903674bba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:324
		this.telemetry.track('User finished pull via UI', {
			user_id: userId,
			workflow_updates: workflowUpdates,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d9b7cd1b925c6837 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:334
		this.telemetry.track('User pulled via API', {
			workflow_updates: workflowUpdates,
			forced,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #62b76ec6c49f1592 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:348
		this.telemetry.track('User started push via UI', {
			user_id: userId,
			workflows_eligible: workflowsEligible,
			workflows_eligible_with_conflicts: workflowsEligibleWithConflicts,
			creds_eligible: credsEligible,
			creds_eligible_with_conflicts: credsEligibleWithConflicts,
			variables_eligible: variablesEligible,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #01edf43edcf225b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:365
		this.telemetry.track('User finished push via UI', {
			user_id: userId,
			workflows_eligible: workflowsEligible,
			workflows_pushed: workflowsPushed,
			creds_pushed: credsPushed,
			variables_pushed: variablesPushed,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1dddc3b3bac31c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:379
		this.telemetry.track('Instance attempted to refresh license', {
			success,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7a35fc3628da474b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:389
		this.telemetry.track('User registered for license community plus', {
			user_id: userId,
			email,
			licenseKey,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #54a77a1eb77acfef Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:401
		this.telemetry.track('User created variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4b998e11155ba1e8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:408
		this.telemetry.track('User updated variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #189ea6a75a0e48fc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:415
		this.telemetry.track('User deleted variable', {
			user_id: user.id,
			...(projectId && { project_id: projectId }),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5be8660ea66ea049 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:432
		this.telemetry.track('User updated external secrets settings', {
			user_id: userId,
			vault_type: vaultType,
			is_valid: isValid,
			is_new: isNew,
			error_message: errorMessage,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e07f1b259cde1163 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:444
		this.telemetry.track('User reloaded external secrets', {
			vault_type: vaultType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0fd604744fe0f2f8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:455
		this.telemetry.track('User created external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ad51134238007112 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:470
		this.telemetry.track('User updated external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a5d01c697ca23653 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:485
		this.telemetry.track('User deleted external secrets connection', {
			user_id: userId,
			user_role: userRole,
			vault_type: vaultType,
			scope: projects.length === 0 ? 'global' : 'project',
			project_ids: projects.map((project) => project.id),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #190a0e574656cd0e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:498
		this.telemetry.track('User toggled external secrets system roles', {
			user_id: userId,
			enabled,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a7207a7384ae2a98 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:527
		this.telemetry.track('API key created', {
			user_id: user.id,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b6f8f5a1fa79be26 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:536
		this.telemetry.track('API key deleted', {
			user_id: user.id,
			public_api: publicApi,
			is_own: isOwn,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #647588f45d7e7739 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:546
		this.telemetry.track('API key rotated', {
			user_id: user.id,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0ec4f0baa933317f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:567
		this.telemetry.track('cnr package install finished', {
			user_id: user.id,
			input_string: inputString,
			package_name: packageName,
			success,
			package_version: packageVersion,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
			failure_reason: failureReason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0a367a0977cfdf78 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:589
		this.telemetry.track('cnr package updated', {
			user_id: user.id,
			package_name: packageName,
			package_version_current: packageVersionCurrent,
			package_version_new: packageVersionNew,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #58a8c6dc96352e7a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:608
		this.telemetry.track('cnr package deleted', {
			user_id: user.id,
			package_name: packageName,
			package_version: packageVersion,
			package_node_names: packageNodeNames,
			package_author: packageAuthor,
			package_author_email: packageAuthorEmail,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c741bc40e51958d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:635
		this.telemetry.track('User created credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			project_id: projectId,
			project_type: projectType,
			uiContext,
			is_private: isDynamic ?? false,
			uses_external_secrets: usesExternalSecrets ?? false,
			jwe_enabled: jweEnabled ?? false,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ee46323ec4474050 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:659
		this.telemetry.track('User updated cred sharing', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			user_id_sharer: userIdSharer,
			user_ids_sharees_added: userIdsShareesAdded,
			sharees_removed: shareesRemoved,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #563e7c012d09157f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:680
		this.telemetry.track('User updated credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			is_private: isDynamic ?? false,
			uses_external_secrets: usesExternalSecrets ?? false,
			jwe_enabled: jweEnabled ?? false,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3d7aeda9190cba3d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:698
		this.telemetry.track('User deleted credentials', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5ee9a5a979dc3248 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:711
		this.telemetry.track('User disconnected own credential connection', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #12ef27d1049759ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:726
		this.telemetry.track('User created end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			project_id: projectId,
			project_type: projectType,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #21c7323d525a0d62 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:741
		this.telemetry.track('User made credential end-user', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #74d22f7b5949648f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:754
		this.telemetry.track('User made credential fixed', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #adc92544aca64f60 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:767
		this.telemetry.track('User cleared end-user credential connections', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #80bbb59ed3d91c39 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:780
		this.telemetry.track('User deleted end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6fc4f39a072d193b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:795
		this.telemetry.track('User connected to end-user credential', {
			user_id: user.id,
			user_role: user.role?.slug,
			credential_type: credentialType,
			credential_id: credentialId,
			credential_supports_managed_auth: supportsManagedAuth ?? false,
			credential_uses_managed_auth: usesManagedAuth ?? false,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0d72cf44bb79aa1a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:815
		this.telemetry.track('Ldap general sync finished', {
			type,
			succeeded,
			users_synced: usersSynced,
			error,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #970f316de6a5d51c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:837
		this.telemetry.track('User updated Ldap settings', {
			user_id: userId,
			loginIdAttribute,
			firstNameAttribute,
			lastNameAttribute,
			emailAttribute,
			ldapIdAttribute,
			searchPageSize,
			searchTimeout,
			synchronizationEnabled,
			synchronizationInterval,
			loginLabel,
			loginEnabled,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5dbdd08837d352b4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:854
		this.telemetry.track('Ldap login sync failed', { error });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3ef76b17122b49df Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:860
		this.telemetry.track('User login failed since ldap disabled', { user_ud: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b11d9c3ed62d8c7f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:872
		this.telemetry.track('Sso user project access update', {
			user_id: userId,
			projects_removed: projectsRemoved,
			projects_added: projectsAdded,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d7ab8e858795812e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:883
		this.telemetry.track('Sso user instance role update', { user_id: userId, role });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6ff9e5a39c484ace Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:901
		this.telemetry.track('User created workflow', {
			user_id: user.id,
			workflow_id: workflow.id,
			node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
			public_api: publicApi,
			project_id: projectId,
			project_type: projectType,
			meta: JSON.stringify(workflow.meta),
			otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
			otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
			otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
			uiContext,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #966a542867c6eb12 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:918
		this.telemetry.track('User archived workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7710aa966d1edabb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:930
		this.telemetry.track('User unarchived workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #751038447719b20b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:938
		this.telemetry.track('User deleted workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ed672220f53ddb47 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:997
		this.telemetry.track('User activated workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
			source,
			private_credentials_count: privateCredentialsCount,
			private_credential_types: privateCredentialTypes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f6308e93ada18d5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1014
		this.telemetry.track('User deactivated workflow', {
			user_id: user.id,
			workflow_id: workflowId,
			public_api: publicApi,
			deactivated_version_id: deactivatedVersionId,
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3792ceafd80b995e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1028
		this.telemetry.track('User updated workflow sharing', {
			workflow_id: workflowId,
			user_id_sharer: userIdSharer,
			user_id_list: userIdList,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #986dc5489b972f38 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1036
		this.telemetry.track('User imported n8n package', {
			user_id: user.id,
			workflow_conflict_policy: options.workflowConflictPolicy,
			workflow_id_policy: options.workflowIdPolicy,
			credential_matching_mode: options.credentialMatchingMode,
			credential_missing_mode: options.credentialMissingMode,
			workflow_publishing_policy: options.workflowPublishingPolicy,
			workflows_created: counts.workflows.created,
			workflows_updated: counts.workflows.updated,
			workflows_skipped: counts.workflows.skipped,
			credentials_matched: counts.credentials.matched,
			credentials_created: counts.credentials.created,
			credentials_required: counts.credentials.requirements,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ed8f3dc17b73e536 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1053
		this.telemetry.track('User exported n8n package', {
			user_id: user.id,
			workflow_count: counts.workflows,
			folder_count: counts.folders,
			credential_count: counts.credentials,
			data_table_count: counts.dataTables,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eba96912c2270feb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1069
		this.telemetry.track('User package export failed', {
			user_id: user.id,
			reason,
			workflow_count: workflowIds?.length ?? 0,
			folder_count: folderIds?.length ?? 0,
			project_count: projectIds?.length ?? 0,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #21f27bba43d19237 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1079
		this.telemetry.track('User package import failed', {
			user_id: user.id,
			reason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #904d32662c4fdc94 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1163
		this.telemetry.track('User saved workflow', {
			user_id: user.id,
			workflow_id: workflow.id,
			node_graph_string: limitNodeGraphStringSize(JSON.stringify(nodeGraph)),
			notes_count_overlapping: overlappingCount,
			notes_count_non_overlapping: notesCount - overlappingCount,
			version_cli: N8N_VERSION,
			num_tags: workflow.tags?.length ?? 0,
			public_api: publicApi,
			sharing_role: userRole,
			meta: JSON.stringify(workflow.meta),
			workflow_edited_no_pos: workflowEditedNoPos,
			credential_edited: credentialEdited,
			ai_builder_assisted: aiBuilderAssisted ?? false,
			credential_resolver_id: credentialResolverId,
			identity_extractor_changed: identityExtractorChanged,
			redaction_policy: redactionPolicy,
			private_credentials_count: privateCredentialsCount,
			private_credential_types: privateCredentialTypes,
			otel_workflow_custom_tags_count: countWorkflowCustomTelemetryTags(workflow),
			otel_nodes_with_custom_tags_count: countNodesWithCustomTelemetryTags(workflow.nodes),
			otel_node_custom_tags_count: countNodeCustomTelemetryTags(workflow.nodes),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1b2802a8a07d09c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1259
					this.telemetry.track('User ran out of free AI credits');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #899cc0a0ee977b2e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1387
					this.telemetry.track('Manual node exec finished', telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #29fa64dead8a27d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1400
					this.telemetry.track('Manual workflow exec finished', manualExecEventProperties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dbfe3260908bbb70 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1549
		this.telemetry.track('Instance started', {
			...info,
			earliest_workflow_created: firstWorkflow?.createdAt,
			otel,
			settings_managed_by_env_vars: settingsManagedByEnvVars,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #36a283fb9a88409d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1632
		this.telemetry.track('Session started', { session_id: pushRef });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #28a59b7070e8c290 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1636
		this.telemetry.track('User instance stopped');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #21d06dc911543613 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1645
		this.telemetry.track('Owner finished instance setup', { user_id: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e414ece8d702f532 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1653
		this.telemetry.track('Workflow first prod success', {
			project_id: projectId,
			workflow_id: workflowId,
			user_id: userId ?? undefined,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #194a92c8e0ca7ce1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1665
		this.telemetry.track('Instance first prod failure', {
			project_id: projectId,
			workflow_id: workflowId,
			user_id: userId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #218b40b7f5062abb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1680
		this.telemetry.track('Workflow first data fetched', {
			user_id: userId,
			workflow_id: workflowId,
			node_type: nodeType,
			node_id: nodeId,
			credential_type: credentialType,
			credential_id: credentialId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #112b3c141bdc0f44 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1707
		this.telemetry.track('User changed role', {
			user_id: userId,
			target_user_id: targetUserId,
			target_user_new_role: targetUserNewRole,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0b294b224fc37c53 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1716
		this.telemetry.track('User retrieved user', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #37a236a9ae3273b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1723
		this.telemetry.track('User retrieved all users', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #baf8bb507c8dbbd4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1730
		this.telemetry.track('User retrieved execution', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #379dee38e63e3608 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1740
		this.telemetry.track('User retrieved all executions', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #079934393c2b6f52 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1747
		this.telemetry.track('User retrieved workflow', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4fa131cbba69552 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1757
		this.telemetry.track('User retrieved workflow version', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5615c93035b18204 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1767
		this.telemetry.track('User retrieved all workflows', {
			user_id: userId,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #81aa21c35fd1c6d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1782
		this.telemetry.track('User changed personal settings', {
			user_id: user.id,
			fields_changed: fieldsChanged,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b935325cce72130a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1796
		this.telemetry.track('User deleted user', {
			user_id: user.id,
			public_api: publicApi,
			target_user_old_status: targetUserOldStatus,
			migration_strategy: migrationStrategy,
			target_user_id: targetUserId,
			migration_user_id: migrationUserId,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e9255eb0faebe3e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1820
		this.telemetry.track('User invited new user', {
			user_id: user.id,
			target_user_id: targetUserId,
			public_api: publicApi,
			email_sent: emailSent,
			invitee_role: inviteeRole,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e22bbca3bba135ad Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1847
		this.telemetry.track('User signed up', payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bbb5da75215cedf3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1862
		this.telemetry.track('User responded to personalization questions', personalizationSurveyData);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #df7a41651a88fda2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1870
		this.telemetry.track('Instance failed to send transactional email to user', {
			user_id: user.id,
			message_type: messageType,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5bf8c17b57e7d818 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1882
		this.telemetry.track('User sent transactional email', {
			user_id: userId,
			message_type: messageType,
			public_api: publicApi,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6f4699da10a06b48 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1981
		this.telemetry.track('User clicked invite link from email', {
			user_id: invitee.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #43c2061235f18534 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1987
		this.telemetry.track('User clicked password reset link from email', {
			user_id: user.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9aedcc7f31e25246 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:1995
		this.telemetry.track('User requested password reset while logged out', {
			user_id: user.id,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f571bcd88817df79 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2012
		this.telemetry.track('Instance compacted workflow history', {
			workflows_processed: workflowsProcessed,
			total_versions_seen: totalVersionsSeen,
			total_versions_deleted: totalVersionsDeleted,
			window_start_iso: new Date(windowStartIso),
			window_end_iso: new Date(windowEndIso),
			error_count: errorCount,
			compaction_start_time_iso: compactionStartTime,
			compaction_duration_ms: durationMs,
			compaction_batch_delay_ms: this.globalConfig.workflowHistoryCompaction.batchDelayMs,
			compaction_batch_size: this.globalConfig.workflowHistoryCompaction.batchSize,
			compaction_trimming_optimizing_time_window_hours:
				this.globalConfig.workflowHistoryCompaction.optimizingTimeWindowHours,
			compaction_trimming_time_window_days:
				this.globalConfig.workflowHistoryCompaction.trimmingTimeWindowDays,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ef42f184391cff39 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2038
		this.telemetry.track('User updated instance policies', {
			user_id: user.id,
			[settingName]: value,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #886127ecc72a31e2 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2050
		this.telemetry.track('User confirmed reveal data', {
			user_id: user.id,
			execution_id: executionId,
			workflow_id: workflowId,
			redaction_policy: redactionPolicy,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d41df3c1123e7074 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2063
		this.telemetry.track('User created custom role', {
			user_id: userId,
			role_slug: roleSlug,
			scopes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #82abf34cc22d2575 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2071
		this.telemetry.track('User updated custom role', {
			user_id: userId,
			role_slug: roleSlug,
			scopes,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1f8ca8ea96276f3a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2079
		this.telemetry.track('User deleted custom role', {
			user_id: userId,
			role_slug: roleSlug,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c119995b0324cda5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2094
		this.telemetry.track('User imported workflows via server cli', {
			active_state: activeState,
			workflow_count: workflowCount,
			separate,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5a456d743f17af82 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/events/relays/telemetry.event-relay.ts:2108
		this.telemetry.track('User exported workflows via server cli', {
			selector,
			published,
			separate,
			backup,
			workflow_count: workflowCount,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #698592b92e6ad20e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/data-table/data-table-size-validator.service.ts:62
			this.telemetry.track('User hit data table storage limit', {
				total_bytes: size.totalBytes,
				max_bytes: this.globalConfig.dataTable.maxSize,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5bc7c8ed12d9367c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/browser/instance-ai-browser-session.service.ts:224
		this.telemetry.track('Instance AI Browser connected', { user_id: userId });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #655e9f6cb6b12e36 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:108
			this.telemetry.track('Builder credits claimed', {
				instance_id: this.instanceSettings.instanceId,
				user_id: user.id,
				thread_id: threadId,
				agent_run_id: dedupeId,
				status,
				success: false,
				error_message: getErrorMessage(error),
				attempted_usage: usage,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #98f42d2099407881 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:176
		this.telemetry.track('Builder credits claimed', {
			instance_id: this.instanceSettings.instanceId,
			user_id: user.id,
			thread_id: threadId,
			agent_run_id: dedupeId,
			status,
			success: true,
			credits_used: delta,
			credits_claimed_total: creditsClaimed,
			credits_quota: creditsQuota,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dada2011fa499b85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-credit.service.ts:194
				this.telemetry.track('User exhausted assistant quota', {
					instance_id: this.instanceSettings.instanceId,
					user_id: user.id,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0919b43c5fe89c0f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-gateway.service.ts:81
		this.telemetry.track('User connected to Computer Use', {
			user_id: userId,
			tool_groups: data.toolCategories.filter((c) => c.enabled).map((c) => c.name),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7213372cfce47787 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:270
		this.telemetry.track('instance_ai_terminal_response_decision', {
			thread_id: threadId,
			run_id: runId,
			message_group_id: messageGroupId,
			source: 'terminal_guard',
			status: decision.status,
			action: decision.action,
			reason: decision.reason,
			visibility_source: decision.visibilitySource,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b281e438ee89bdc1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:398
					this.telemetry.track('instance_ai_terminal_response_decision', {
						thread_id: threadId,
						run_id: outcome.runId,
						message_group_id: outcome.messageGroupId,
						task_id: outcome.taskId,
						source: 'terminal_outcome_replay',
						status: outcome.status,
						action: published ? 'replay_event' : 'already-emitted',
						visibility_source: 'background-outcome',
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a878b47276737e60 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:433
			this.telemetry.track('instance_ai_terminal_response_decision', {
				thread_id: threadId,
				run_id: outcome.runId,
				message_group_id: outcome.messageGroupId,
				task_id: outcome.taskId,
				source: 'terminal_outcome_replay',
				status: outcome.status,
				action,
				visibility_source: 'background-outcome',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #858a1d11f018cbe5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:509
			this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
				thread_id: task.threadId,
				run_id: task.runId,
				task_id: task.taskId,
				status: outcome.status,
				phase: 'metadata',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #50c0fd029206c2e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:521
		this.telemetry.track('instance_ai_terminal_response_decision', {
			thread_id: task.threadId,
			run_id: task.runId,
			message_group_id: task.messageGroupId,
			task_id: task.taskId,
			source: 'background_outcome',
			status: outcome.status,
			action: published ? 'emit' : 'already-emitted',
			visibility_source: 'background-outcome',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #43b62ca48e1d1f6c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai-terminal-outcome.service.ts:542
			this.telemetry.track('instance_ai_terminal_outcome_persistence_failure', {
				thread_id: task.threadId,
				run_id: task.runId,
				task_id: task.taskId,
				status: outcome.status,
				phase: 'snapshot',
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #688ac957fa417bcb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:429
		this.telemetry.track('instance_ai_gateway_available', {
			nodeCount: config.nodes.length,
			credentialTypeCount: config.credentialTypes.length,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b30af85424dfc0b9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:605
					telemetry.track('Builder published workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
						executed_by: 'ai',
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #989ba6bd588d2774 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:778
					telemetry.track('Builder created workflow', {
						thread_id: threadId,
						workflow_id: updated.id,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #514cc480ebc3ee54 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:859
					telemetry.track('Builder modified workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6e0ff97eadf0b082 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:1155
					telemetry.track('Builder executed workflow', {
						thread_id: threadId,
						workflow_id: workflowId,
						executed_by: 'ai',
						pinned_node_count: Object.keys(runData.pinData ?? {}).length,
						exec_type: runData.executionMode,
						status,
						...(error ? { error } : {}),
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #add9f913f894bb51 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:1653
			this.telemetry?.track('instance_ai_workflow_verification_obligation', {
				event,
				thread_id: obligation.threadId,
				run_id: obligation.runId,
				task_id: obligation.taskId,
				planned_task_id: obligation.plannedTaskId,
				work_item_id: obligation.workItemId,
				workflow_id: obligation.workflowId,
				source: obligation.source,
				policy: obligation.policy,
				status: obligation.status,
				readiness_status: obligation.readiness?.status,
				setup_status: obligation.setupRequirement?.status,
				has_evidence: obligation.evidence?.attempted === true,
				evidence_success: obligation.evidence?.success,
				blocking_reason: obligation.blockingReason,
				...extra,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8588ee2bf401fe76 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:2038
			this.telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8dcf7a77def7f419 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:2055
				this.telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #17a26d26263e1671 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3324
					this.telemetry.track('Builder sent message', {
						thread_id: threadId,
						message: intermediateText,
						is_intermediate: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #469627b72cb4736b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3488
				this.telemetry.track('Builder sent message', {
					thread_id: threadId,
					message: outputText,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #429ce22e20c633f6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3492
				this.telemetry.track('Builder satisfied user intent', {
					thread_id: threadId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e94ab158e9fb995d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4461
					this.telemetry.track('Builder sent message', {
						thread_id: opts.threadId,
						message: intermediateText,
						is_intermediate: true,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #14bade6fe61b182d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4621
				this.telemetry.track('Builder sent message', {
					thread_id: opts.threadId,
					message: outputText,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #00a650da042c41a1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:4625
				this.telemetry.track('Builder satisfied user intent', {
					thread_id: opts.threadId,
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5f4d9a3b853b2fa9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5059
		this.telemetry.track('Builder asked for input', {
			thread_id: threadId,
			input_thread_id: inputThreadId,
			type,
			num_steps: numSteps,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #73727a2b1c75aab8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5145
		this.telemetry.track('instance_ai_run_finished', {
			thread_id: threadId,
			run_id: runId,
			status: effectiveStatus,
			...(userId ? { user_id: userId } : {}),
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9a28d2ac5756fd2d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5152
			this.telemetry.track('Builder generation errored', {
				thread_id: threadId,
				run_id: runId,
				error_message: errorInfo?.errorMessage ?? reason ?? 'unknown',
				...(errorInfo?.errorSource ? { error_source: errorInfo.errorSource } : {}),
				...(userId ? { user_id: userId } : {}),
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6d7dda619a5b5139 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:5413
			this.telemetry.track('Instance AI mcp tool called', {
				user_id: userId,
				server_slug: serverSlug,
				tool_name: toolName,
				success,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #18ecf63945a16a98 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/log-streaming.ee/destinations/message-event-bus-destination-sentry.ee.ts:1
import * as Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #066a601a22f06362 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp-server-middleware.service.ts:139
		this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #878a137a2723ff0a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp.controller.ts:216
		this.telemetry.track(USER_CONNECTED_TO_MCP_EVENT, payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #87621acc0d630699 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/mcp.service.ts:509
					this.telemetry.track(MCP_PREVIEW_RENDER_REQUESTED_EVENT, {
						user_id: user.id,
						client_name: clientInfo?.name,
						client_version: clientInfo?.version,
					});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a6263d48ff721042 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-column.tool.ts:74
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #14d863184dd7c5e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-column.tool.ts:83
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6afc40a748d7c166 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-rows.tool.ts:76
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1900e34d9dbedffa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/add-data-table-rows.tool.ts:88
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4f475bbddde3dbaa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/create-data-table.tool.ts:90
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e05dfe4a739f6c4f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/create-data-table.tool.ts:102
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #62e3cc0597ee861a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/delete-data-table-column.tool.ts:59
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f1734aaad0bc65fc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/delete-data-table-column.tool.ts:68
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8f8f9c29739b0449 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table-column.tool.ts:75
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4cc5fd8875aeaf5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table-column.tool.ts:84
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b3e62b24272a4692 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table.tool.ts:58
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #dacfa2905cc4171e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/rename-data-table.tool.ts:67
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e737979a1c137fab Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/search-data-tables.tool.ts:91
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #818943b782c674bf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/data-table/search-data-tables.tool.ts:104
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #612dc68155f6d16b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/execute-workflow.tool.ts:147
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8b051389a5ad440e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/execute-workflow.tool.ts:181
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1f4be9d78e1f512 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-execution.tool.ts:157
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #46cbbdac7500d76b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-execution.tool.ts:195
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5a706f7c5e531c45 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-details.tool.ts:87
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e6a84d4f1db720d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-details.tool.ts:99
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db9bcf73050aedda Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-history.tool.ts:102
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d09a26232486a741 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-history.tool.ts:125
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4d3e907f657ce7fa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-version.tool.ts:110
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #60dfadb906097f1d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/get-workflow-version.tool.ts:140
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec347c13d108c0a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-credentials.tool.ts:135
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #314680df147dcd82 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-credentials.tool.ts:147
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #07a148e920d87a64 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-tags.tool.ts:96
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #70fa2a716e5bb1a8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/list-tags.tool.ts:107
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a15ebb2b0d0ddaca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/prepare-workflow-pin-data.tool.ts:100
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fb756820513a93b8 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/prepare-workflow-pin-data.tool.ts:109
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2e7b5cee6605a64d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/publish-workflow.tool.ts:93
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b38742a113e44624 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/publish-workflow.tool.ts:115
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9cfadd1f3696f235 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-executions.tool.ts:150
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c8a480a38fdc941d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-executions.tool.ts:165
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #693171de374c48fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:75
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4dba1b1c22e9955 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:103
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e593df29d262b8a6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-folders.tool.ts:116
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0dbf22b7bbc1c799 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-projects.tool.ts:166
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #97e72fc2ec64459d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-projects.tool.ts:179
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a1dbb8a96f2df99f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-workflows.tool.ts:130
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d34ae55e90f3f3f9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/search-workflows.tool.ts:148
				telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0d356ffea0a2f625 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/test-workflow.tool.ts:112
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e3f1b2773d41fc03 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/test-workflow.tool.ts:136
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #720e91c7daa60906 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/unpublish-workflow.tool.ts:82
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9e9a34d93388932c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/unpublish-workflow.tool.ts:103
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4547ded65a997fca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/connection-structure-check.ts:174
	telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #84cec26d01084174 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:211
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #199993e5abd0c98f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:328
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #28ee7a4b0824928b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:389
					telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b38486cd95138155 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/create-workflow-from-code.tool.ts:416
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ad9004c225f1abcc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/delete-workflow.tool.ts:71
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #426eba48b1dcf7a4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/delete-workflow.tool.ts:90
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #25cdafdb8c381916 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/explore-node-resources.tool.ts:128
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #20e3ca24279f388c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/explore-node-resources.tool.ts:141
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #eeb84511d4afd1cb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-best-practices.tool.ts:140
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #005c824698f8d21a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-best-practices.tool.ts:151
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #529121f63b2b3495 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-node-types.tool.ts:68
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #421c14839966fef6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-node-types.tool.ts:79
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d970a2e4a1d0e362 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/get-workflow-sdk-reference.tool.ts:68
		telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4df1771351b8d189 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/restore-workflow-version.tool.ts:128
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4b6bc9ea5808ec04 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/restore-workflow-version.tool.ts:151
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ff3de36de03bcafc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/search-workflow-nodes.tool.ts:67
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d4f466f9a962ff2c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/search-workflow-nodes.tool.ts:78
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #00e954c0dd0964e3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/update-workflow.tool.ts:744
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #09910c8831df78f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/update-workflow.tool.ts:771
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #736b155eec325ce3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-node.tool.ts:133
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #531f981d92cdc567 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-node.tool.ts:148
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ebface3d0544011d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-workflow-code.tool.ts:104
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #36a96ebc744571b5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/modules/mcp/tools/workflow-builder/validate-workflow-code.tool.ts:126
			telemetry.track(USER_CALLED_MCP_TOOL_EVENT, telemetryPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #dd37cfe083b1ac97 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:5
import { PostHog } from 'posthog-node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #8c421debf5c4f857 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:52
		ph.track({
			userId: 'test',
			event: 'test',
			properties: {},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #a112ad9170dd819c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:72
		ph.track({
			userId,
			event,
			properties,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #71f396db2cddfca6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:89
		ph.track({
			userId: instanceId,
			event: 'Instance started',
			properties: { instance_id: instanceId },
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #630ef352603d3125 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/__tests__/posthog.test.ts:102
		ph.track({
			userId: '',
			event: 'Some event',
			properties: {},
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6e145f98fa0feff9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/posthog/index.ts:7
import type { PostHog, FeatureFlagEvaluations } from 'posthog-node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f9e94dc52bb6b5c7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/services/ai-workflow-builder.service.ts:122
			this.telemetry.track(event, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b7abdba1bb338e1a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/services/user.service.ts:173
			publicUser.featureFlags = await posthog.getFeatureFlags(publicUser);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #10200e391ff20f72 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:990
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #d5d590dad2767370 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1005
			telemetry.track('Test Event', { user_id: '1234' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #deed64fb6664babf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1021
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #52dcc007e6b2164b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1040
			telemetry.track(eventName, properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #88d796f5d1e58a7d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1052
			telemetry.track(eventName, {});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #9ba00ecaf32f749d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/__tests__/telemetry.test.ts:1064
			telemetry.track(eventName, {});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a7c10479d1ef3c94 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:232
				this.track('Public API usage', {
					user_id: userId,
					total_calls: entry.total_calls,
					first: entry.first,
					endpoints: JSON.stringify(entry.endpoints),
					user_agents: JSON.stringify(entry.user_agents),
				});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6990870f8654d260 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:260
		this.track('pulse', pulsePacket);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1d2bc4122882a86e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:278
			this.track('Workflow execution count', {
				event_version: '2',
				workflow_id: workflowId,
				...this.executionCountsBuffer[workflowId],
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d9bd6e3c123fbf49 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:302
			this.track('Agent execution count', {
				event_version: '1',
				agent_id,
				...(user_id ? { user_id } : {}),
				...counts,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d22638ddb8d9d3fb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:336
			this.track('Agent session metrics', {
				event_version: '1',
				agent_id: bucket.agent_id,
				...bucket.configuration,
				run_type: bucket.run_type,
				turn_status: bucket.turn_status,
				session_count: sessions.length,
				turn_count: turnCount,
				latency_ms_sum: latencyMsSum,
				cost_sum: costSum,
				tool_call_count_sum: toolCallCountSum,
				num_skills_sum: numSkillsSum,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #db732a91b6e8fb93 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:388
				this.track('Workflow execution with end-user credentials', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f4f7c7d936f26f64 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:396
				this.track('Workflow execution errored', properties);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8d54ed17e4388c11 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:594
		this.postHog?.track(payload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #900f19ade13e0b32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/cli/src/telemetry/index.ts:596
		return this.rudderStack.track(rudderStackPayload);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 677 low-confidence finding(s)
low env_fs production #801bb9f7bac05e92 Environment-variable access.
repo/packages/cli/bin/n8n:7
process.env.NODE_CONFIG_DIR = process.env.NODE_CONFIG_DIR || path.join(__dirname, 'config');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f817290bf64113d9 Environment-variable access.
repo/packages/cli/bin/n8n:38
if (process.env.E2E_TESTS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c464a81863c3e26 Environment-variable access.
repo/packages/cli/bin/n8n:48
if (process.env.NODEJS_PREFER_IPV4 === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1106bddca5252a1a Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:1
import { mkdir, readFile, readdir, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fe3616e2a66f40d Environment-variable access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:28
		process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e1d9c1d0ece0922 Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:51
				const contents = await readFile(join(dir, file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a9e91601b705aa4 Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:63
	const contents = await readFile(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea5f29cb012e9cf4 Filesystem access.
repo/packages/cli/scripts/agent-integration-recordings.mjs:73
	await writeFile(outputPath, `${JSON.stringify(records, null, 2)}\n`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5bf6eacbdf01970 Filesystem access.
repo/packages/cli/scripts/build.mjs:2
import { writeFileSync, existsSync, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb4454b00084430b Environment-variable access.
repo/packages/cli/scripts/build.mjs:15
const publicApiEnabled = process.env.N8N_PUBLIC_API_DISABLED !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77f8020c57d8c6a2 Filesystem access.
repo/packages/cli/scripts/build.mjs:110
	writeFileSync(path.resolve(ROOT_DIR, 'dist/timezones.json'), JSON.stringify({ data }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f687d69ab8c5d13 Filesystem access.
repo/packages/cli/scripts/bundle-agent-library.mjs:16
import { writeFileSync, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0045752bbf6e3cb Filesystem access.
repo/packages/cli/scripts/bundle-agent-library.mjs:71
	writeFileSync(OUTPUT_FILE, bundle, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e6548a876029667 Filesystem access.
repo/packages/cli/src/__tests__/external-hooks.test.ts:21
	const { mkdtempSync, writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2db88628958eb4f5 Filesystem access.
repo/packages/cli/src/__tests__/external-hooks.test.ts:28
	writeFileSync(
		p,
		'module.exports = { workflow: { create: [(...args) => globalThis.__extHookFn(...args)] } };',
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #78c080990919cedd Filesystem access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:4
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f27acf0fd8c8e22 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:47
	const originalNodePath = process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a503d5a7c6b486b0 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:56
			delete process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e8b31c93ebbdaab Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:58
			process.env.NODE_PATH = originalNodePath;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74b7820748c8d3ce Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:64
		process.env.NODE_PATH = existingPath;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2278146792c5b88 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:68
		process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24dc161629e2d753 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:72
		expect(process.env.NODE_PATH).toContain(existingPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c130b6094d7ec93f Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:73
		expect(process.env.NODE_PATH?.endsWith(existingPath)).toBe(true);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd97dcc41822e632 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:77
		delete process.env.NODE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #809ed086e1b8daa0 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:80
		process.env.NODE_PATH = [modulePaths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce5cdbb8fed91956 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:84
		expect(process.env.NODE_PATH).toBe(modulePaths.join(delimiter));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1236464a46e0d362 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:85
		expect(process.env.NODE_PATH).not.toContain('undefined');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c20cfc4cb45f145 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:215
			process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9309bf144627341 Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:235
			delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdcb3091287b0a2f Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:240
			delete process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dbd6eacb3580570e Environment-variable access.
repo/packages/cli/src/__tests__/load-nodes-and-credentials.test.ts:275
			process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f619ea30f3608d9 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:258
		delete process.env.ENABLE_OBSERVABILITY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #956eff802c3068c7 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:262
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df59d71c1052dacc Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:266
		process.env.ENABLE_OBSERVABILITY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1ae530d01137d34 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:270
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f18f281962e8de6 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:274
		process.env.ENABLE_OBSERVABILITY = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69d9111f66af61e4 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:278
		expect(process.env.ENABLE_OBSERVABILITY).toBe('false');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f53a97bb925ce10 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:282
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4716b5354ad351a Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:286
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #568b98075f4e03e4 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:290
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e941bff917da5be7 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:294
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf04a9539f65368d Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:298
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb0c4e94f6b77f82 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:302
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('false');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #217de74eddd311e9 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:306
		delete process.env.ENABLE_OBSERVABILITY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e4c3cfa2eaacdd8 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:307
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #531c730abd90bf6c Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:311
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd4174b713194f1a Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:312
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #256c94050f911110 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:316
		process.env.ENABLE_OBSERVABILITY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b1667fb1f9df99b Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:317
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f070ee78cd19937a Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:321
		expect(process.env.ENABLE_OBSERVABILITY).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d504b895b1453dc Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:322
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #845e21f83658d364 Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:326
		process.env.ENABLE_OBSERVABILITY = 'custom-value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b840ff6a6dc0bdff Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:327
		delete process.env.ENABLE_A365_OBSERVABILITY_EXPORTER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6ff084cf66b32fb Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:331
		expect(process.env.ENABLE_OBSERVABILITY).toBe('custom-value');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2120f5ea97d0ddbc Environment-variable access.
repo/packages/cli/src/__tests__/utils.test.ts:332
		expect(process.env.ENABLE_A365_OBSERVABILITY_EXPORTER).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc474185c40bd0ee Filesystem access.
repo/packages/cli/src/abstract-server.ts:8
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8358970f488f745f Filesystem access.
repo/packages/cli/src/abstract-server.ts:179
					key: await readFile(this.sslKey, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2892e98fc12be17 Filesystem access.
repo/packages/cli/src/abstract-server.ts:180
					cert: await readFile(this.sslCert, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02462794bea00553 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:212
				originalPreviewMode = process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4dcf431d5e5d02e0 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:221
					delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9290ae8ff3e604f1 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:223
					process.env.N8N_PREVIEW_MODE = originalPreviewMode;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b8af4a621b9b46f Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:228
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0bdcd89f052c90e Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:246
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a647365f343a06b8 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:264
				process.env.N8N_PREVIEW_MODE = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0444aa462d58bae3 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:282
				delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6276807ce9811de2 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:300
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28dfa311b7410251 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:321
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0933794c8145d533 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:485
				const originalPreviewMode = process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b27131028069d62 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:486
				process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4345c83227246d3f Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:507
					delete process.env.N8N_PREVIEW_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df40c816fa9ccef1 Environment-variable access.
repo/packages/cli/src/auth/__tests__/auth.service.test.ts:509
					process.env.N8N_PREVIEW_MODE = originalPreviewMode;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #525d59de593cc0ce Environment-variable access.
repo/packages/cli/src/auth/auth.service.ts:155
			const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f66cd51959fd9be1 Filesystem access.
repo/packages/cli/src/binary-data/__tests__/database.manager.integration.test.ts:294
		await writeFile(tempFilePath, buffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d8e10f7b3ede999 Filesystem access.
repo/packages/cli/src/binary-data/__tests__/database.manager.integration.test.ts:324
		await writeFile(tempFilePath, oversizedBuffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #601f2d599230c9d5 Filesystem access.
repo/packages/cli/src/binary-data/database.manager.ts:135
		const buffer = await readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7306c20ffd6cc573 Filesystem access.
repo/packages/cli/src/blob-storage/__tests__/fs-byte-store.integration.test.ts:58
		const onDisk = await fs.readFile(join(storagePath, 'a/b/c/blob.json'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20e3f2d5b431ac5e Filesystem access.
repo/packages/cli/src/blob-storage/fs-byte-store.ts:30
			await fs.writeFile(tempPath, body);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71e35b7d3308190f Filesystem access.
repo/packages/cli/src/blob-storage/fs-byte-store.ts:44
			return await fs.readFile(readPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca6e6ec70102e57e Environment-variable access.
repo/packages/cli/src/commands/base-command.ts:170
		if (process.env.EXECUTIONS_PROCESS === 'own') process.exit(-1);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6214d34ed11c6e6e Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d83a3a842c644340 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:246
				const contents = fs.readFileSync(flags.ids, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8862a7120f263acb Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:270
				const contents = fs.readFileSync(flags.skipList, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fda9e4de517d8c70 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:337
			fs.writeFileSync(flags.output, this.formatJsonOutput(results));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de7601aba78bf2ca Environment-variable access.
repo/packages/cli/src/commands/execute-batch.ts:534
		const output = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #738c87b7a08db54b Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:811
								const contents = fs.readFileSync(fileName, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9fe7ac843efec8d9 Filesystem access.
repo/packages/cli/src/commands/execute-batch.ts:854
							fs.writeFileSync(fileName, serializedData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3a6594add556c9b Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7d37a7d6fa91442 Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:148
				fs.writeFileSync(filename, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5047ee9f5fd893b Filesystem access.
repo/packages/cli/src/commands/export/credentials.ts:154
				fs.writeFileSync(flags.output, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4654f9dfb925252f Filesystem access.
repo/packages/cli/src/commands/export/nodes.ts:3
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd2905aa8c997607 Filesystem access.
repo/packages/cli/src/commands/export/nodes.ts:4
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15c66fce74cb5289 Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:5
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf8ef010e5f7defe Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:158
				fs.writeFileSync(filename, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63a3f4d78e5ca345 Filesystem access.
repo/packages/cli/src/commands/export/workflow.ts:164
				fs.writeFileSync(flags.output, fileContents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f948dfb0744f2ae8 Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:15
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deee916d378dd0ae Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:248
				jsonParse<Partial<CredentialsEntity>>(fs.readFileSync(file, { encoding: 'utf8' })),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fefa78055c16c831 Filesystem access.
repo/packages/cli/src/commands/import/credentials.ts:252
				fs.readFileSync(inputPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7878358e19c73448 Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:13
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #765c57a7c7788ec5 Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:253
				fs.readFileSync(path, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b943ee533732549e Filesystem access.
repo/packages/cli/src/commands/import/workflow.ts:269
			const workflow = jsonParse<IWorkflowToImport>(fs.readFileSync(file, { encoding: 'utf8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c309b78fb92008d Filesystem access.
repo/packages/cli/src/commands/start.ts:14
import { createReadStream, createWriteStream, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0472c3a1bcfe7378 Filesystem access.
repo/packages/cli/src/commands/start.ts:15
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65a754840cfc7e84 Environment-variable access.
repo/packages/cli/src/commands/start.ts:136
			environment: process.env.ENVIRONMENT || 'development',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9e8ef0d5a9b34ef Environment-variable access.
repo/packages/cli/src/commands/start.ts:137
			serverName: process.env.DEPLOYMENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48bc024d62e22d9f Environment-variable access.
repo/packages/cli/src/commands/start.ts:208
			if (process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3448c6f6de55f516 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:51
	const originalEvalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f02095398cd5b0d0 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:53
		process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e27212ba79517ba Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:56
		if (originalEvalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d95e14cafaa182e Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:57
		else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEvalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e47c906b46368da Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:221
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ebcfa0c8c30e1c4 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:226
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9143fab5ed5e82f1 Environment-variable access.
repo/packages/cli/src/concurrency/__tests__/concurrency-control.service.test.ts:297
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '-1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f92954f461e7a65b Filesystem access.
repo/packages/cli/src/config/index.ts:5
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d453c9085b6bafff Environment-variable access.
repo/packages/cli/src/config/index.ts:17
	process.env.EXTERNAL_FRONTEND_HOOKS_URLS = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb0a5022dcd51460 Environment-variable access.
repo/packages/cli/src/config/index.ts:18
	process.env.N8N_PERSONALIZATION_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #580d7d213e5cc324 Environment-variable access.
repo/packages/cli/src/config/index.ts:19
	process.env.N8N_AI_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a156de75f0efa7f Environment-variable access.
repo/packages/cli/src/config/index.ts:23
	process.env.SKIP_STATISTICS_EVENTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1964854791fc2d4f Environment-variable access.
repo/packages/cli/src/config/index.ts:25
	process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b428b9bf6ecf119d Filesystem access.
repo/packages/cli/src/config/index.ts:47
					value = readFileSync(fileName, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e4bbbafcd765c65 Filesystem access.
repo/packages/cli/src/constants.ts:2
import { readFileSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #835bdf41b6b9f42a Filesystem access.
repo/packages/cli/src/constants.ts:28
const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f9db4804d58b728 Filesystem access.
repo/packages/cli/src/constants.ts:30
	readFileSync(aiAssistantPackageJsonPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d64a1efbe9a40c4a Filesystem access.
repo/packages/cli/src/constants.ts:33
	readFileSync(workflowSdkPackageJsonPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc87fafefdfeb449 Environment-variable access.
repo/packages/cli/src/constants/workflow-reviews.ts:6
	return process.env[WORKFLOW_REVIEWS_ENV_FEATURE_FLAG] === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b5214ec324d8381 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:38
	const originalWorkflowReviewsFlag = process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bc283ee2577778a Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:43
		delete process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b31823d740dab200 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:49
			delete process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #466b756a078377f2 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:51
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = originalWorkflowReviewsFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6d6876192fa85aa Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:96
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5ab0cf169e44c89 Environment-variable access.
repo/packages/cli/src/controllers/__tests__/security-settings.controller.test.ts:154
			process.env.N8N_ENV_FEAT_WORKFLOW_REVIEWS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a945fa6cce405f9 Filesystem access.
repo/packages/cli/src/controllers/__tests__/translation.controller.test.ts:15
	const { mkdtempSync, writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0501890954af83ae Filesystem access.
repo/packages/cli/src/controllers/__tests__/translation.controller.test.ts:22
	writeFileSync(p, JSON.stringify({ translation: 'string' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65143cc01c2faa47 Filesystem access.
repo/packages/cli/src/controllers/instance-ai-examples.controller.ts:101
		const raw = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #232127d28e736d0e Filesystem access.
repo/packages/cli/src/controllers/third-party-licenses.controller.ts:3
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1716110262b126c2 Filesystem access.
repo/packages/cli/src/controllers/third-party-licenses.controller.ts:19
			const content = await readFile(licenseFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4168c51550eaf903 Filesystem access.
repo/packages/cli/src/controllers/translation.controller.ts:5
import { access } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20c1bfc305035d7b Filesystem access.
repo/packages/cli/src/crash-journal.ts:3
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d926f8bd56cd4bf8 Filesystem access.
repo/packages/cli/src/crash-journal.ts:4
import { mkdir, utimes, open, rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b146e1f744cf103 Environment-variable access.
repo/packages/cli/src/databases/repositories/__tests__/workflow-statistics.integration.test.ts:10
const runOnSqlite = (process.env.DB_TYPE ?? 'sqlite') === 'sqlite';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #deab332a41e73169 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:31
		const originalEnv = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc4e4cbfe52c7229 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:35
				process.env[envVar] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afa32de477c559fd Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:37
				delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2dc2d45d1427880 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:53
				process.env[envVar] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19b1da10631da5d5 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:55
				delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c149216ea5731d4 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:85
					process.env[envVar] = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b329e5b8f0018b52 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:108
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77a6c2ec1f56791c Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:124
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3a014af4a30d7ac Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:140
					process.env[envVar] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbb5486aa2c156ab Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:147
					process.env[envVar] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a7f7718c268d097 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:156
					delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75981d9f34eea51f Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:176
			delete process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #779045e70451b664 Environment-variable access.
repo/packages/cli/src/deprecation/__tests__/deprecation.service.test.ts:187
			process.env[envVar] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1097704f2e0d7edc Environment-variable access.
repo/packages/cli/src/deprecation/deprecation.service.ts:129
			const envValue = process.env[d.envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2edf7c8eeb36598 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:28
	const originalEnv = process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #595e28535b5f13c4 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:31
		if (originalEnv === undefined) delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb17636f5e5c5999 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:32
		else process.env[ENV_VAR] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #625d48abec39f60d Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:41
			process.env[ENV_VAR] = envValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ec4d99a4c41f585 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:52
			process.env[ENV_VAR] = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31e196c4aaf70343 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:66
			delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e48e0287c03c1f7a Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:96
			delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31866c9ba0b3da4b Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:135
	const originalEnv = process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4cddbfa2dce7592 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:138
		if (originalEnv === undefined) delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #986a38f00c124dd2 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:139
		else process.env[ENV_VAR] = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91e0ee27cd9399ab Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:143
		process.env[ENV_VAR] = '3';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cab96edb6b11a10 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:148
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #744573cc64093519 Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:153
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e500c7a62fa399d Environment-variable access.
repo/packages/cli/src/evaluation.ee/__tests__/evaluation-concurrency.helper.test.ts:158
		delete process.env[ENV_VAR];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd9fabc6a243c27c Environment-variable access.
repo/packages/cli/src/evaluation.ee/evaluation-concurrency.helper.ts:68
	if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4fb3ab35adc39e69 Environment-variable access.
repo/packages/cli/src/evaluation.ee/evaluation-concurrency.helper.ts:87
	if (process.env[EVALUATION_CONCURRENCY_ENV_VAR] !== undefined) return 'env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5a6f7878f854af7 Filesystem access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:12
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #478e7e7b483c77d3 Filesystem access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:54
	readFileSync(path.join(__dirname, './mock-data/workflow.under-test.json'), { encoding: 'utf-8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #896b9e5c086900af Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:550
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a45f9818359c727 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:621
			delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8a8450b52a22a47c Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2340
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e475c46007d3c580 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2341
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '5';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d23169e90406ff0 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2349
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d02168b3c0ab3107 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2350
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8d706d8eaf8bd0c Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2379
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f0949fe0604271f Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2380
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91b532c1e750d7b4 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2392
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8ee7a01a646dc4b Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2393
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #448d4b66705ed43c Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2462
			const originalEnv = process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b520709e20643789 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2463
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6cf3548162c404d Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2480
				if (originalEnv === undefined) delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df82bcb7795856b1 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/__tests__/test-runner.service.ee.test.ts:2481
				else process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1591b9ae9a27c17 Environment-variable access.
repo/packages/cli/src/evaluation.ee/test-runner/test-runner.service.ee.ts:404
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66587fa33086109c Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/__tests__/message-event-bus-log-writer.test.ts:43
		writeFileSync(path, lines.join('\n') + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b83cf065f4485bf8 Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer-worker.ts:1
import { appendFileSync, existsSync, rmSync, renameSync, openSync, closeSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3981ca37fc76c3d Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer-worker.ts:2
import { stat } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc8408f528d8a35 Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus-writer/message-event-bus-log-writer.ts:5
import { createReadStream, existsSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #702b9bc2a0591183 Filesystem access.
repo/packages/cli/src/eventbus/message-event-bus/__tests__/message-event-bus.test.ts:112
		writeFileSync(stalePath, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ad05c9e1e877848 Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1481
				process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dc20942746e53398 Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1485
				delete process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #934c060e5af4d7e1 Environment-variable access.
repo/packages/cli/src/execution-lifecycle/__tests__/execution-lifecycle-hooks.test.ts:1502
				delete process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #677f2dbe9dec3493 Environment-variable access.
repo/packages/cli/src/execution-lifecycle/execution-lifecycle-hooks.ts:703
				process.env.N8N_SKIP_UNSAVED_EXECUTION_DATA_WRITES === 'true' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d2efd2b851e1d8a Filesystem access.
repo/packages/cli/src/load-nodes-and-credentials.ts:7
import fsPromises from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35e2db51eea2acb3 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:76
		process.env.NODE_PATH = [module.paths.join(delimiter), process.env.NODE_PATH]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36dfd57994cddd43 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:89
		if (process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd7ada122a948c73 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:281
		if (process.env[CUSTOM_EXTENSION_ENV] !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b02fb264542df031 Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:282
			const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a4aa51e88a17fdd Environment-variable access.
repo/packages/cli/src/load-nodes-and-credentials.ts:366
		return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acf1d86ca55eb14a Filesystem access.
repo/packages/cli/src/metrics/prometheus/pss-metrics.service.ts:29
					const content = readFileSync('/proc/self/smaps_rollup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b66cc113043120e1 Filesystem access.
repo/packages/cli/src/metrics/prometheus/pss-metrics.service.ts:43
			readFileSync('/proc/self/smaps_rollup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1cd7d4695384ecde Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:174
		await writeFile(textFilePath, 'hello world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f9b7f045b4d7a43 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:175
		await writeFile(pdfFilePath, '%PDF-1.4');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8870b39d0d3af498 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:252
		await writeFile(firstPath, 'hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1050a7dea36385b Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:253
		await writeFile(secondPath, 'world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #030baad743c1c952 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:287
		await writeFile(filePath, 'hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27a345cd0af1c6b3 Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:331
		await writeFile(tempFilePath, 'x');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0de6cc41205b98ca Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-knowledge.service.test.ts:512
		await writeFile(tempFilePath, 'hello world');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8ed28033578ab4c Filesystem access.
repo/packages/cli/src/modules/agents/__tests__/agent-secure-runtime.test.ts:2
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83c3e5b2e756efbc Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:23
	for (const key of ENV_KEYS) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e1c88716cece4e8 Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:114
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c978105e00ed099f Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:224
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd26191843ec58cd Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:244
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3800e0e9639107bc Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:293
			process.env.N8N_AI_ANTHROPIC_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da3915df4c8fd755 Environment-variable access.
repo/packages/cli/src/modules/agents/builder/__tests__/agents-builder-settings.service.test.ts:301
			process.env.ANTHROPIC_API_KEY = 'sk-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c082b286aff9f613 Environment-variable access.
repo/packages/cli/src/modules/agents/builder/agents-builder-settings.service.ts:40
	const key = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40c3a0d5cadf27f3 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d5c0a5e3a09e0ecf Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:16
	readFileSync(join(__dirname, 'fixtures/slack/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f203859705c959b2 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-contract.test.ts:19
	readFileSync(join(__dirname, 'fixtures/telegram/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3c3be6a3b3ce276 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:1
import { mkdtemp, rm, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #8a491f438014ee60 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:76
			await fetch('https://api.telegram.org/bot123456:secret/sendMessage', {
				method: 'POST',
				headers: requestHeaders,
				body: '{}',
			});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #d63a90f79a2fa9b1 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/__tests__/channel-integration-recorder.test.ts:136
		await writeFile(filePath, 'x', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9814f8b113a2ff72 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/linear/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ce3a8cab82c5b15 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/linear/recorded-integration.test.ts:13
	readFileSync(join(__dirname, '../../../__tests__/fixtures/linear/recorded-session.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #495aa84abcf16d94 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/slack/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d78cac844c4a920f Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/slack/recorded-integration.test.ts:12
	readFileSync(join(__dirname, '../../../__tests__/fixtures/slack/recorded-session.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #900a2a64f5491bcb Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9df1f6c6a0457792 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:25
	readFileSync(join(__dirname, '../../../__tests__/fixtures/telegram/basic.json'), 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2626c5552f7410f1 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/platforms/__tests__/telegram/recorded-integration.test.ts:28
	readFileSync(
		join(__dirname, '../../../__tests__/fixtures/telegram/recorded-session.json'),
		'utf8',
	),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bfb86eab9293b72 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:1
import { mkdir, readFile, readdir, rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d27b1afb54a3d958 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:161
	const ref = process.env.N8N_AGENT_INTEGRATION_RECORDING_REF ?? 'local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9781aa4ab54ddee Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:247
			options.enabled ?? process.env.N8N_AGENT_INTEGRATION_RECORDING_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d458cac1cda0f22 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:250
				process.env.N8N_AGENT_INTEGRATION_RECORDING_SESSION_ID ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4320a8ccc9f4b6b0 Environment-variable access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:255
			process.env.N8N_AGENT_INTEGRATION_RECORDING_DIR ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b7c006d1553b23c Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:385
					const contents = await readFile(join(this.recordingDir, file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06cc1851f0748043 Filesystem access.
repo/packages/cli/src/modules/agents/integrations/recording/channel-integration-recorder.ts:398
		const contents = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #671fc8be494a9447 Filesystem access.
repo/packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:4
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f60bb1d894f6ac0 Filesystem access.
repo/packages/cli/src/modules/agents/runtime/agent-secure-runtime.ts:139
			this.libraryBundle = readFileSync(LIBRARY_BUNDLE_PATH, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab7526f46de3d9f7 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/dotenv-upgrade.rule.test.ts:33
			delete process.env.DOTENV_CONFIG_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90009dac62fed39f Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/oauth-callback-auth.rule.test.ts:18
			delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0dba05d7d8d39c55 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/oauth-callback-auth.rule.test.ts:30
				process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11325c86079a0dcc Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:49
			const originalValue = process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc7aa37981f249d3 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:51
				process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d08e6e02d59c1e64 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:67
					delete process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17b5821c42ac7e6e Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/process-env-access.rule.test.ts:69
					process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE = originalValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82fdcbb3982f2254 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/queue-worker-max-stalled-count.rule.test.ts:12
			delete process.env.QUEUE_WORKER_MAX_STALLED_COUNT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ca67f288e9b6b92 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/queue-worker-max-stalled-count.rule.test.ts:21
			process.env.QUEUE_WORKER_MAX_STALLED_COUNT = '10';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6bf38689d739c04 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:15
		originalEnvValue = process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf98f9a272ca02c7 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:17
		delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4eca6ab136fa72fe Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:22
			delete process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6e01d1ad4394937 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:24
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = originalEnvValue;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f943828700aa1dfe Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:43
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5e39db44ad746ab Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/__tests__/settings-file-permissions.rule.test.ts:53
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38a4bde57c6acd77 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/disabled-nodes.rule.ts:56
		if (process.env.NODES_EXCLUDE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae3152c8cde685c3 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/oauth-callback-auth.rule.ts:30
		if (process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8807c94d25d51a73 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/process-env-access.rule.ts:34
		if (process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #223f5332a6b1cda9 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/queue-worker-max-stalled-count.rule.ts:36
		if (!process.env.QUEUE_WORKER_MAX_STALLED_COUNT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ad39f4272a94dfb Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v2/settings-file-permissions.rule.ts:42
		if (process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67a604d9da830af8 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:9
		delete process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c1c3e1f426738ad Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:10
		delete process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f76d8884a198d996 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:28
			process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe0884288b32f37d Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:38
			process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d1bb95d7c7a37e0 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:48
			process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES = '2147483648';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e09bc61d9a2412d3 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/compression-node-limits.rule.test.ts:49
			process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71b6a052662824a0 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:13
		delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #01b738402f4fbe43 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:33
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb9a30eea8381a66 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/offload-manual-executions.rule.test.ts:53
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6291151f926cf96 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/task-runner-task-timeout.rule.test.ts:9
		delete process.env.N8N_RUNNERS_TASK_TIMEOUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2750c0dd7888b7a Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/task-runner-task-timeout.rule.test.ts:28
			process.env.N8N_RUNNERS_TASK_TIMEOUT = '300';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4576e9125d20e8c7 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:13
		delete process.env.N8N_UNVERIFIED_PACKAGES_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fde30e41c5ae703c Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:33
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c9d52372b8d3eca5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/__tests__/unverified-packages.rule.test.ts:41
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #899e323dd7417bd5 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/compression-node-limits.rule.ts:28
		if (process.env.N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b662d210cda57c9 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/compression-node-limits.rule.ts:37
		if (process.env.N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ce078c84c7871ca Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/offload-manual-executions.rule.ts:31
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b3adea15ebcd91b Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/task-runner-task-timeout.rule.ts:26
		if (process.env.N8N_RUNNERS_TASK_TIMEOUT !== undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85ca29aa1ea26217 Environment-variable access.
repo/packages/cli/src/modules/breaking-changes/rules/v3/unverified-packages.rule.ts:31
			process.env.N8N_UNVERIFIED_PACKAGES_ENABLED === undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c077cc3323e7e81e Filesystem access.
repo/packages/cli/src/modules/chat-hub/chat-hub-agent.service.ts:12
import { readFile, unlink } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #356d140695005db7 Filesystem access.
repo/packages/cli/src/modules/chat-hub/chat-hub-agent.service.ts:449
			const buffer = file.buffer ?? (await readFile(file.path));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebe5d5c3965b85c5 Environment-variable access.
repo/packages/cli/src/modules/chat-hub/chat-hub-workflow.service.ts:101
		if (process.env.N8N_SKIP_CHAT_WORKFLOW_CLEANUP !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb42f56225079316 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:29
		delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac96fda4c82fc501 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:52
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a82af2ce8311b1fa Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:64
			process.env.ENVIRONMENT = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9edbe2b3395beae3 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-node-types.service.test.ts:70
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d74fe1878db198b Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:22
		process.env.N8N_DISABLED_MODULES = 'community-packages';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e590311a60a395be Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:28
		process.env.N8N_DISABLED_MODULES = 'insights,community-packages,mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ac7034b02cab0f2 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:34
		process.env.N8N_DISABLED_MODULES = 'insights,mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5265b5be7a12b173 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.config.test.ts:40
		process.env.N8N_COMMUNITY_PACKAGES_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #130a5fc3ed5aed72 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1100
			const originalEnv = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f2c88ecd3e9d5018 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1108
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9983fff9c980cb8 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1124
					delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9672772e93c4dd04 Environment-variable access.
repo/packages/cli/src/modules/community-packages/__tests__/community-packages.service.test.ts:1126
					process.env.ENVIRONMENT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eba05dadff21cbf Environment-variable access.
repo/packages/cli/src/modules/community-packages/community-node-types.service.ts:128
		const environment = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b779387881337069 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:269
			await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0916f354f7b227f Environment-variable access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:298
			const environment = process.env.ENVIRONMENT === 'staging' ? 'staging' : 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a46b4b48a95f3d8 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:649
			const packageJsonContent = await readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a1c7fbc1dff7b05 Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:662
			await writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fe696ada9377fdb Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:704
		const existingContent = await readFile(this.packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da8c8970a4e4efad Filesystem access.
repo/packages/cli/src/modules/community-packages/community-packages.service.ts:707
		await writeFile(this.packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35d2a41c61775e74 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/csv-parser.service.test.ts:3
import { mkdtempSync, writeFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e456c2612775285 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/csv-parser.service.test.ts:31
		writeFileSync(join(tempDir, filename), content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1749d02b92b8fddf Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/data-table-file-cleanup.service.test.ts:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ad1438e47cc1d867 Filesystem access.
repo/packages/cli/src/modules/data-table/__tests__/multer-upload-middleware.test.ts:5
import * as fsPromises from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7868a9475e6bf6bc Filesystem access.
repo/packages/cli/src/modules/data-table/csv-parser.service.ts:5
import { createReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c79c00861a7a22c5 Filesystem access.
repo/packages/cli/src/modules/data-table/data-table-file-cleanup.service.ts:4
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12ce69c7aadc0fa5 Filesystem access.
repo/packages/cli/src/modules/data-table/multer-upload-middleware.ts:6
import { mkdir, readdir, stat, unlink } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1af342930874e9db Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/__tests__/dynamic-credentials-cors.integration.test.ts:18
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14b398ee4040d8f1 Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/__tests__/dynamic-credentials-rate-limit.integration.test.ts:27
process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #480a912d240c727e Environment-variable access.
repo/packages/cli/src/modules/dynamic-credentials.ee/dynamic-credentials.module.ts:13
	return process.env.N8N_ENV_FEAT_DYNAMIC_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17299066b00c26c5 Environment-variable access.
repo/packages/cli/src/modules/encryption-key-manager/encryption-key-manager.module.ts:7
	return process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3716af98746565d8 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:75
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7a0326d99851093 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:82
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9157994d8b7fa7ca Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:103
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c840b3cc4ea3beba Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:131
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c52197b283fed6f5 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:149
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc12d3d7ca28865f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai-test.controller.test.ts:223
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d85caed2a828c5c8 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3189
		const original = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8af917c2316e3788 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3190
		process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f57423c5b92fa8b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3220
			if (original === undefined) delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ac295eb99fda6b7 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/instance-ai.adapter.service.test.ts:3221
			else process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = original;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23b91f0d87c7561d Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:14
		writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0844b27a31db7fa9 Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:15
		writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fc377f00c5ca4f6 Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:54
		writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72c74c1fafba323f Filesystem access.
repo/packages/cli/src/modules/instance-ai/__tests__/node-definition-resolver.test.ts:55
		writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #adb7ffca324049a5 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:291
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68b09c403fbf94e3 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:301
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0ef861727788cbf Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:314
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c212a1390ce52bb Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:326
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b24aca0d8856d81f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:338
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34e7e4f33e44ce0b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:350
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40bf323f0466c8e5 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:365
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f8b7d48aa63bdbc Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:379
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e191d459da79886d Environment-variable access.
repo/packages/cli/src/modules/instance-ai/__tests__/trace-replay-state.test.ts:397
			process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ce69e82b4c4ae13b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:44
	savedApiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aff847c9b92aefdf Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:45
	delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da81b08883cea631 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:50
		process.env.CONTEXT7_API_KEY = savedApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faeafea43585cd6b Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:52
		delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dcac5a302be3c047 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:225
		process.env.CONTEXT7_API_KEY = 'test-api-key-123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62ca7ceb2ddca945 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/api-docs.test.ts:241
		delete process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b99bc5aff9e950ff Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:8
	const original = process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d38f67703d6fb42 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:11
		if (original === undefined) delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #15da686a71b48ea2 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:12
		else process.env.N8N_INSTANCE_AI_EVAL_TIMING = original;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #642e0c3ecb040f59 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:17
			delete process.env.N8N_INSTANCE_AI_EVAL_TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa3e36137df072be Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/__tests__/eval-timings.test.ts:33
			process.env.N8N_INSTANCE_AI_EVAL_TIMING = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10a8e29aa330e50f Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:28
		const apiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1df2e303f5b3bfa4 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/api-docs.ts:76
		const apiKey = process.env.CONTEXT7_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b7f704d4692ca00 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:23
	readonly enabled = process.env.N8N_INSTANCE_AI_EVAL_TIMING === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f587d77d81b48a6 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:56
			process.env.N8N_INSTANCE_AI_EVAL_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c603a55ff32e738e Environment-variable access.
repo/packages/cli/src/modules/instance-ai/eval/eval-timings.ts:57
			process.env.N8N_INSTANCE_AI_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a95b4b717f676945 Filesystem access.
repo/packages/cli/src/modules/instance-ai/eval/pin-data-generator.ts:15
import { existsSync, readFileSync, readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e00b3b720fc4ca1 Filesystem access.
repo/packages/cli/src/modules/instance-ai/eval/pin-data-generator.ts:129
							const content = readFileSync(join(entryPath, nodeFile), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36f4ac5dc8b2a821 Filesystem access.
repo/packages/cli/src/modules/instance-ai/eval/pin-data-generator.ts:204
				return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #442cd9fcab42f1fe Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai-model.service.ts:124
		const hasHttpProxy = Boolean(process.env.HTTPS_PROXY || process.env.HTTP_PROXY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2249bffd4789bbec Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai-test.controller.ts:117
		if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1444602d42cce4f9 Filesystem access.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:215
		const promise = readFile(filePath, 'utf-8').then((json) =>

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9af58acb91e9a129 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.adapter.service.ts:1132
					process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b361f4571c0f8efb Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.module.ts:29
		if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cdfcb89dc70d186 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/instance-ai.service.ts:3067
			if (!tracing && process.env.E2E_TESTS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37f6d9d985753f03 Filesystem access.
repo/packages/cli/src/modules/instance-ai/node-definition-resolver.ts:375
${readFileSync(variant.filePath, 'utf-8')}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b5f4739d2259c01 Filesystem access.
repo/packages/cli/src/modules/instance-ai/node-definition-resolver.ts:382
		const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67a55db1206fd163 Environment-variable access.
repo/packages/cli/src/modules/instance-ai/trace-replay-state.ts:154
		if (process.env.E2E_TESTS !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9bbec6c2c8c2f15c Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/__tests__/mcp-registry-test.controller.test.ts:66
			delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ab5652fbb75b6dd Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/__tests__/mcp-registry-test.controller.test.ts:72
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fecd7026af3cfdc3 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/mcp-registry-test.controller.ts:39
		if (process.env.E2E_TESTS !== 'true' || process.env.NODE_ENV === 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11aba10c34efa99e Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/mcp-registry.module.ts:16
		if (process.env.E2E_TESTS === 'true' && process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b92e17e539d6a401 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:19
	const originalEnv = process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5210bf2794a8bc02 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:20
	const originalDevUrl = process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7dbb1c9ca0b1466 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:24
		delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58da6ce96de97aac Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:25
		delete process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4943ad92f5aedb3 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:31
			process.env.ENVIRONMENT = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7025b2ae26f723a2 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:33
			delete process.env.ENVIRONMENT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09379d5ba5be6551 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:36
			process.env.N8N_MCP_SERVERS_DEV_URL = originalDevUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c3d5d2e27988ed98 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:38
			delete process.env.N8N_MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3eca038807f2d2c1 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:56
			process.env.ENVIRONMENT = 'staging';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0356c207c888ff17 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:69
			process.env.ENVIRONMENT = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64edab54a6b1cc38 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:82
			process.env.ENVIRONMENT = 'dev';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1c173d970d878013 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:95
			process.env.ENVIRONMENT = 'dev';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e513b47c4f9a587f Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:96
			process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fbe21b656413c1b7 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/__tests__/mcp-registry-api.client.test.ts:109
			process.env.N8N_MCP_SERVERS_DEV_URL = 'http://localhost:9999/api/mcp-servers';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #422d7c58633171ed Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/mcp-registry-api.client.ts:68
		switch (process.env.ENVIRONMENT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51795957c6706496 Environment-variable access.
repo/packages/cli/src/modules/mcp-registry/registry/mcp-registry-api.client.ts:70
				return process.env.N8N_MCP_SERVERS_DEV_URL || MCP_SERVERS_DEV_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ca34b14c2573d54 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:11
		delete process.env.N8N_MCP_SERVER_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31fe395b8c440bd3 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:21
		process.env.N8N_MCP_SERVER_RATE_LIMIT = '500';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41ed5217a9af1a47 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:29
		process.env.N8N_MCP_SERVER_RATE_LIMIT = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fcdf8b8d9690a8a5 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.config.test.ts:39
			process.env.N8N_MCP_SERVER_RATE_LIMIT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b3dc8e5e4323f75 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:453
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ea072bdaa64b216 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:454
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd14c7d23805e4a2 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:461
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51daed88f240c2ef Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:466
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b2a69b6459e708de Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:467
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41f4f786730d35a3 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:479
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #823265994c77a77c Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:484
			const originalEnv = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e73ee8b9c9e44e87 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:485
			process.env.NODE_ENV = 'production';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a9c4c267097a090 Environment-variable access.
repo/packages/cli/src/modules/mcp/__tests__/mcp.settings.controller.test.ts:494
				process.env.NODE_ENV = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6ccd64ccc9308eb Environment-variable access.
repo/packages/cli/src/modules/mcp/dto/update-allowed-redirect-uris.dto.ts:22
		const requiresHttps = process.env.NODE_ENV !== 'development' && !isLocalhost(hostname);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47c36f83b23231f4 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:145
	writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #43e6bb43c246ee21 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:148
		writer.writeFile(`workflows/wf-${idx}/workflow.json`, JSON.stringify(wf));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64e9f1240f658ba4 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:230
	writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0337d95e16241fc Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:233
		writer.writeFile(`${target}/workflow.json`, JSON.stringify(workflow));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a8481bc7b385f332 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:237
		writer.writeFile(`${target}/folder.json`, JSON.stringify(folder));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #06df502df6eae398 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/fixtures/package-fixtures.ts:241
		writer.writeFile(`${target}/project.json`, JSON.stringify(project));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e9ec0986f6729d8 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1016
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: '99',
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'bad-manifest',
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #de31f8c7bd46ac84 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1081
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: '99',
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'integration-test-source',
				workflows: [{ id: 'wf-x', name: 'X', target: 'workflows/wf-x' }],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3a4b7d220e4d353c Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1092
		writer.writeFile(
			'workflows/wf-x/workflow.json',
			JSON.stringify(serializedWorkflow({ id: 'wf-x', name: 'X' })),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #478fe733e4028e57 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/__tests__/import-package.integration.test.ts:1108
		writer.writeFile(
			'manifest.json',
			JSON.stringify({
				packageFormatVersion: FORMAT_VERSION,
				exportedAt: new Date().toISOString(),
				sourceN8nVersion: '1.0.0',
				sourceId: 'integration-test-source',
				workflows: [{ id: 'wf-missing', name: 'Missing', target: 'workflows/nowhere-to-be-found' }],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56e45016664053c3 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/engine/n8n-package-parser.ts:146
			content = await reader.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c93c0649b76f7d3a Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/credential/credential.exporter.ts:74
				request.writer.writeFile(
					`${target}/credential.json`,
					JSON.stringify(this.credentialSerializer.serialize(credential), null, '\t'),
				);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0570bc84743fe197 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/data-table/data-table.exporter.ts:70
			request.writer.writeFile(
				`${target}/data-table.json`,
				JSON.stringify(this.dataTableSerializer.serialize(dataTable), null, '\t'),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39fc206c16fd6a08 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/folder/folder.exporter.ts:168
		writer.writeFile(`${target}/folder.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49ce5c3c3e5f5c0e Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/project/project.exporter.ts:91
		writer.writeFile(`${target}/project.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #accd9c7569d33add Filesystem access.
repo/packages/cli/src/modules/n8n-packages/entities/workflow/workflow.exporter.ts:68
			request.writer.writeFile(`${target}/workflow.json`, JSON.stringify(serialized, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6b89425cfa2d06b Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:38
				writer.writeFile('manifest.json', JSON.stringify(manifest));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1207d64497f39a0d Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:40
				writer.writeFile('workflows/my-workflow-abc/workflow.json', workflowJson);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #87ba1948b7bf45aa Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:46
			await expect(reader.readFile('workflows/my-workflow-abc/workflow.json')).resolves.toEqual(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74193bcae223e1f4 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:53
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fb376d66c36b64f Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:55
				writer.writeFile('workflows/a/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28e8120c015e5ef8 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:57
				writer.writeFile('workflows/b/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #294a2389a4e8ebe0 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:83
				writer.writeFile('manifest.json', '{not-json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23a41bcb243070bd Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:208
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #976289087b99daee Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:209
				writer.writeFile('oversized.bin', 'x'.repeat(500));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e4e6c1fb7f4614f6 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:224
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #40c535dfef78753d Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:225
				writer.writeFile('oversized.bin', 'x'.repeat(500));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1ff236272ac47638 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:239
				writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f2893a4eed8d4c7 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-reader.test.ts:241
					writer.writeFile(`workflows/wf-${i}/workflow.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c8cd2bb0c696d1b Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:49
		writer.writeFile('workflows/wf-abc/workflow.json', '{"id":"abc"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #55a98ab4169f70d0 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:50
		writer.writeFile('manifest.json', '{"packageFormatVersion":"1"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa0dae1e09e552be Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:62
			writer.writeFile('manifest.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32f2500e006c85cf Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:64
			writer.writeFile('workflows/x/workflow.json', '{"id":"x"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29e43e158d7055a4 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:83
		writer.writeFile('manifest.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d60101c2c50eacc3 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/io/__tests__/tar-package-writer.test.ts:84
		writer.writeFile('./workflows/wf/workflow.json', '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b64868e08503590 Filesystem access.
repo/packages/cli/src/modules/n8n-packages/n8n-packages.service.ts:139
		writer.writeFile('manifest.json', JSON.stringify(manifest, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7eab61288329b3f9 Environment-variable access.
repo/packages/cli/src/modules/oauth-jwe/oauth-jwe.module.ts:9
	return process.env.N8N_ENV_FEAT_OAUTH2_JWE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da6e56b7b42154be Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:11
		delete process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72e3af45afcdadeb Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:12
		delete process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f25cb47b8986bc0a Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:13
		delete process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #87f2f810dee5e289 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:14
		delete process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #559d1bd38d4a84c1 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:15
		delete process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4128fcf5c6b77d8f Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:29
		process.env.N8N_OAUTH_SERVER_REGISTER_RATE_LIMIT = '100';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e4e9aeaa9558252b Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:30
		process.env.N8N_OAUTH_SERVER_AUTHORIZE_RATE_LIMIT = '200';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0eadce02ec50e1dd Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:31
		process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '300';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef88ac4fb720180c Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:32
		process.env.N8N_OAUTH_SERVER_REVOKE_RATE_LIMIT = '400';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #603b5b3fe367c769 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:33
		process.env.N8N_OAUTH_SERVER_WELL_KNOWN_RATE_LIMIT = '500';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1d0d41be00bf8ef Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:45
		process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ef3996265053e57 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.config.test.ts:55
			process.env.N8N_OAUTH_SERVER_TOKEN_RATE_LIMIT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #9859e725b00150be Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:233
				resource: new URL('https://n8n.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #26dcf1c6c5f8f7e1 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:470
				resource: new URL('https://attacker.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #55435a26b14a31b8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:505
				resource: new URL('https://n8n.example.com/mcp-server/http/'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #87fa2dde0668ef88 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:759
				new URL('https://n8n.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #4b73f5685a2a3599 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:817
					new URL('https://attacker.example.com/mcp-server/http'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #bd2d560ab7bf434e Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/oauth-server/__tests__/oauth-server.service.test.ts:847
				new URL('https://n8n.example.com/mcp-server/http/'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #23f421f54a13ee83 Environment-variable access.
repo/packages/cli/src/modules/oauth-server/oauth-session.service.ts:36
			secure: process.env.NODE_ENV === 'production',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #738ce3a972931c54 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:21
			if (key.startsWith('N8N_OTEL_')) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d3977c749577191 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:81
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68f8f921481a2944 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:100
			process.env.N8N_OTEL_ENABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f8344d1a52e94b1 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:101
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #848a859f9494b7e1 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:172
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ae78cef04ce87a4 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/otel-settings.service.test.ts:203
			process.env.N8N_OTEL_EXPORTER_OTLP_ENDPOINT = 'https://from-env';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #dcfe72b8c0ffb4c2 Filesystem access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:7
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d6c51d1e959e9e4 Filesystem access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:27
		readFileSync(path.join(BASE_DIR, 'nodes-base/dist/known/nodes.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f152dd6fabd3ef55 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:86
		saved[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7add1c5bc73ffeac Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:87
		process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cdf54b34fbe563a6 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:95
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9f78a0a69af5f69 Environment-variable access.
repo/packages/cli/src/modules/otel/__tests__/support/otel-integration-utils.ts:97
			process.env[key] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e99d645df4cc7546 Environment-variable access.
repo/packages/cli/src/modules/otel/otel-settings.service.ts:95
		return process.env[OTEL_ENV_VARS[key]] !== undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef6610f0d09efe01 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:11
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #98f148b171459707 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:29
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ed2b72be193c1818 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:49
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c9b00d9cec6dfc5a Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:72
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5dcea672b2116e90 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:93
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ccf6f7a7b19a3f0 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:101
		process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ada2427b3e6e81a2 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:127
		process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3d1d548816bd27e5 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.config.test.ts:249
		process.env.N8N_QUICK_CONNECT_OPTIONS = config;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3af6d53fb8faa688 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:15
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13b34c2e0ebade0d Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:32
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afe26754188023b5 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:55
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14500e49c6d3821b Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:83
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f71e72de06dcc661 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:105
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9e139bbb6136c366 Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.module.test.ts:140
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d99d149ace9276b Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:107
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c868a2a99d58b2ca Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:129
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac87636a64cee8bc Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:141
			process.env.N8N_QUICK_CONNECT_OPTIONS = '[]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #344aeb8c1a61700b Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:165
			process.env.N8N_QUICK_CONNECT_OPTIONS = JSON.stringify(testConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0dabeeded0462fa Environment-variable access.
repo/packages/cli/src/modules/quick-connect/__tests__/quick-connect.service.test.ts:177
		delete process.env.N8N_QUICK_CONNECT_OPTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f64c910ae1d5542 Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts:14
		delete process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58025fcf7d0134aa Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/__tests__/runtime-credentials.module.test.ts:23
			process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51223b643cdef9d9 Environment-variable access.
repo/packages/cli/src/modules/runtime-credentials/runtime-credentials.module.ts:8
	return process.env.N8N_ENV_FEAT_RUNTIME_CREDENTIALS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b1bd5d7e259d8666 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:395
				delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb22cf3ea743fc42 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:396
				delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c4d61fb5df36f4b Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:397
				delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #71a6609b375f6ebe Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:398
				delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #36cd7ada022a8176 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:399
				delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd263cb6717ef3e4 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:400
				delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19dc1989c77a0e8f Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:401
				delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28613a4fd4b2915b Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:402
				delete process.env.all_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8823156af1171188 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:415
				process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9cc7ffa5cc78395b Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:439
				process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #785efcf5f1bcc825 Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:483
				process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #092bb61e42bb3b2b Environment-variable access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-git.service.test.ts:484
				process.env.NO_PROXY = 'github.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e600b21c4431af62 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-helper.ee.test.ts:3
import { accessSync, constants as fsConstants } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2438ad32d616965b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:4
import { readFile, writeFile, access, mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fdac4a9d0e3006bd Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:99
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7f15a5cb112d766 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:131
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd0b4b01abc97dee Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:165
			const fileContent = await readFile(tempFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec50ad693e5bcfea Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:205
			const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9c60c3e0384ad093 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:266
			const fileContent = await readFile(tempFilePath2, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #546fe4aa1255b1e0 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/__tests__/source-control-preferences.service.ee.test.ts:437
			await writeFile(knownHostsPath, 'github.com ssh-rsa AAAA...\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bc2ee797ff2eb2b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:146
					return await fsWriteFile(fileName, JSON.stringify(sanitizedWorkflow, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #333af4a94d430407 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:238
			await fsWriteFile(fileName, JSON.stringify(sanitizedVariables, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f326601d5cfedcb Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:359
				await fsWriteFile(filePath, JSON.stringify(exportableDataTable, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54504ba63e586020 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:429
			await fsWriteFile(
				fileName,
				JSON.stringify(
					{
						folders: newFolders,
					},
					null,
					2,
				),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43af9b6344d73ebe Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:462
				await fsWriteFile(fileName, JSON.stringify({ tags: [], mappings: [] }, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a3e98ec1033fbf0 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:492
			await fsWriteFile(
				fileName,
				JSON.stringify(
					{
						// overwrite all tags
						tags: tags.map((tag) => ({ id: tag.id, name: tag.name })),
						mappings: mappingsToKeep.concat(mappingsOfAllowedWorkflows),
					},
					null,
					2,
				),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88d32512bc627c1b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:580
					return await fsWriteFile(filePath, JSON.stringify(stub, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df43a5fc2b0c25a6 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-export.service.ee.ts:640
					return await fsWriteFile(fileName, JSON.stringify(sanitizedProject, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff866f24452acdca Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:6
import { accessSync, constants as fsConstants, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a27bddb946a9af32 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:191
			await fsReadFile(file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2b3d2212d6369f3 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:214
		return jsonParse<ExportedFolders>(await fsReadFile(file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cbcf89c0a6fdf27 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-helper.ee.ts:229
		return jsonParse<ExportableDataTable[]>(await fsReadFile(file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d915e5d9850215a Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:316
					await fsReadFile(file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f63c5514e803e7c8 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:426
				await fsReadFile(variablesFile[0], { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc5870fa915dccbf Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:456
				const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2df04a9c1c932913 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:556
			}>(await fsReadFile(foldersFile[0], { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88264a731a9feb23 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:607
				await fsReadFile(tagsFile[0], { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #086778f5c1579c5b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:653
				const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38825f456d03a520 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:875
			const fileContent = await fsReadFile(file, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b5b68e8990627f3 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:979
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21d0fd096684311b Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1051
				await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d41e86032f01e9e2 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1149
			}>(await fsReadFile(candidate.file, { encoding: 'utf8' }), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5e1aa7554d27972 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1265
				await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbf40a31c290ba35 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1305
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #639c9dfa7958ccc1 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-import.service.ee.ts:1590
					await fsReadFile(candidate.file, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd5dd928888a2090 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:6
import { rm as fsRm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b0182e29f5de030 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:152
			await writeFile(tempFilePath, normalizedKey, { mode: 0o600 });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0df408825eee4c7 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control-preferences.service.ee.ts:170
			return await readFile(this.sshKeyName + '.pub', { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b5ec97138dabee9 Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:10
import { writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30e6613293aee25d Filesystem access.
repo/packages/cli/src/modules/source-control.ee/source-control.service.ee.ts:244
					writeFileSync(path.join(this.gitFolder, '/README.md'), SOURCE_CONTROL_README);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #b267c813e4501565 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.controller.ee.test.ts:244
			const mockAuthUrl = new URL('https://provider.com/auth?client_id=123');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #31f9bbeb31537b5f Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.controller.ee.test.ts:301
			const mockAuthUrl = new URL(
				'https://provider.com/auth?client_id=123&redirect_uri=http://localhost:5678/callback',
			);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #7eca15b97586a106 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:374
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #a3c9ab457aff519b Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:399
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #5fe351bf0e056b2d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:430
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #c5b3fe3e955c9fd6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:451
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f01bc4014feca0ba Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:473
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #3f390c9b51c55bbb Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:495
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #72441a9fd8fb45dc Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:520
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #0bfeded4aa0e49cd Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:551
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f8bd4011d548c5e5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:589
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #9f72ec155edce88a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:629
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #f6ddaeecdef6e5b2 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:664
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #306540cb476a61d6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:686
			const callbackUrl = new URL('https://example.com/callback');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #0fd3d5813c705532 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:700
		const discoveryUrl = new URL('https://example.com/.well-known/openid-configuration');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #d2a77366f2739d76 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/__tests__/oidc.service.ee.test.ts:795
				new URL('https://issuer.example.com/.well-known/openid-configuration'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #13a167c089861ba0 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/cli/src/modules/sso-oidc/oidc.service.ee.ts:63
	discoveryEndpoint: new URL('http://n8n.io/not-set'),

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #a4e866ab7d62551a Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:200
	const originalEnv = process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cabaa672d8bba080 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:250
			process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8c14382124f97c2 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:252
			delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bcd52fe02ac4bdac Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:265
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5aa3efbb79005296 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:267
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4aad5ec673cca3f4 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:274
			process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a2c63a4259fe070 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:849
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #661d3c97f34d46f1 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:860
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #213fc155f4909d29 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:873
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1018e43476c412de Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:897
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35337fb492788be2 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:927
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6b49ffee968654cf Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:955
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec572f5db26fd64b Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:993
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b60fd049df46111 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1014
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca2dc51551f3f76e Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1055
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bf2becb56aebd667 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1110
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0e41be65459a6a7f Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1196
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2045c2acc651f364 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1222
				delete process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0edb4f4033ba6db7 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/__tests__/saml.service.ee.test.ts:1246
				process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c5b39b37b864111 Environment-variable access.
repo/packages/cli/src/modules/sso-saml/saml.service.ee.ts:113
		return process.env.N8N_ENV_FEAT_SIGNED_SAML_REQUESTS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2bcc185f79d8e67 Environment-variable access.
repo/packages/cli/src/modules/token-exchange/token-exchange.module.ts:7
	return process.env.N8N_ENV_FEAT_TOKEN_EXCHANGE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cc8cbe5a9073c7c Filesystem access.
repo/packages/cli/src/node-catalog/node-catalog.service.ts:9
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2cc5227d748a141f Filesystem access.
repo/packages/cli/src/node-types.ts:3
import type { Dirent } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57e375d09ed17b91 Filesystem access.
repo/packages/cli/src/node-types.ts:4
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df7d02fcf17c4d6c Filesystem access.
repo/packages/cli/src/node-types.ts:53
				const translation = await readFile(translationPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #200f0a43362deae4 Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:173
			delete process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c8fd7df0e2b2fa4c Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:178
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17ca7813d921dc63 Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:183
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7bf1ec9e67484928 Environment-variable access.
repo/packages/cli/src/oauth/__tests__/oauth.service.test.ts:188
			process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK = 'TRUE';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d430127fe767b96d Environment-variable access.
repo/packages/cli/src/oauth/oauth.service.ts:87
	const value = process.env.N8N_SKIP_AUTH_ON_OAUTH_CALLBACK?.toLowerCase() ?? 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5ee5bec5d9ffe75 Filesystem access.
repo/packages/cli/src/public-api/index.ts:7
import fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6183fad4abfdd4f1 Filesystem access.
repo/packages/cli/src/public-api/index.ts:90
			const spec = await fs.readFile(openApiSpecPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c44f699b483a25e Filesystem access.
repo/packages/cli/src/public-api/index.ts:102
			const swaggerThemeCss = await fs.readFile(swaggerThemePath, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0aa343154ba6d2c2 Environment-variable access.
repo/packages/cli/src/public-api/index.ts:236
						operationHandlers: process.env.VITEST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #962fd09002445423 Filesystem access.
repo/packages/cli/src/public-api/v1/handlers/data-tables/__tests__/data-table-column-name.openapi.test.ts:2
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9534d49bae07e09e Filesystem access.
repo/packages/cli/src/public-api/v1/handlers/data-tables/__tests__/data-table-column-name.openapi.test.ts:22
		const doc = columnNameYmlSchema.parse(parse(fs.readFileSync(ymlPath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c0dc467aefd3339 Filesystem access.
repo/packages/cli/src/server.ts:9
import { access as fsAccess } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bce0801e6ad72c7f Environment-variable access.
repo/packages/cli/src/server.ts:117
		if (inDevelopment && process.env.N8N_DEV_RELOAD === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3b14f4799c80cc5 Environment-variable access.
repo/packages/cli/src/server.ts:389
			const isPreviewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #961f86eb8647427f Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:827
		writeFileSync(
			join(packageDir, 'package.json'),
			JSON.stringify({
				name: 'n8n-nodes-base',
				version: '1.0.0',
				n8n: { nodes: [], credentials: [] },
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32858b9a50699815 Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:835
		writeFileSync(
			join(packageDir, 'dist', 'known', 'nodes.json'),
			JSON.stringify({
				httpRequest: {
					className: 'HttpRequest',
					sourcePath: 'dist/nodes/HttpRequest/HttpRequest.node.js',
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7930724545d898bb Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:844
		writeFileSync(join(packageDir, 'dist', 'known', 'credentials.json'), JSON.stringify({}));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fe666960c4a3a1d Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:845
		writeFileSync(
			join(packageDir, 'dist', 'types', 'nodes.json'),
			JSON.stringify([nodeTypeDescription]),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #624c62ae538609af Filesystem access.
repo/packages/cli/src/services/__tests__/ai-workflow-builder.service.test.ts:849
		writeFileSync(join(packageDir, 'dist', 'types', 'credentials.json'), JSON.stringify([]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #09ed3f54de7761da Filesystem access.
repo/packages/cli/src/services/__tests__/export.service.test.ts:3
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5eebb5ea71c05acd Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:370
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e549b811ffadf25 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:387
			process.env.N8N_CONCURRENCY_EVALUATION_LIMIT = '7';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe591c83b954be46 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:408
			delete process.env.N8N_CONCURRENCY_EVALUATION_LIMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76da79178e9b8b01 Environment-variable access.
repo/packages/cli/src/services/__tests__/frontend.service.test.ts:536
			process.env.N8N_PREVIEW_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e2d80414afba33b7 Filesystem access.
repo/packages/cli/src/services/__tests__/import.service.test.ts:5
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac944096bfb1e21a Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:8
		delete process.env.WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1087fc344bcad653 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:13
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d33227aa6adf4ce7 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:23
			process.env.WEBHOOK_URL = 'https://example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23885196ee38feb8 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:34
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8cc7c452474d49cc Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:44
			process.env.WEBHOOK_URL = '"https://example.com/"';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fb81df0344e57ff7 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:57
			process.env.WEBHOOK_URL = 'https://old.example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6c3a4eb931b35e2c Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:65
			process.env.WEBHOOK_URL = 'https://old.example.com/';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b14c0970e856921 Environment-variable access.
repo/packages/cli/src/services/__tests__/url.service.test.ts:92
			process.env.WEBHOOK_URL = undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8f7ee3291202515 Filesystem access.
repo/packages/cli/src/services/ai-workflow-builder.service.ts:10
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e6ae563ab87d44d Filesystem access.
repo/packages/cli/src/services/export.service.ts:6
import { mkdir, rm, readdir, appendFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #818beed2b5d47158 Filesystem access.
repo/packages/cli/src/services/export.service.ts:252
				const keyFileContent = await readFile(keyFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3efc562c74741bfc Filesystem access.
repo/packages/cli/src/services/frontend.service.ts:7
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbde3523dde64cd6 Filesystem access.
repo/packages/cli/src/services/frontend.service.ts:8
import { mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5452f566084de0ee Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:170
		const previewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e5b8c4583ab2962 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:198
		const previewMode = process.env.N8N_PREVIEW_MODE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92ea198c31a6ee28 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:228
			nodeEnv: process.env.NODE_ENV,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c403cf322c815c17 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:336
				builtIn: process.env.NODE_FUNCTION_ALLOW_BUILTIN?.split(',') ?? undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7614d377902b46a2 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:337
				external: process.env.NODE_FUNCTION_ALLOW_EXTERNAL?.split(',') ?? undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13405205f3cdb6d5 Environment-variable access.
repo/packages/cli/src/services/frontend.service.ts:569
				!!this.globalConfig.aiAssistant.baseUrl || !!process.env.N8N_AI_ANTHROPIC_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43c51f7b6db36199 Filesystem access.
repo/packages/cli/src/services/import.service.ts:17
import { readdir, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0a8d20e45f422b1 Filesystem access.
repo/packages/cli/src/services/import.service.ts:470
		const content = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2adb4e805942375f Filesystem access.
repo/packages/cli/src/services/import.service.ts:525
				const keyFileContent = await readFile(keyFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6acf629f757badae Filesystem access.
repo/packages/cli/src/services/import.service.ts:1002
			await readFile(migrationsFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00ebc23c7d0a855a Filesystem access.
repo/packages/cli/src/services/import.service.ts:1010
		const migrationsFileContent = await readFile(migrationsFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ecc03aa35ce4147 Environment-variable access.
repo/packages/cli/src/services/url.service.ts:18
			this.globalConfig.webhookUrl || this.trimQuotes(process.env.WEBHOOK_URL) || this.baseUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f0e566cd69ef5bd0 Environment-variable access.
repo/packages/cli/src/task-runners/__tests__/task-runner-process-py.test.ts:54
			process.env[envVar] = 'custom value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30a3078d0d9e09e4 Environment-variable access.
repo/packages/cli/src/task-runners/__tests__/task-runner-process.test.ts:91
			process.env[envVar] = 'custom value';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0666d64c5a0f938b Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:58
			PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #027eba116c8f7f72 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:59
			HOME: process.env.HOME ?? process.env.USERPROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1318c4517c3a88c1 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:60
			NODE_PATH: process.env.NODE_PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02f5c32b0d4dd40d Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:63
			GENERIC_TIMEZONE: process.env.GENERIC_TIMEZONE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc432920bfb2fac Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:64
			NODE_FUNCTION_ALLOW_BUILTIN: process.env.NODE_FUNCTION_ALLOW_BUILTIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84f15d259236ca3e Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:65
			NODE_FUNCTION_ALLOW_EXTERNAL: process.env.NODE_FUNCTION_ALLOW_EXTERNAL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4ddbfebc20e9c64 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:68
			N8N_SENTRY_DSN: process.env.N8N_SENTRY_DSN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0c2a73f7488696d Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:69
			N8N_VERSION: process.env.N8N_VERSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a7745cdd21a912e Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:70
			ENVIRONMENT: process.env.ENVIRONMENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebc360aeae9c0fe5 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:71
			DEPLOYMENT_NAME: process.env.DEPLOYMENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23096714f70e7f5b Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:80
			N8N_RUNNERS_INSECURE_MODE: process.env.N8N_RUNNERS_INSECURE_MODE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62ac58c1953c9ddf Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:83
			N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT: process.env.N8N_RUNNERS_GRACEFUL_SHUTDOWN_TIMEOUT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b01182fe3f9b705 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-js.ts:84
			N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN: process.env.N8N_RUNNERS_SHUTDOWN_FORCE_KILL_MARGIN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae3e86e87e305e7c Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:42
				PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b85bcb4dffd7795b Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:43
				HOME: process.env.HOME ?? process.env.USERPROFILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f27568bee19614c Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:54
				N8N_RUNNERS_STDLIB_ALLOW: process.env.N8N_RUNNERS_STDLIB_ALLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa56a5227bb88381 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:55
				N8N_RUNNERS_EXTERNAL_ALLOW: process.env.N8N_RUNNERS_EXTERNAL_ALLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18deb7455e1ca5c7 Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:56
				N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS: process.env.N8N_RUNNERS_ALLOW_TRANSITIVE_IMPORTS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84954b83148625ea Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:57
				N8N_RUNNERS_BUILTINS_DENY: process.env.N8N_RUNNERS_BUILTINS_DENY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a7c211f2744784f Environment-variable access.
repo/packages/cli/src/task-runners/task-runner-process-py.ts:58
				N8N_BLOCK_RUNNER_ENV_ACCESS: process.env.N8N_BLOCK_RUNNER_ENV_ACCESS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #732dfdaaf904aceb Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:3
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5df420392791fcae Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:23
		const includedContent = await readFile(pathJoin(templatesDir, match[1]), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48ac90d767d33360 Filesystem access.
repo/packages/cli/src/user-management/email/__tests__/node-mailer.test.ts:35
	const rawMarkup = await readFile(pathJoin(templatesDir, `${templateName}.mjml`), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #649a4531a97d3fc1 Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:7
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #623be933278d5c10 Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:8
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8355491d5197bb2a Filesystem access.
repo/packages/cli/src/user-management/email/user-management-mailer.ts:337
			const markup = await readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00d76465594564d1 Environment-variable access.
repo/packages/cli/src/utils.ts:132
	if (process.env.ENABLE_OBSERVABILITY === undefined || process.env.ENABLE_OBSERVABILITY === '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c85477e7f8a206c Environment-variable access.
repo/packages/cli/src/utils.ts:133
		process.env.ENABLE_OBSERVABILITY = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #128ca70db6df659d Environment-variable access.
repo/packages/cli/src/utils.ts:136
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === undefined ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #732340ebdd8779be Environment-variable access.
repo/packages/cli/src/utils.ts:137
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #229e2fe1e3ea0887 Environment-variable access.
repo/packages/cli/src/utils.ts:139
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e54e0187442b1e08 Environment-variable access.
repo/packages/cli/src/utils/ai-proxy-fetch.ts:13
export const AI_REQUEST_TIMEOUT_MS = resolveTimeoutMs(process.env.N8N_AI_TIMEOUT_MAX);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93c9ad59852e2bfe Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:3
import { createWriteStream, mkdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abdfd4aef7a05ca7 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:4
import type { FileHandle } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fa157f3807986d7 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:5
import { open, readFile, readdir, mkdir } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47b5db3eff7bc1f2 Filesystem access.
repo/packages/cli/src/utils/compression.util.ts:221
			const fileContent = await readFile(fullPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f62c6d66fcf7c117 Environment-variable access.
repo/packages/cli/src/utils/health-endpoint.util.ts:24
	const isHealthEndpointCustomized = process.env.N8N_ENDPOINT_HEALTH !== undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63ae1e24c0487c2 Environment-variable access.
repo/packages/cli/src/workflow-runner.ts:272
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #635421680d2e52d6 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:746
			originalOffloadManualExecutionsToWorkers = process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9259e594025db91 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:747
			process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5ed66b697294d164 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:773
				delete process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84782233d4dc5b65 Environment-variable access.
repo/packages/cli/src/workflows/__tests__/workflow-execution.service.test.ts:775
				process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS = originalOffloadManualExecutionsToWorkers;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf1ddda01007e05d Environment-variable access.
repo/packages/cli/src/workflows/workflow-execution.service.ts:242
				process.env.OFFLOAD_MANUAL_EXECUTIONS_TO_WORKERS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #214f3cf5581aee09 Filesystem access.
repo/packages/cli/vitest.tsc-entity-transform.ts:72
			const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f596b83def8bbf10 Filesystem access.
repo/packages/cli/vitest.tsc-entity-transform.ts:90
				const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/nodes-base

npm first-party
high pii_flow production #9bd17b6a47831a9b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:77
		const secureXToken = (await http.request({
			url: `https://visibility.${region}.cisco.com/iroh/oauth2/token`,
			method: 'POST',
			auth: {
				username: clientId,
				password: clientSecret,
			},
			body: new URLSearchParams({
				grant_type: 'client_credentials',
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
				Accept: 'application/json',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #87a2940ea99a8c79 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:92 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/CiscoSecureEndpointApi.credentials.ts:95
		const secureEndpointToken = (await http.request({
			url: `https://api.${region}.cisco.com/v3/access_tokens`,
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'client_credentials',
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
				Accept: 'application/json',
				Authorization: `Bearer ${secureXToken.access_token}`,
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f3bff8db3117fa83 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:334 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/GoogleApi.credentials.ts:366
		const { access_token } = (await http.request({
			url: 'https://oauth2.googleapis.com/token',
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
				assertion: signature,
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e0cb82a628de0871 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:148 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/MicrosoftEntraServicePrincipalApi.credentials.ts:140
	const response = await http.request({
		url: tokenUrl,
		method: 'POST',
		body: body.toString(),
		headers: {
			'Content-Type': 'application/x-www-form-urlencoded',
		},
		json: true,
		timeout: TOKEN_REQUEST_TIMEOUT,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c64818f5235a2d54 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:105 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/SalesforceJwtApi.credentials.ts:121
		const response = (await http.request({
			url: `${authUrl}/services/oauth2/token`,
			method: 'POST',
			body: new URLSearchParams({
				grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
				assertion: signature,
			}).toString(),
			headers: {
				'Content-Type': 'application/x-www-form-urlencoded',
			},
			json: true,
			timeout: TOKEN_REQUEST_TIMEOUT,
		})) as { access_token?: string; instance_url?: string };

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5a833d3eb9d0d7e7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:283
		const response = await fetch(fullUri, {
			method: 'GET',
			headers,
			signal: AbortSignal.timeout(2000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9b3f7d8c0137a41f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:349
		const credentialsResponse = await fetch(`https://sts.${region}.${getAwsDomain(region)}`, {
			method: 'POST',
			headers,
			body: body.toString(),
			signal: AbortSignal.timeout(2000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #806be562f4020fc2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:41 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AcuityScheduling/GenericFunctions.ts:45
			return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2e0fc8edc6570359 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Affinity/GenericFunctions.ts:47
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3f011628763091b1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:31 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:50
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a0ecaebda5e508c1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:128
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1f0cfc1b25666193 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:140
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #8d81aa0205683eb2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:149
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c1652319d9a3b9cb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:112 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/AgileCrm/GenericFunctions.ts:160
			lastSuccesfulUpdateReturn = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c1ff052e0f0ec3a8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:29 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Autopilot/GenericFunctions.ts:45
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #85b812d3dc9c8576 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:25 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/BambooHr/v1/transport/index.ts:56
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4344223d3d4efa07 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:29 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bannerbear/GenericFunctions.ts:45
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4c8a4198270d36df User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:208 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bitbucket/BitbucketTrigger.node.ts:217
					const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0f2b19775e16869b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:48 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Bitbucket/GenericFunctions.ts:61
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c64b9eb3d92d4099 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:591 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Chargebee/Chargebee.node.ts:600
					responseData = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9117002b9a4ebe47 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:25 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/CircleCi/GenericFunctions.ts:39
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #323b4419da9a04ba User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:25 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Clearbit/GenericFunctions.ts:37
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #69a28b81cf41ec43 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:26 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Demio/GenericFunctions.ts:38
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #b1a8a021471cb46f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:28 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Dhl/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #486c579d37c7ea01 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:172 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Discord/v1/DiscordV1.node.ts:253
					response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #aa97ab85d03158e4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:36 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Egoi/GenericFunctions.ts:50
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #eaaeca33b82f550d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:126 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Emelia/GenericFunctions.ts:135
		await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1c0b134503d5befc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:37 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/FileMaker/GenericFunctions.ts:64
		const response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2e54867eaa9e993c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:23 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Freshdesk/GenericFunctions.ts:46
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #067a87f02b9a85a3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:187 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Google/Chat/GoogleChat.node.ts:223
					const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #3bce88b4e9a21617 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:90 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Google/GenericFunctions.ts:126
	return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c39cddbac6ae0910 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:432 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/GraphQL/GraphQL.node.ts:535
					response = await this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2deb4d6340a1f798 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:958 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V1/HttpRequestV1.node.ts:1014
				const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #28d15224c8c0a08a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1019 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V2/HttpRequestV2.node.ts:1078
					const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #291441097527669d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:556 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HttpRequest/V3/HttpRequestV3.node.ts:766
						const request = this.helpers.request(requestOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #6fd4379fd8a5ce71 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:45 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:46
			return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #29c62e6fdd1f5cad User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:55 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V1/GenericFunctions.ts:56
				return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #1e51b0d0e988bd0e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:47 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hubspot/V2/GenericFunctions.ts:48
				return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #671057efce14df29 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:35 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/HumanticAI/GenericFunctions.ts:41
		const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #078d0beea2f52aa9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:23 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Hunter/GenericFunctions.ts:36
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #232325c01cfb3025 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:32 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Jenkins/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #36156da53fd7d0b2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:26 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/JotForm/GenericFunctions.ts:41
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2ccf90df56fe83a5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:109 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Linear/GenericFunctions.ts:122
	return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #efe145e782516359 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:26 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/LingvaNex/GenericFunctions.ts:37
		const response = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #47b7dd5c79f0b87e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Mandrill/GenericFunctions.ts:37
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #a78c6c008eaa6f8c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Marketstack/GenericFunctions.ts:35
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f12397084815dcb3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:248 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Odoo/v1/OdooV1.node.ts:266
					const result = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #91f7987130a25e69 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:33 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Onfleet/GenericFunctions.ts:43
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #48a2fe1231191df3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:137 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Onfleet/Onfleet.node.ts:146
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #52431a94d52f74d7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:25 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PayPal/GenericFunctions.ts:42
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #675fb09beb123e20 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:86 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PayPal/PayPal.node.ts:117
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #39c920a683cc1bf5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/PostHog/GenericFunctions.ts:41
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ebae4d76d06106a8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:36 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/QuickBase/GenericFunctions.ts:58
		return await this.helpers?.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e2fd1b09f7b478d2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:56 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SeaTable/v1/GenericFunctions.ts:62
	ctx.base = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5e25db4bd5b6f39b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:51 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SecurityScorecard/GenericFunctions.ts:74
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c4aa984a5e4ec0f2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:65 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/SentryIo/GenericFunctions.ts:68
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #45c39c74776c895b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:30 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Stackby/GenericFunction.ts:49
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #5dc45e64fb07eab2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:79 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Strapi/GenericFunctions.ts:85
	return await (this.helpers.request(options) as Promise<{ jwt: string }>);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0553ad51010d47ac User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:111 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Strapi/Strapi.node.ts:119
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4cf472445d5fa375 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:26 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Tapfiliate/GenericFunctions.ts:43
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #69c3de7d15155f58 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:43 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/UnleashedSoftware/GenericFunctions.ts:53
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #cbbcaf8d94f1a082 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:24 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Uplead/GenericFunctions.ts:36
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9a5a272f0eaad50c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:25 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/UptimeRobot/GenericFunctions.ts:33
		const responseData = await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0ef1d78793329fe1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:44 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zammad/GenericFunctions.ts:73
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #950a3262b8fd1da9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:293 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zammad/Zammad.node.ts:299
					await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #c79b8cda95ba806d User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53 · flow /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:33 → /tmp/closeopen-eiu3royx/repo/packages/nodes-base/nodes/Zulip/GenericFunctions.ts:53
		return await this.helpers.request(options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 42 low-confidence finding(s)
low env_fs production #08b7aac000486a42 Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-sdk.ts:44
const getEnv = (key: string): string | undefined => process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36503244be5b1809 Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:4
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57356d95d29a829a Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:28
export const envGetter = (key: string): string | undefined => process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #7c0318a070f48f33 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:121
			const tokenResponse = await fetch(`${baseUrl}/api/token`, {
				method: 'PUT',
				headers: {
					'X-aws-ec2-metadata-token-ttl-seconds': '21600',
					'User-Agent': 'n8n-aws-credential',
				},
				signal: AbortSignal.timeout(2000),
			});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #ff3de8034154aa4a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:138
		const roleResponse = await fetch(`${baseUrl}/meta-data/iam/security-credentials/`, {
			method: 'GET',
			headers,
			signal: AbortSignal.timeout(2000),
		});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ce2e5ea75efe6dc6 Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:264
				authToken = (await readFile(authTokenFile, 'utf-8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cba59dfbecce2e95 Filesystem access.
repo/packages/nodes-base/credentials/common/aws/system-credentials-utils.ts:328
		const token = (await readFile(webIdentityTokenFile, 'utf8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d3b84d22263ec08b Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:619
		const url = new URL('https://vpce-0abc123.bedrock-runtime.us-east-1.vpce.amazonaws.com/model');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #39a87217e48ab2c4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:624
		const url = new URL('https://vpce-0abc123.sqs.us-west-2.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c51db9889698c4cc Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:629
		const url = new URL('https://vpce-0abc123-usw2-az1.sqs.us-west-2.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #1b2da1b6263a391d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:634
		const url = new URL('https://vpce-0abc.sqs.not-a-region.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #00e96e24341cac53 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:639
		const url = new URL('https://vpce-0abc123.sqs.us-gov-west-1.vpce.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d26808fd8ac59eb4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:644
		const url = new URL('https://vpce-0abc123.sqs.cn-north-1.vpce.amazonaws.com.cn/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #00ef46067c8f7c04 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:649
		const url = new URL('https://lambda.us-east-1.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #333bbed285c01d47 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:654
		const url = new URL('https://lambda.cn-north-1.amazonaws.com.cn/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #e2bcf9b885e15180 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/nodes-base/credentials/common/aws/utils.test.ts:659
		const url = new URL('https://iam.amazonaws.com/');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #24dc27b3a781188f Environment-variable access.
repo/packages/nodes-base/credentials/common/aws/utils.ts:627
	if (process.env.N8N_AWS_LEGACY_SIGNER === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #865cba9cbe1dcdc3 Filesystem access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15c1509cf32753c0 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:8
	if (process.env.N8N_VERSION) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f0b8c8f3221bef3 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:9
		return process.env.N8N_VERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39f947fe0d96f6b5 Filesystem access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:15
		const n8nPackageJson = jsonParse<n8n.PackageJson>(readFileSync(packageJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab0c0f9fd6cf4f39 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:25
export const BASE_URL = process.env.AIRTOP_BASE_URL ?? 'https://api.airtop.ai/api/v1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #321ba54b60423b0e Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:26
export const BASE_URL_V2 = process.env.AIRTOP_BASE_URL_V2 ?? 'https://api.airtop.ai/api/v2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f6c5006787dc216 Environment-variable access.
repo/packages/nodes-base/nodes/Airtop/constants.ts:28
	process.env.AIRTOP_HOOKS_BASE_URL ?? 'https://api.airtop.ai/api/hooks';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a77b36f86d5737e1 Filesystem access.
repo/packages/nodes-base/nodes/EditImage/EditImage.node.ts:1
import { writeFile as fsWriteFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38a446fa86078d66 Filesystem access.
repo/packages/nodes-base/nodes/EditImage/EditImage.node.ts:1140
						await fsWriteFile(path, binaryDataBuffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ff15d051795cccf Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts:1
import { readFile as fsReadFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b8359d12b81ea09 Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts:1
import { readFile as fsReadFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3e9fffcedddf41c Filesystem access.
repo/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts:48
		const workflowJson = await fsReadFile(resolvedPath, { encoding: 'utf8' }).catch(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2135608adaa41ea9 Filesystem access.
repo/packages/nodes-base/nodes/Form/utils/utils.ts:3
import { rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef3e12198bba9aef Filesystem access.
repo/packages/nodes-base/nodes/Ftp/Ftp.node.ts:3
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #533864bd8d5eec5a Filesystem access.
repo/packages/nodes-base/nodes/Merge/v3/helpers/sandbox-utils.ts:62
	const alasqlSource = await readFile(alasqlBundlePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccf1d28656066b4b Filesystem access.
repo/packages/nodes-base/nodes/SpreadsheetFile/v1/SpreadsheetFileV1.node.ts:83
						workbook = xlsxReadFile(binaryPath, xlsxOptions);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1805378aded2ca9e Filesystem access.
repo/packages/nodes-base/nodes/Ssh/Ssh.node.ts:2
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b12c790ad1928c6 Filesystem access.
repo/packages/nodes-base/nodes/Ssh/Ssh.node.ts:448
								await writeFile(binaryFile.path, uploadData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f18dd19af80bd444 Filesystem access.
repo/packages/nodes-base/nodes/Webhook/Webhook.node.ts:2
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d6f5fe00f559e6f Filesystem access.
repo/packages/nodes-base/nodes/Webhook/Webhook.node.ts:3
import { stat } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #772b190a8ba2a763 Filesystem access.
repo/packages/nodes-base/nodes/Webhook/utils.ts:3
import { rm } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f001952cdc9e0f3e Filesystem access.
repo/packages/nodes-base/scripts/copy-nodes-json.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d6e211793afe0de Filesystem access.
repo/packages/nodes-base/scripts/validate-schema-versions.js:11
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9a918f1ebf570d0 Filesystem access.
repo/packages/nodes-base/scripts/validate-schema-versions.js:66
	const content = fs.readFileSync(nodeFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5af35d4589be537a Environment-variable access.
repo/packages/nodes-base/vite.config.ts:7
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/core

npm first-party
high pii_flow production #60ec4499e9fa2f09 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/azure-blob.manager.ts:66 · flow /tmp/closeopen-eiu3royx/repo/packages/core/src/binary-data/azure-blob.manager.ts:64 → /tmp/closeopen-eiu3royx/repo/packages/core/src/binary-data/azure-blob.manager.ts:66
		await this.azureBlobService.put(targetFileId, sourceFile, metadata);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #41df78b3fa9e318f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/core/src/binary-data/object-store.manager.ts:80 · flow /tmp/closeopen-eiu3royx/repo/packages/core/src/binary-data/object-store.manager.ts:78 → /tmp/closeopen-eiu3royx/repo/packages/core/src/binary-data/object-store.manager.ts:80
		await this.objectStoreService.put(targetFileId, sourceFile, metadata);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry test-only #0bae519e294b53ec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/__tests__/error-reporter.test.ts:3
import type { ErrorEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d234ffe462942a27 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/error-reporter.ts:6
import type { ErrorEvent, EventHint } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #76f092dd8a11b3e0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/errors/error-reporter.ts:7
import type { NodeOptions } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #81ba52ad6781276f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/sentry-tracing.test.ts:1
import type { StartSpanOptions } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #a275b34d974f2493 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/sentry-tracing.test.ts:2
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #5d8b33714123a8a0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/span-sampling.test.ts:1
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #ac92064e5470f31f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/__tests__/tracing.test.ts:1
import type { StartSpanOptions } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #4287d349e67cbe38 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/sentry-tracing.ts:2
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #87461053b17f2a5c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/span-sampling.ts:1
import type { SpanJSON, TracesSamplerSamplingContext, TransactionEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #912a74403db05237 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/tracing.ts:2
import type {
	StartSpanOptions as SentryStartSpanOptions,
	SpanContextData as SentrySpanContextData,
	SpanAttributes as SentrySpanAttributes,
} from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #77a041f04be82c96 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/core/src/observability/tracing/tracing.ts:7
import type Sentry from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 108 low-confidence finding(s)
low env_fs production #7bf52e9129ae3206 Filesystem access.
repo/packages/core/bin/common.js:13
	await writeFile(filePath, payload, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41eb876014a4543b Filesystem access.
repo/packages/core/bin/generate-node-defs:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf855ed48d5a5d84 Filesystem access.
repo/packages/core/bin/generate-node-defs:15
const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26f27f415ee16fed Filesystem access.
repo/packages/core/bin/generate-translations:3
const {
	existsSync,
	promises: { writeFile },
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faca019e70cfd8cc Filesystem access.
repo/packages/core/bin/generate-translations:6
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a82a2f7a7ada5b9e Filesystem access.
repo/packages/core/nodes-testing/node-test-harness.ts:64
		return JSON.parse(readFileSync(filePath, 'utf-8')) as IWorkflowBase &

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3643d59fbd93d076 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:47
		process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'filesystem';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4da3b40bfae27f1a Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:55
		process.env.N8N_STORAGE_PATH = '/custom/storage/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2de49d065e580161 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:63
		process.env.N8N_STORAGE_PATH = '/path/one';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aaebc0ad332fa35c Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:64
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/path/two';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c6cacee86ce2940 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:70
		process.env.N8N_STORAGE_PATH = '/same/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65e0cd0406752895 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:71
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/same/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d1d1fb16b55528d Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:79
		process.env.N8N_EXECUTION_DATA_STORAGE_MODE = 'invalid-mode';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42aee9ee5e9d4bd9 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:106
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9eeeca8f7f6f3729 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:131
			process.env.N8N_STORAGE_PATH = '/custom/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a487f7886b32c708 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:139
			process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59ebc2c208c4801a Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:155
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6dcdd627d5fe35b0 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:165
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2f71ea9785edb2a6 Environment-variable access.
repo/packages/core/src/__tests__/storage.config.test.ts:175
			process.env.N8N_MIGRATE_FS_STORAGE_PATH = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #96001a0f80d5bcd2 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:40
		process.env.N8N_DEFAULT_BINARY_DATA_MODE = 's3';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92e061c1c80a5700 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:41
		process.env.N8N_BINARY_DATA_STORAGE_PATH = '/custom/storage/path';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f75f342e3631a05d Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:42
		process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'super-secret';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #62fac25285a6ce34 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:59
		process.env.N8N_DEFAULT_BINARY_DATA_MODE = 'invalid-mode';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f435aa1be986020f Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:71
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '1024';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f05766c3fbcd849 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:85
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = 'not-a-number';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b1ecd9c88ba3074 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:96
			process.env.N8N_BINARY_DATA_DATABASE_MAX_FILE_SIZE = '2048';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8f8c10334762ec8 Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:118
			delete process.env.N8N_BINARY_DATA_SIGNING_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12ae5efa5d02458f Environment-variable access.
repo/packages/core/src/binary-data/__tests__/binary-data.config.test.ts:122
			process.env.N8N_BINARY_DATA_SIGNING_SECRET = 'env-pinned-secret';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bef0c472c762148e Filesystem access.
repo/packages/core/src/binary-data/azure-blob.manager.ts:64
		const sourceFile = await fs.readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ed641de9080fa85 Environment-variable access.
repo/packages/core/src/binary-data/binary-data.config.ts:81
		if (process.env.N8N_BINARY_DATA_SIGNING_SECRET) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bf79e610e49cb3f Filesystem access.
repo/packages/core/src/binary-data/binary-data.service.ts:77
			binaryData.data = await readFile(filePath, { encoding: BINARY_ENCODING });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a374a959cbdf4a4b Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:37
		await fs.writeFile(filePath, bufferOrStream);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3df09a81e20df3c6 Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:67
		return await fs.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fcf92f8a5a6f870 Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:73
		return await jsonParse(await fs.readFile(filePath, { encoding: 'utf-8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca98a143b6c449a1 Filesystem access.
repo/packages/core/src/binary-data/file-system.manager.ts:199
		await fs.writeFile(filePath, JSON.stringify(metadata), { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #652fc8c0010b16b6 Filesystem access.
repo/packages/core/src/binary-data/object-store.manager.ts:78
		const sourceFile = await fs.readFile(sourcePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #460c94eef2db2432 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:233
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #085809e28fb0cbb5 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:234
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19494badb43766a7 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:243
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83ac110733abdaa0 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:268
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ae7ccd411a3fc16a Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:269
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #80caf3d31a31a760 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:274
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f48124b79eae9a6 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:300
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1a48a804eb3fdb7 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:301
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #062d719f4e0a015d Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:306
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9751481ef6afa713 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:326
			const originalFlag = process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #531fc55168b4320d Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:327
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88e31f581ead6ab1 Environment-variable access.
repo/packages/core/src/encryption/__tests__/cipher.test.ts:334
				process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION = originalFlag;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #487082e5abd6039d Environment-variable access.
repo/packages/core/src/encryption/cipher.ts:38
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aab408ae685d2ad Environment-variable access.
repo/packages/core/src/encryption/cipher.ts:58
			process.env.N8N_ENV_FEAT_ENCRYPTION_KEY_ROTATION === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b56a34c4ddb225c7 Environment-variable access.
repo/packages/core/src/execution-engine/__tests__/ssh-clients-manager.test.ts:251
		process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = '5';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6cd0405df96aae8 Environment-variable access.
repo/packages/core/src/execution-engine/__tests__/ssh-clients-manager.test.ts:264
			process.env.N8N_SSH_TUNNEL_IDLE_TIMEOUT = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #294be4c547282a24 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/execute-context.ts:222
		if (process.env.CODE_ENABLE_STDOUT === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4486fb8121b2136c Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/supply-data-context.ts:431
		if (process.env.CODE_ENABLE_STDOUT === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f0e9b16047fb4ad Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/binary-helper-functions.test.ts:3
import { mkdtempSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9d7652f3a971789 Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/binary-helper-functions.test.ts:128
			readFileSync(
				`${temporaryDir}/${setBinaryDataBufferResponse.id?.replace('filesystem-v2:', '')}`,
			),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4e2f9076bdc0a1a1 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:61
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e622718e1fe4d4b7 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:99
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c65e25c6a492b46 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:117
		process.env[CONFIG_FILES] = '/path/to/config1,/path/to/config2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c068f429ed76893f Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:123
		process.env[CUSTOM_EXTENSION_ENV] = '/path/to/extensions1;/path/to/extensions2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cda7ee0c1ad3865b Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:129
		process.env[BINARY_DATA_STORAGE_PATH] = '/path/to/binary/storage';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #531a2b23d07b83cc Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:135
		process.env[UM_EMAIL_TEMPLATES_INVITE] = '/path/to/invite/templates';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17f8224c7db5cef1 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:136
		process.env[UM_EMAIL_TEMPLATES_PWRESET] = '/path/to/pwreset/templates';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f31eff3187dc6801 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:147
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e5737da00669f35 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:150
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a47322ba04d785e4 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:157
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d3fe974404b00d2 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:160
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acfa1afebac7db99 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:167
		const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a93fdfa819f23d69 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:170
		process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6bed419e351f9d54 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts:389
			process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0006eab078969cb1 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:122
	const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11056b8d21cfa964 Filesystem access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:423
				await fileHandle.writeFile(content, { encoding: 'binary' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e753d3094ce4d299 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:458
	if (process.env[CONFIG_FILES]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06fd277ff15c7033 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:459
		restrictedPaths.push(...process.env[CONFIG_FILES].split(','));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4178d76ec36f46ff Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:462
	if (process.env[CUSTOM_EXTENSION_ENV]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b33088aee22e142 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:463
		const customExtensionFolders = process.env[CUSTOM_EXTENSION_ENV].split(';');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #282dc1acca844e78 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:467
	if (process.env[BINARY_DATA_STORAGE_PATH]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97de45bb76a46d8b Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:468
		restrictedPaths.push(process.env[BINARY_DATA_STORAGE_PATH]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5efbe10ea24324a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:471
	if (process.env[UM_EMAIL_TEMPLATES_INVITE]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bc7138155f3e87a Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:472
		restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_INVITE]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d16814e845f0efeb Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:475
	if (process.env[UM_EMAIL_TEMPLATES_PWRESET]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3461551be0a4f49 Environment-variable access.
repo/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:476
		restrictedPaths.push(process.env[UM_EMAIL_TEMPLATES_PWRESET]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f61ec4a3aaf36180 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:91
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6f823f8470c95e8 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:101
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8b9ec55106c5aa86 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:137
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #645b42fd4dec2d51 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:155
			process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b97e583ed3419b4 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:247
				process.env.N8N_INSTANCE_ID = 'env-pinned-id';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a49c17098b562632 Environment-variable access.
repo/packages/core/src/instance-settings/__tests__/instance-settings.test.ts:302
				process.env.N8N_HMAC_SIGNATURE_SECRET = 'env-pinned-hmac';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f0841c4b54a3497 Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:101
			process.env.N8N_INSTANCE_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a141c8f668a8cd58 Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:110
			process.env.N8N_HMAC_SIGNATURE_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a985ab9f12f83a4 Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:232
			const cgroupV1 = readFileSync('/proc/self/cgroup', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bcb4cad58f4116d Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:241
			const cgroupV2 = readFileSync('/proc/self/mountinfo', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f120280b8ce9a4e Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:263
			const content = readFileSync(this.settingsFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60868021b2f6319a Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:315
		const hmacSignatureSecretFromEnv = process.env.N8N_HMAC_SIGNATURE_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c736b0e624959413 Filesystem access.
repo/packages/core/src/instance-settings/instance-settings.ts:324
		writeFileSync(this.settingsFile, JSON.stringify(this.settings, null, '\t'), {
			mode: this.enforceSettingsFilePermissions.enforce ? 0o600 : undefined,
			encoding: 'utf-8',
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bb2dcba54a1e88d Environment-variable access.
repo/packages/core/src/instance-settings/instance-settings.ts:335
		const isEnvVarSet = !!process.env.N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d4121258ca42bafa Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:40
		fs.writeFileSync(file, nodeSource(version));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #50922d9254a952d0 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:75
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59a1bd61ec892c30 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:99
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df7cbec50e3c6c3f Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/custom-directory-loader.hot-reload.test.ts:116
		fs.writeFileSync(nodeFile, nodeSource(2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #614704479d191969 Filesystem access.
repo/packages/core/src/nodes-loader/__tests__/scan-directory-for-packages.fs.test.ts:30
		writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version: '1.0.0' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #945dba8d069e294c Filesystem access.
repo/packages/core/src/nodes-loader/package-directory-loader.ts:96
		const fileString = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf9ba2fb0c21e175 Filesystem access.
repo/packages/core/src/nodes-loader/package-directory-loader.ts:102
		const fileString = await readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #117ffaffb1633f3a Environment-variable access.
repo/packages/core/src/storage.config.ts:41
		const storagePath = process.env.N8N_STORAGE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b2ec88bcbee8b46 Environment-variable access.
repo/packages/core/src/storage.config.ts:42
		const binaryDataStoragePath = process.env.N8N_BINARY_DATA_STORAGE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #245a0c1e6d628a5d Environment-variable access.
repo/packages/core/src/storage.config.ts:70
		if (process.env.N8N_STORAGE_PATH) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2594a5707099bb6c Environment-variable access.
repo/packages/core/src/storage.config.ts:71
		if (process.env.N8N_BINARY_DATA_STORAGE_PATH) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #023e3cfa8ee9225e Environment-variable access.
repo/packages/core/src/storage.config.ts:78
		const shouldMigrate = process.env.N8N_MIGRATE_FS_STORAGE_PATH === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm)

npm first-party
high pii_flow production #9c2bf066b82563ec User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45 · flow /tmp/closeopen-eiu3royx/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → /tmp/closeopen-eiu3royx/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fc9c394037ea7596 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/keycloak.ts:520 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/containers/services/keycloak.ts:509 → /tmp/closeopen-eiu3royx/repo/packages/testing/containers/services/keycloak.ts:520
			const { headers, body } = await undiciRequest(formAction, {
				method: 'POST',
				headers: loginHeaders,
				body: loginBody.toString(),
				dispatcher: agent,
			});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f1e01089a64dea31 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/containers/services/ngrok.ts:85 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/containers/services/ngrok.ts:48 → /tmp/closeopen-eiu3royx/repo/packages/testing/containers/services/ngrok.ts:85
			const response = await fetch(`http://${host}:${hostPort}/api/tunnels`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0fee3d50dce0d5d1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:75 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/reporters/metrics-reporter.ts:40 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/reporters/metrics-reporter.ts:75
					const response = await fetch(webhookUrl, {
						method: 'POST',
						headers: {
							'Content-Type': 'application/json',
							Authorization: `Basic ${auth}`,
						},
						body: JSON.stringify(payload),
						signal: AbortSignal.timeout(30000),
					});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #4715569606bab70f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/coverage-analysis.mjs:146
			res = await fetch(url, { headers });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #9749cd2fee9a23cf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:46
	const res = await fetch(`http://localhost:${VM_PORT}/api/v1/import`, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: readFileSync(metricsFile),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0f1e914596002f8e User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/scripts/import-victoria-data.mjs:56
	const res = await fetch(`http://localhost:${VL_PORT}/insert/jsonline`, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: readFileSync(logsFile),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e678f97f64509605 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:223 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:225 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/mcp-oauth-api-helper.ts:223
		return await this.api.request.post(`${params.basePath ?? DEFAULT_ENDPOINT_BASE_PATH}/revoke`, {
			form: {
				token: params.token,
				client_id: params.clientId,
				...(params.tokenTypeHint && { token_type_hint: params.tokenTypeHint }),
			},
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fc73a4edc09bbfaf User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/scripts/instance-seeding/seedInstance.mjs:228 · flow /tmp/closeopen-eiu3royx/repo/scripts/instance-seeding/seedInstance.mjs:10 → /tmp/closeopen-eiu3royx/repo/scripts/instance-seeding/seedInstance.mjs:228
	const res = await fetch(`${BASE}/api/v1${path}`, {
		method,
		headers: HEADERS,
		body: body !== undefined ? JSON.stringify(body) : undefined,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #2b620afae4352bba Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45 · flow /tmp/closeopen-eiu3royx/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:29 → /tmp/closeopen-eiu3royx/repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 578 low-confidence finding(s)
low egress production #0e8b5ec3530e87a6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/.claude/plugins/n8n/scripts/track-skill-usage.mjs:45
	await fetch(`${TELEMETRY_HOST}/v1/track`, {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json',
			Authorization: `Basic ${Buffer.from(`${TELEMETRY_WRITE_KEY}:`).toString('base64')}`,
		},
		body: payload,
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #1e2915a33f3b9e28 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:338
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fce6861b05d02f98 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:345
		writeFileSync(join(repoDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f94e29f503a8c8db Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:351
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\ndrift-from-master\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1adf476d8e4f1fa1 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:386
		writeFileSync(join(repoDir, 'shared.ts'), 'shared\npr-edit\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #da8e12ecd0969c4f Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:405
	const originalStep = process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19bd2cfa77ceefde Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:417
		writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e9f8e0cc0724271 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:424
		writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #969e1f0b88ed825b Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:432
			writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e67b7072ffa3908e Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:445
		process.env.CI_FILTER_DEEPEN_STEP = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60020ac6d1c20587 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:451
		if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d8d5370ee7e96ce5 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:452
		else process.env.CI_FILTER_DEEPEN_STEP = originalStep;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #984b995af92479c3 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:472
	const originalStep = process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ec2b36e406e65fa Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:473
	const originalMax = process.env.CI_FILTER_MAX_DEEPEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be5b9004db520c6a Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:484
		writeFileSync(join(builderDir, 'shared.ts'), 'shared\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b714aa7231f2063 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:490
		writeFileSync(join(builderDir, 'pr-only.ts'), 'pr\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #401495efa02074df Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:497
			writeFileSync(join(builderDir, 'shared.ts'), `shared\ndrift ${i}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f034c753cac125ce Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:510
		process.env.CI_FILTER_DEEPEN_STEP = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6af424be286bb1aa Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:511
		process.env.CI_FILTER_MAX_DEEPEN = '2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74ccbeed99ae16d5 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:517
		if (originalStep === undefined) delete process.env.CI_FILTER_DEEPEN_STEP;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e3e8cb49d4c2b61f Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:518
		else process.env.CI_FILTER_DEEPEN_STEP = originalStep;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc0c1a83b0735a77 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:519
		if (originalMax === undefined) delete process.env.CI_FILTER_MAX_DEEPEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73858c3a29a4b6fa Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:520
		else process.env.CI_FILTER_MAX_DEEPEN = originalMax;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a3fa50934fb04cd Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:552
		writeFileSync(join(repoDir, 'main.ts'), 'main\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b94116cf98fbf6c3 Filesystem access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:560
		writeFileSync(join(repoDir, 'feature.ts'), 'feature\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b8af74a7cc1eec9 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:582
		const originalEnv = process.env.INPUT_JOB_RESULTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c6f6852da338bed Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:586
		process.env.INPUT_JOB_RESULTS = JSON.stringify(jobResults);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1a8364e051cd463 Environment-variable access.
repo/.github/actions/ci-filter/__tests__/ci-filter.test.ts:594
			process.env.INPUT_JOB_RESULTS = originalEnv;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #822ea6597cc4e924 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:147
	let step = Number(process.env.CI_FILTER_DEEPEN_STEP) || 200;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63f25d1d8ada31d1 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:148
	const maxDeepen = Number(process.env.CI_FILTER_MAX_DEEPEN) || 20_000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28ac9ed0137287f1 Filesystem access.
repo/.github/actions/ci-filter/ci-filter.mjs:195
		const content = readFileSync(shallowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7cdadc9773142095 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:245
	const outputFile = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #187f2d218f1300ed Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:265
	maxCount = Number(process.env.CI_FILTER_MAX_CHANGED_FILES) || 1000,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1bbc4d2be8b370bd Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:279
	const filtersInput = process.env.INPUT_FILTERS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c666550c2c54bdf4 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:280
	const baseRef = process.env.INPUT_BASE_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e773ac5016de1198 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:318
	const raw = process.env.INPUT_JOB_RESULTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5e9ed917961443b1 Environment-variable access.
repo/.github/actions/ci-filter/ci-filter.mjs:348
	const mode = process.env.INPUT_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ab11c5217088c83a Filesystem access.
repo/.github/scripts/bump-versions.mjs:3
import { writeFile, readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3637dbfe3748da9 Environment-variable access.
repo/.github/scripts/bump-versions.mjs:175
	const releaseType = /** @type { import('semver').ReleaseType | "experimental" } */ (
		process.env.RELEASE_TYPE
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b63531deab62c1f3 Filesystem access.
repo/.github/scripts/bump-versions.mjs:224
	const rootPkgJson = JSON.parse(await readFile(resolve(rootDir, 'package.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4ee1face2a00871e Filesystem access.
repo/.github/scripts/bump-versions.mjs:235
		await readFile(resolve(rootDir, 'pnpm-workspace.yaml'), 'utf-8').catch(() => ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff8b6cec399a7316 Filesystem access.
repo/.github/scripts/bump-versions.mjs:252
		const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2beb8212b6b6b320 Filesystem access.
repo/.github/scripts/bump-versions.mjs:271
		const packageJson = JSON.parse(await readFile(packageFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #882ec294dc340321 Filesystem access.
repo/.github/scripts/bump-versions.mjs:285
		await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10ae6565c7522b6d Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:25
	const prNumber = process.env.PR_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e4ed37003c2852e2 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:26
	const headSha = process.env.HEAD_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e132dcbb5a73155 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:27
	const baseSha = process.env.BASE_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd3335bca7828ba2 Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:28
	const isMergeGroup = process.env.IS_MERGE_GROUP === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d20d6151817a98c Environment-variable access.
repo/.github/scripts/cla/check-signatures.mjs:90
		const url = `${process.env.CLA_API}?checkContributor=${encodeURIComponent(login)}`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #16024c3c2daeb12f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/cla/check-signatures.mjs:92 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/cla/check-signatures.mjs:90 → /tmp/closeopen-eiu3royx/repo/.github/scripts/cla/check-signatures.mjs:92
			const res = await fetch(url);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #bd148148d3a74bc6 Environment-variable access.
repo/.github/scripts/cla/manage-label.mjs:23
	const issue_number = Number(process.env.PR_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #949eff4521d8bf17 Environment-variable access.
repo/.github/scripts/cla/manage-label.mjs:24
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #14342b4b7647588d Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:24
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #451ebb009558e0b5 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:25
	const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e3b114acc0f47a6 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:26
	const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54d79761a6e5eccf Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:27
	const unlinked = JSON.parse(process.env.UNLINKED || '[]');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a338af57f657869 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:52
	const prNumber = process.env.PR_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9dff253a51508b7c Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:55
		: process.env.CLA_SIGN_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd6005d4d01f64c1 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:60
		sha: /** @type {string} */ (process.env.HEAD_SHA),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38ac451d46f4d543 Environment-variable access.
repo/.github/scripts/cla/post-final-status.mjs:62
		context: /** @type {string} */ (process.env.STATUS_CONTEXT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0cc72fdfbdf68ce Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:19
	const issue_number = Number(process.env.PR_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26077820c4a96153 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:20
	const allSigned = process.env.ALL_SIGNED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #454caa7862d80ab6 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:21
	const unsigned = (process.env.UNSIGNED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90c4fd6fee803130 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:22
	const errored = (process.env.ERRORED ?? '').split(',').filter(Boolean);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b25cc45af5d830b Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:23
	const unlinked = JSON.parse(process.env.UNLINKED || '[]');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c46d65de0d524cb Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:24
	const MARKER = /** @type {string} */ (process.env.COMMENT_MARKER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c277105d2b3123d9 Environment-variable access.
repo/.github/scripts/cla/update-pr-comment.mjs:54
Like many open source projects, we ask that you sign our [Contributor License Agreement](${process.env.CLA_SIGN_URL}) before we can accept your contribution.`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #60c12b033ac83efe Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:17
const task = process.env.INPUT_TASK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07dc24371431d7e5 Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:18
const useRaw = process.env.USE_RAW_PROMPT === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f38a1383098e312b Environment-variable access.
repo/.github/scripts/claude-task/prepare-claude-prompt.mjs:19
const envFile = process.env.GITHUB_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4244966c2d98bdb3 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:18
const resumeUrl = process.env.RESUME_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48c64fca6171b655 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:19
const executionFile = process.env.EXECUTION_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abbfabf5a789e3e8 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:20
const claudeOutcome = process.env.CLAUDE_OUTCOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #38d424a732584bdb Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:21
const sessionId = process.env.CLAUDE_SESSION_ID ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb9fb4db5a409733 Environment-variable access.
repo/.github/scripts/claude-task/resume-callback.mjs:22
const branchName = process.env.BRANCH_NAME ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fa86e4df13d91908 Filesystem access.
repo/.github/scripts/claude-task/resume-callback.mjs:34
		const execution = JSON.parse(readFileSync(executionFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #4d27c53becddf0f5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/claude-task/resume-callback.mjs:45 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/claude-task/resume-callback.mjs:18 → /tmp/closeopen-eiu3royx/repo/.github/scripts/claude-task/resume-callback.mjs:45
	const response = await fetch(resumeUrl, {
		method: 'POST',
		headers: { 'Content-Type': 'application/json' },
		body: payload,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #29eb0685283e2c09 Environment-variable access.
repo/.github/scripts/cleanup-ghcr-images.mjs:18
const ORG = process.env.GHCR_ORG || 'n8n-io';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b2f0418a66eb64b Environment-variable access.
repo/.github/scripts/cleanup-ghcr-images.mjs:19
const REPO = process.env.GHCR_REPO || 'n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7bb7ad0980622fa8 Filesystem access.
repo/.github/scripts/cleanup-release-branch.mjs:85
	const rawEventData = await fs.readFile(eventPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a1e7ed256dfa7c08 Environment-variable access.
repo/.github/scripts/compute-backport-targets.mjs:70
	const pullRequestEnv = process.env.PULL_REQUEST_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0630e576043b24ff Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:72
		process.env.GITHUB_EVENT_PATH = './fixtures/mock-github-event.json';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41046c5c2799f30c Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:81
		process.env.PULL_REQUEST_ID = '123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #26e56bbf7b149f3f Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:91
		process.env.PULL_REQUEST_ID = '#123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cba4909c7e8dd99f Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:96
		process.env.PULL_REQUEST_ID = '123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbd9fe64ffe83202 Environment-variable access.
repo/.github/scripts/compute-backport-targets.test.mjs:101
		process.env.PULL_REQUEST_ID = 'abc-123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff7a7d7b6fba3c31 Environment-variable access.
repo/.github/scripts/create-github-release.mjs:29
	const ADDITIONAL_TAGS = process.env.ADDITIONAL_TAGS ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #653fccfd26a71d4f Environment-variable access.
repo/.github/scripts/determine-release-candidate-branch-for-track.mjs:34
	const force = process.env.FORCE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #158fa9ce025fe682 Filesystem access.
repo/.github/scripts/determine-version-info.mjs:139
	const packageJson = JSON.parse(readFileSync('./package.json', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #99e9dc9b33e93917 Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:7
		this.githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e17f9b82ab1a4c61 Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:147
			event: getArg('event') || process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a208547cedb19846 Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:148
			pr: getArg('pr') || process.env.GITHUB_PR_NUMBER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #932eb1c73842f7da Environment-variable access.
repo/.github/scripts/docker/docker-config.mjs:149
			branch: getArg('branch') || process.env.GITHUB_REF_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #48c8f424050e75fe Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:7
		this.githubOwner = process.env.GITHUB_REPOSITORY_OWNER || 'n8n-io';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0dd1a54674a4cec4 Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:8
		this.dockerUsername = process.env.DOCKER_USERNAME || 'n8nio';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #067de4d88232e8b2 Environment-variable access.
repo/.github/scripts/docker/docker-tags.mjs:9
		this.githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a97bda29f5237489 Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:18
const githubOutput = process.env.GITHUB_OUTPUT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc9cc2e47cce99d0 Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:38
const n8nTag = process.env.N8N_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b54decf5fe013d8a Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:39
const runnersTag = process.env.RUNNERS_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e25ba04a8927df35 Environment-variable access.
repo/.github/scripts/docker/get-manifest-digests.mjs:40
const distrolessTag = process.env.DISTROLESS_TAG || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4b7efc093270f591 Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:1
import { writeFile, readFile, copyFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #30b4d9bdab6c0675 Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:25
		...JSON.parse(await readFile(packageFile, 'utf-8')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a091dea12825090 Filesystem access.
repo/.github/scripts/ensure-provenance-fields.mjs:49
	await writeFile(packageFile, JSON.stringify(packageJson, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9dfffb8c1cffecd6 Filesystem access.
repo/.github/scripts/github-helpers.mjs:172
	return JSON.parse(fs.readFileSync(eventPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0827f2bcff11d7b1 Environment-variable access.
repo/.github/scripts/github-helpers.mjs:214
	const v = process.env[variableName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #758913b04289e2d8 Environment-variable access.
repo/.github/scripts/github-helpers.mjs:253
	const path = process.env.GITHUB_OUTPUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #229442b9da998dab Environment-variable access.
repo/.github/scripts/github-helpers.test.mjs:24
		process.env.GITHUB_TOKEN = 'token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83c4433baa8cea57 Environment-variable access.
repo/.github/scripts/github-helpers.test.mjs:25
		process.env.GITHUB_REPOSITORY = 'n8n-io/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b168c1f626f3841 Filesystem access.
repo/.github/scripts/owners.mjs:50
	const content = readFileSync(path, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5bd5682750cac132 Filesystem access.
repo/.github/scripts/owners.mjs:127
		readFileSync(path, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f1118143cbbaab07 Environment-variable access.
repo/.github/scripts/plan-release.mjs:13
const stable = process.env['STABLE_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5dc93ec93f230f6d Environment-variable access.
repo/.github/scripts/plan-release.mjs:14
const beta = process.env['BETA_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca4fa20baba7aa6e Environment-variable access.
repo/.github/scripts/plan-release.mjs:15
const v1 = process.env['V1_VERSION'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #389ceaab7b64abee Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:42
const webhookUrl = process.env.QA_METRICS_COMMENT_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44ae9b8ff84fe179 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:48
const repo = process.env.GITHUB_REPOSITORY ?? 'n8n-io/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9933d2c8faaae0ee Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:49
const sha = process.env.GITHUB_SHA?.slice(0, 8) ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #766435fe25b66d14 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:55
const user = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1b6a15d47a41b426 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:56
const pass = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #8da124c73a481dda User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:65 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:65
	res = await fetch(webhookUrl, {
		method: 'POST',
		headers,
		body: JSON.stringify({
			pr_number: pr,
			github_repo: repo,
			git_sha: sha,
			baseline_days: baselineDays,
			metric_names: metrics,
		}),
		signal: AbortSignal.timeout(60_000),
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #e735fde35daaf6b2 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:104
const token = process.env.GITHUB_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #ddeab9d8421e3ca2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:117 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:48 → /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:117
const comments = await fetch(
	`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments?per_page=100`,
	{ headers: ghHeaders },
).then((r) => r.json());

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow test-only Excluded from app score #3596292ced841da1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:127 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:127
	await fetch(
		`https://api.github.com/repos/${owner}/${repoName}/issues/comments/${existing.id}`,
		{ method: 'PATCH', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
	);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow test-only Excluded from app score #5e6b0e68bedb06b5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/post-qa-metrics-comment.mjs:133 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:42 → /tmp/closeopen-eiu3royx/repo/.github/scripts/post-qa-metrics-comment.mjs:133
	const created = await fetch(
		`https://api.github.com/repos/${owner}/${repoName}/issues/${pr}/comments`,
		{ method: 'POST', headers: ghHeaders, body: JSON.stringify({ body: markdown }) },
	).then((r) => r.json());

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #95c5befdcf8c9209 Environment-variable access.
repo/.github/scripts/post-qa-metrics-comment.mjs:141
	const match = (process.env.GITHUB_REF ?? '').match(/refs\/pull\/(\d+)/);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df52ef78ac52aa0b Environment-variable access.
repo/.github/scripts/promote-backport-labels-on-minor.mjs:27
	const dryRun = process.env.DRY_RUN === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63cc4d8caec8ed14 Filesystem access.
repo/.github/scripts/send-build-stats.mjs:36
const summary = JSON.parse(readFileSync(join(runsDir, files.at(-1)), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #767597cc3fe58876 Filesystem access.
repo/.github/scripts/send-docker-stats.mjs:42
	? JSON.parse(readFileSync(buildManifestPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #904df7cd874b5628 Filesystem access.
repo/.github/scripts/send-docker-stats.mjs:46
	? JSON.parse(readFileSync(dockerManifestPath, 'utf-8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92acc5d82650c6e3 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:28
	const ref = process.env.GITHUB_REF || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34c64449139276e9 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:30
	const runId = process.env.GITHUB_RUN_ID || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ebfbaed94b8a0f6 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:36
			sha: process.env.GITHUB_SHA?.slice(0, 8) || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1373d1f77d21a817 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:37
			branch: process.env.GITHUB_HEAD_REF || process.env.GITHUB_REF_NAME || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1fb331a82d6877e Environment-variable access.
repo/.github/scripts/send-metrics.mjs:43
				runId && process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b00e9f8fd7b644ce Environment-variable access.
repo/.github/scripts/send-metrics.mjs:44
					? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d7a305ef44e4b534 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:46
			job: process.env.GITHUB_JOB || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5c98ca7a54705524 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:47
			workflow: process.env.GITHUB_WORKFLOW || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #436493c6edeba808 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:48
			attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fd6315f3ddb8e42d Environment-variable access.
repo/.github/scripts/send-metrics.mjs:49
				? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f60ca2b1923af498 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:53
			provider: !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #61d65d564d60aa9a Environment-variable access.
repo/.github/scripts/send-metrics.mjs:55
				: process.env.RUNNER_ENVIRONMENT === 'github-hosted'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a99aa2984aa9066 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:65
	const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c53dc6b0bfd47f6 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:66
	const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd1205035bc1b9d2 Environment-variable access.
repo/.github/scripts/send-metrics.mjs:67
	const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow test-only Excluded from app score #cf446d258ea2a0ac User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/.github/scripts/send-metrics.mjs:87 · flow /tmp/closeopen-eiu3royx/repo/.github/scripts/send-metrics.mjs:65 → /tmp/closeopen-eiu3royx/repo/.github/scripts/send-metrics.mjs:87
		const response = await fetch(webhookUrl, {
			method: 'POST',
			headers: {
				'Content-Type': 'application/json',
				Authorization: `Basic ${basicAuth}`,
			},
			body: JSON.stringify(payload),
			signal: AbortSignal.timeout(5_000),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs test-only #32e99a4ad4d7292f Environment-variable access.
repo/.github/scripts/set-latest-for-monorepo-packages.mjs:27
	const token = process.env.NPM_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ffdc13a407698c8e Filesystem access.
repo/.github/scripts/slack/build-trivy-blocks.mjs:28
	const report = JSON.parse(readFileSync(results, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4623e1724e1d7573 Filesystem access.
repo/.github/scripts/slack/build-trivy-blocks.test.mjs:18
	writeFileSync(path, JSON.stringify(report));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #5abd14c4c2c0a84f Hardcoded external endpoint. Review what data is sent to this destination.
repo/.github/scripts/slack/notify.mjs:31
	const res = await fetch('https://slack.com/api/chat.postMessage', {
		method: 'POST',
		headers: {
			'Content-Type': 'application/json; charset=utf-8',
			Authorization: `Bearer ${token}`,
		},
		body: JSON.stringify(payload),
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #b207b14401abd590 Environment-variable access.
repo/.github/scripts/slack/notify.mjs:78
	const token = process.env.SLACK_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eaec5dd7892e4571 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:162
	if (process.env.GH_TOKEN) return process.env.GH_TOKEN.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fec9a36c6b629468 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:163
	if (process.env.GITHUB_TOKEN) return process.env.GITHUB_TOKEN.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10341b1fc7889618 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:172
	if (process.env.GITHUB_REPOSITORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7bdcd45c205a6a5 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:173
		const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #729c7f6703c79566 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:193
	if (process.env.DRY_RUN === 'false' || process.env.DRY_RUN === '0') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e573dd872bdb09b1 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:196
	if (process.env.DRY_RUN === 'true' || process.env.DRY_RUN === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17fdd54298aca322 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:210
	const raw = [...(values.exclude ?? []), process.env.EXCLUDE_BRANCHES ?? ''];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #b0bae95efa08a720 Hardcoded external endpoint. Review what data is sent to this destination.
repo/.github/scripts/stale/clean-stale-branches.mjs:228
	const res = await fetch(`${API}/graphql`, {
		method: 'POST',
		headers: { ...ctx.headers, 'Content-Type': 'application/json' },
		body: JSON.stringify({ query, variables }),
	});

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #24a5613a39c50d25 Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:398
	const staleDays = Number(values.days ?? process.env.STALE_DAYS ?? 100);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #db99da16e79420fa Environment-variable access.
repo/.github/scripts/stale/clean-stale-branches.mjs:400
		throw new Error(`Invalid --days value: ${values.days ?? process.env.STALE_DAYS}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #824addc573653611 Environment-variable access.
repo/.github/scripts/sync-conflict-owners.mjs:112
	const repo = process.env.GITHUB_REPOSITORY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86cf24c1eb3a471d Environment-variable access.
repo/.github/scripts/sync-conflict-owners.mjs:113
	const token = process.env.GH_TOKEN || process.env.GITHUB_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #738a3cb763a3dc4a Filesystem access.
repo/.github/scripts/trim-fe-packageJson.js:1
const { writeFileSync } = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d5b4f9abb7d57d2 Filesystem access.
repo/.github/scripts/trim-fe-packageJson.js:13
	writeFileSync(filePath, JSON.stringify(packageJson, null, 2) + '\n', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #beae938680ed69da Filesystem access.
repo/.github/scripts/update-changelog.mjs:4
import { createReadStream, createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf54649689f3dfaa Environment-variable access.
repo/packages/testing/code-health/src/cli.ts:27
		changedFiles: parseChangedFiles(process.env.CODE_HEALTH_CHANGED_FILES),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f96dee768650c1df Environment-variable access.
repo/packages/testing/code-health/src/cli.ts:28
		addedFiles: parseChangedFiles(process.env.CODE_HEALTH_ADDED_FILES),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93c13af4256add97 Filesystem access.
repo/packages/testing/code-health/src/rules/catalog-violations.rule.test.ts:16
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65fffbfe0001cc46 Filesystem access.
repo/packages/testing/code-health/src/rules/migration-timestamp.rule.test.ts:25
	fs.writeFileSync(fullPath, 'export {};\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #104f405373496e25 Filesystem access.
repo/packages/testing/code-health/src/rules/stale-overrides.rule.test.ts:16
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb23fa2b926d5ad5 Filesystem access.
repo/packages/testing/code-health/src/rules/subpath-purity.rule.test.ts:16
		writeFileSync(abs, source, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619a9cffcf732e80 Filesystem access.
repo/packages/testing/code-health/src/rules/workflow-pr-target-safety.rule.test.ts:16
	fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd0e4ee8411ac3aa Filesystem access.
repo/packages/testing/code-health/src/utils/node-modules-deps-scanner.ts:34
			pkg = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as OnDiskPackageJson;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4588de44f4c0cbe Filesystem access.
repo/packages/testing/code-health/src/utils/overrides-parser.ts:21
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4797ad74bc16cb6a Filesystem access.
repo/packages/testing/code-health/src/utils/package-json-scanner.ts:28
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8644ce7526c158a Filesystem access.
repo/packages/testing/code-health/src/utils/pnpm-lock-parser.ts:31
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc1f0f3e3bde4dac Filesystem access.
repo/packages/testing/code-health/src/utils/workflow-scanner.ts:35
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #442445ee3b388cd1 Filesystem access.
repo/packages/testing/code-health/src/utils/workspace-parser.ts:17
	const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aefefc3de8eb595a Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:170
	if (process.env.N8N_LICENSE_TENANT_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2469cc75e7eb5a40 Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:171
		extraEnvs.push({ name: 'N8N_LICENSE_TENANT_ID', value: process.env.N8N_LICENSE_TENANT_ID });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f07869b9c995fcae Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:173
	if (process.env.N8N_LICENSE_ACTIVATION_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cb44b2a1a11979a Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:176
			value: process.env.N8N_LICENSE_ACTIVATION_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b0300d48c02111e Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:179
	if (process.env.N8N_LICENSE_CERT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f25f0d8dd1637c7e Environment-variable access.
repo/packages/testing/containers/helm-stack.ts:180
		extraEnvs.push({ name: 'N8N_LICENSE_CERT', value: process.env.N8N_LICENSE_CERT });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6839d533f7e853be Filesystem access.
repo/packages/testing/containers/helm-stack.ts:331
	writeFileSync(kubeConfigPath, namedKubeconfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f3c50b3ea496d9c Filesystem access.
repo/packages/testing/containers/helm-stack.ts:349
		writeFileSync(defaultKubeconfig, merged);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cbc584a47a8be36 Filesystem access.
repo/packages/testing/containers/helm-start-stack.ts:124
		writeFileSync(values['url-file'], stack.baseUrl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46b38eea111c9ebe Filesystem access.
repo/packages/testing/containers/helm-start-stack.ts:129
		writeFileSync(values['kubeconfig-file'], stack.kubeConfigPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73f4e69c1732c717 Environment-variable access.
repo/packages/testing/containers/helpers/utils.ts:12
	const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81252d8b7ada5032 Environment-variable access.
repo/packages/testing/containers/network-stabilization.ts:18
	if (!process.env.CI || os.platform() !== 'linux') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31d57ba9658a96ed Environment-variable access.
repo/packages/testing/containers/pull-test-images.ts:111
	if (failures.length > 0 && process.env.STRICT_IMAGE_PULL === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6622862c073b71d Filesystem access.
repo/packages/testing/containers/service-stack.ts:83
	writeFileSync(devEnvFilePath(), lines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25f0cb05be130a87 Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:48
	N8N_ENCRYPTION_KEY: process.env.N8N_ENCRYPTION_KEY ?? 'test-encryption-key',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b19f87e31e5c7dd Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:55
	N8N_LICENSE_TENANT_ID: process.env.N8N_LICENSE_TENANT_ID ?? '1001',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a0d3abbb68d212c Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:56
	N8N_LICENSE_ACTIVATION_KEY: process.env.N8N_LICENSE_ACTIVATION_KEY ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceba97684291dc5e Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:57
	N8N_LICENSE_CERT: process.env.N8N_LICENSE_CERT ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab485112d01fc9b2 Environment-variable access.
repo/packages/testing/containers/services/n8n.ts:119
			if (!process.env.N8N_LICENSE_ACTIVATION_KEY && !process.env.N8N_LICENSE_CERT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71504d94826d9d92 Environment-variable access.
repo/packages/testing/containers/services/ngrok.ts:48
		const authToken = process.env.NGROK_AUTHTOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6be4bf6aa25a7ea Filesystem access.
repo/packages/testing/containers/services/proxy.ts:2
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97144f3a2f80cd91 Filesystem access.
repo/packages/testing/containers/services/proxy.ts:205
					const fileContent = await fs.readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55b52388bf63dee7 Filesystem access.
repo/packages/testing/containers/services/proxy.ts:488
				await fs.writeFile(filePath, JSON.stringify(processedExpectation, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74dff9a321dbf92c Environment-variable access.
repo/packages/testing/containers/telemetry.ts:62
	const ref = process.env.GITHUB_REF ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72c30a8bbe6dbc14 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:66
		sha: process.env.GITHUB_SHA?.slice(0, 8) ?? 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba1a034af267a89c Environment-variable access.
repo/packages/testing/containers/telemetry.ts:67
		branch: process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME ?? 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c85c1120d653178b Environment-variable access.
repo/packages/testing/containers/telemetry.ts:74
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #babbb03ae9cb8c60 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:75
		job: process.env.GITHUB_JOB,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63942782fc0cf3e7 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:76
		workflow: process.env.GITHUB_WORKFLOW,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05a7731d45e2ca06 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:77
		attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1acac19fd83d3b1b Environment-variable access.
repo/packages/testing/containers/telemetry.ts:78
			? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61c277d8c3867267 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:85
	if (!process.env.CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f00f46f5f8ce8a01 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:89
	if (process.env.RUNNER_ENVIRONMENT === 'github-hosted') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b283c5fd82529cb1 Environment-variable access.
repo/packages/testing/containers/telemetry.ts:182
		const isVerbose = process.env.CONTAINER_TELEMETRY_VERBOSE === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ceb42bb2f24daa5c Environment-variable access.
repo/packages/testing/containers/telemetry.ts:183
		const webhookUrl = process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28f1e84209b3b6cb Environment-variable access.
repo/packages/testing/containers/telemetry.ts:211
		const repo = process.env.GITHUB_REPOSITORY ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0687bd3e0c38c5a Environment-variable access.
repo/packages/testing/containers/telemetry.ts:283
		const webhookUser = process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #700fcd449601f89b Environment-variable access.
repo/packages/testing/containers/telemetry.ts:284
		const webhookPassword = process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1193c4d6e5d231e8 Environment-variable access.
repo/packages/testing/containers/test-containers.ts:84
	let value = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b18e7bba4dc0fcb3 Environment-variable access.
repo/packages/testing/containers/test-containers.ts:87
		value = process.env.N8N_DOCKER_IMAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #245f48587f77e943 Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:92
			fs.writeFileSync(
				path.join(tempDir, 'tsconfig.json'),
				JSON.stringify({
					compilerOptions: {
						target: 'ES2020',
						module: 'ESNext',
						moduleResolution: 'node',
						strict: true,
					},
					include: ['**/*.ts'],
				}),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86a7ed223bc6193e Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:106
			fs.writeFileSync(
				path.join(tempDir, 'janitor.config.js'),
				`module.exports = {
					rootDir: '${tempDir}',
					patterns: {
						pages: ['pages/**/*.ts'],
						components: [],
						flows: [],
						tests: ['tests/**/*.spec.ts'],
						services: [],
						fixtures: [],
						helpers: [],
						factories: [],
						testData: [],
					},
					excludeFromPages: [],
					facade: { file: 'pages/AppPage.ts', className: 'AppPage', excludeTypes: [] },
					fixtureObjectName: 'app',
					apiFixtureName: 'api',
					rawApiPatterns: [],
					flowLayerName: 'Composable',
					architectureLayers: [],
					rules: {},
				};`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #479bb97796682a83 Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:142
			fs.writeFileSync(path.join(tempDir, 'pages', 'CleanPage.ts'), 'export class CleanPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69288fba28be110b Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:165
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'VerbosePage.ts'),
				'export class VerbosePage {}',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4511b96aa8058c73 Filesystem access.
repo/packages/testing/janitor/src/cli.test.ts:186
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'BaselinePage.ts'),
				'export class BaselinePage {}',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6faf0431078291cc Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:451
	const attempt = Number(process.env.GITHUB_RUN_ATTEMPT ?? '1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c40b32c026636a7 Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:460
		firstNonEmpty(options.url, process.env.JANITOR_FILTER_SHARD_URL) ?? DEFAULT_FILTER_SHARD_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c276768fbe5c77bc Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:461
	const runId = process.env.GITHUB_RUN_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86b836d8213d943c Filesystem access.
repo/packages/testing/janitor/src/cli.ts:546
		const includeRaw = fs.readFileSync(options.includeSpecsFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71834bd634ceed3a Filesystem access.
repo/packages/testing/janitor/src/cli.ts:568
				const raw = JSON.parse(fs.readFileSync(metricsPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e80a45a31d539dfd Environment-variable access.
repo/packages/testing/janitor/src/cli.ts:610
	const env = process.env.CHANGED_FILES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38428fc8f6c154e7 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:670
	const inputs = files.map((f) => ({ text: fs.readFileSync(f, 'utf8'), spec: f }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1fd69b4b689f656 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:672
	fs.writeFileSync(options.outLcov, result.lcov);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9913c1ddff20f275 Filesystem access.
repo/packages/testing/janitor/src/cli.ts:674
	fs.writeFileSync(options.outMap, JSON.stringify(encodeImpactMap(result.impactMap)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08245e28c4b43b7a Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:25
	writeFileSync(
		join(root, 'pnpm-workspace.yaml'),
		`packages:\n${opts.patterns.map((p) => `  - '${p}'`).join('\n')}\n`,
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dabff07f638b13e3 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:29
	writeFileSync(join(root, 'package.json'), JSON.stringify({ name: 'monorepo-root' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3dacb81f3b81737 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:38
		writeFileSync(join(pkgDir, 'package.json'), JSON.stringify(pkg));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e6627421cee5ef4 Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.test.ts:42
		writeFileSync(
			join(root, 'turbo.json'),
			JSON.stringify({
				tasks: Object.fromEntries(opts.turboTasks.map((t) => [t.taskId, { inputs: t.inputs }])),
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08a24e81a1a9595b Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.ts:18
		return JSON.parse(readFileSync(path, 'utf-8')) as T;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bdc3de1cf7cec7a Filesystem access.
repo/packages/testing/janitor/src/core/affected-packages-analyzer.ts:42
		(parseYaml(readFileSync(wsFile, 'utf-8')) as { packages?: string[] } | null)?.packages ?? [];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57df7399e9546953 Filesystem access.
repo/packages/testing/janitor/src/core/ast-diff-analyzer.ts:81
		const currentContent = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0dd9d1bd7fceb9a Filesystem access.
repo/packages/testing/janitor/src/core/baseline.test.ts:42
			fs.writeFileSync(path.join(tempDir, '.janitor-baseline.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddb685a27f51c9c4 Filesystem access.
repo/packages/testing/janitor/src/core/impact-analyzer.ts:315
				const content = fs.readFileSync(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffd472f25a9ebae2 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:24
		fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7119bf6a88f72c02 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:49
		fs.writeFileSync(
			path.join(tempDir, 'tsconfig.json'),
			JSON.stringify({
				compilerOptions: {
					target: 'ES2020',
					module: 'ESNext',
					moduleResolution: 'node',
					strict: true,
				},
				include: ['**/*.ts'],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9806c4e4de3ab11 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:203
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'simple-webhook.json'),
				JSON.stringify({ name: 'Simple Webhook' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8401f5d877b9cbe4 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:207
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'complex-flow.json'),
				JSON.stringify({ name: 'Complex Flow' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #362cc51bc5301da7 Filesystem access.
repo/packages/testing/janitor/src/core/inventory-analyzer.test.ts:346
			fs.writeFileSync(
				path.join(tempDir, 'workflows', 'test-workflow.json'),
				JSON.stringify({ name: 'Test' }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #143aa8f018ac2396 Filesystem access.
repo/packages/testing/janitor/src/core/method-usage-analyzer.ts:114
			const content = fs.readFileSync(testFilePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2893a494fd8a7ca Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:24
		fs.writeFileSync(path.join(tempDir, 'tsconfig.json'), JSON.stringify(tsconfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23f1e7f0266866e4 Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:52
			fs.writeFileSync(path.join(pagesDir, 'TestPage.ts'), 'export class TestPage { foo() {} }');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fee224ff881a2e31 Filesystem access.
repo/packages/testing/janitor/src/core/project-loader.test.ts:65
			fs.writeFileSync(
				path.join(tempDir, 'TestClass.ts'),
				`export class TestClass {
					publicMethod() { return 1; }
					private privateMethod() { return 2; }
				}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fc1ff4d5ace1f61 Filesystem access.
repo/packages/testing/janitor/src/core/read-lockfile-importers.ts:25
		doc = parse(readFileSync(lockPath, 'utf8')) as typeof doc;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f6519d7ed15ed68 Filesystem access.
repo/packages/testing/janitor/src/core/read-manifest-diffs.ts:17
		return existsSync(abs) ? readFileSync(abs, 'utf8') : '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6eb5cc17a968141 Filesystem access.
repo/packages/testing/janitor/src/core/scope-analyzer.test.ts:12
	writeFileSync(join(pkgDir, 'package.json'), JSON.stringify({ name: 'some-pkg' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b7537fea5967f95 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:28
		fs.writeFileSync(path.join(tempDir, 'pages', '.gitkeep'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc1a0b47b425dcae Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:29
		fs.writeFileSync(path.join(tempDir, 'tests', '.gitkeep'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #366b968c510687fc Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:32
		fs.writeFileSync(
			path.join(tempDir, 'tsconfig.json'),
			JSON.stringify({
				compilerOptions: {
					target: 'ES2020',
					module: 'ESNext',
					moduleResolution: 'node',
					strict: true,
					skipLibCheck: true,
					noEmit: true,
				},
				include: ['**/*.ts'],
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40ef0d061fbadbf1 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:48
		fs.writeFileSync(
			path.join(tempDir, 'package.json'),
			JSON.stringify({
				name: 'tcr-test',
				scripts: {
					typecheck: 'tsc --noEmit',
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c72e54237e7342b7 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:97
			fs.writeFileSync(path.join(tempDir, 'pages', 'NewPage.ts'), 'export class NewPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9661d8650295891a Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:108
			fs.writeFileSync(path.join(tempDir, 'pages', 'TestPage.ts'), 'export class TestPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cbbcbf098417cb0 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:112
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'TestPage.ts'),
				'export class TestPage { modified() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97dec0b42ef7a948 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:136
			fs.writeFileSync(
				path.join(newDir, 'new-feature.spec.ts'),
				'import { test } from "@playwright/test"; test("new feature", () => {});',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64d6b9a1d2ed3d58 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:158
			fs.writeFileSync(
				path.join(newDir, 'staged-feature.spec.ts'),
				'export const test = { name: "staged feature test" };\n',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49f5d72862a29e27 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:167
			fs.writeFileSync(
				path.join(tempDir, 'package.json'),
				JSON.stringify({ name: 'tcr-test', scripts: { typecheck: 'node -e ""' } }),
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07e038168039e20d Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:188
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'ToDelete.ts'),
				'export class ToDelete { method() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a6d837e24cc63b1 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:205
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'OldName.ts'),
				'export class OldName { method() {} }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8dbb367b852100c8 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:225
			fs.writeFileSync(
				path.join(tempDir, 'MethodClass.ts'),
				`export class MethodClass {
	existing() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #565b854a45219d78 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:234
			fs.writeFileSync(
				path.join(tempDir, 'MethodClass.ts'),
				`export class MethodClass {
	existing() {}
	newMethod() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69f2367d07bded17 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:254
			fs.writeFileSync(
				path.join(tempDir, 'RemoveClass.ts'),
				`export class RemoveClass {
	keepMe() {}
	removeMe() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2684185020bc4a87 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:264
			fs.writeFileSync(
				path.join(tempDir, 'RemoveClass.ts'),
				`export class RemoveClass {
	keepMe() {}
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfc7422ae0e14e13 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:283
			fs.writeFileSync(
				path.join(tempDir, 'ModifyClass.ts'),
				`export class ModifyClass {
	myMethod() { return 1; }
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b22a8d57592e474 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:292
			fs.writeFileSync(
				path.join(tempDir, 'ModifyClass.ts'),
				`export class ModifyClass {
	myMethod() { return 2; }
}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e8adc78dec2a012 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:313
			fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), 'export class LargePage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59063f61630d44c8 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:318
			fs.writeFileSync(path.join(tempDir, 'pages', 'LargePage.ts'), largeContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a379b45db658953 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:330
			fs.writeFileSync(path.join(tempDir, 'pages', 'SmallPage.ts'), 'export class SmallPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1775903a40d5589b Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:334
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'SmallPage.ts'),
				'export class SmallPage { x = 1; }',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bdb7a943d7a994e Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:387
			fs.writeFileSync(path.join(tempDir, 'pages', 'OtherPage.ts'), 'export class OtherPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9006dff28fd0a265 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:400
			fs.writeFileSync(
				path.join(tempDir, 'pages', 'PageA.ts'),
				`import { PageB } from './PageB';
				export class PageA {}`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a706a2c87373da6 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:405
			fs.writeFileSync(path.join(tempDir, 'pages', 'PageB.ts'), 'export class PageB {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ba0c89c41353302 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:437
			fs.writeFileSync(path.join(tempDir, 'pages', 'DryRunPage.ts'), 'export class DryRunPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d72bf2819cbcfdd Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:452
			fs.writeFileSync(path.join(tempDir, 'pages', 'ResultPage.ts'), 'export class ResultPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d881aed407bfdf0b Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:483
			fs.writeFileSync(
				path.join(tempDir, 'tests', 'example.spec.ts'),
				'import { test } from "@playwright/test"; test("example", () => {});',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bafaffc9bc8527df Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:569
			fs.writeFileSync(path.join(tempDir, 'pages', 'FailPage.ts'), 'export class FailPage {}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c222f8ddcbb26107 Filesystem access.
repo/packages/testing/janitor/src/core/tcr-executor.test.ts:574
			fs.writeFileSync(headFile, 'corrupted');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de8e34bc873181cd Environment-variable access.
repo/packages/testing/janitor/vitest.config.ts:9
	process.env.CI === 'true' ? { pool: 'forks' as const, maxWorkers: '50%' } : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7dd0520b459c143a Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:13
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e830b7e0cec2086 Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:34
const baseline = JSON.parse(readFileSync(BASELINE_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8919987ed4b74ede Filesystem access.
repo/packages/testing/performance/scripts/check-regression.mjs:35
const current = JSON.parse(readFileSync(CURRENT_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a0ddcede23ba21f Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:12
import { readFileSync, writeFileSync, readdirSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e01adce820b4370 Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:81
		const wf = JSON.parse(readFileSync(join(inputDir, file), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #101854df8f0da111 Filesystem access.
repo/packages/testing/performance/scripts/extract-expressions.mjs:166
writeFileSync(outputPath, JSON.stringify(fixture, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6d9a22a2fb8a79c Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:9
import { readFileSync, writeFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1488359450c351a Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:39
const results = JSON.parse(readFileSync(resultsPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7987636dc5c6e596 Filesystem access.
repo/packages/testing/performance/scripts/save-baseline.mjs:69
writeFileSync(baselinePath, JSON.stringify(results, null, '\t'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6775194ed3d2835d Environment-variable access.
repo/packages/testing/performance/vitest.config.ts:5
	plugins: [process.env.CODSPEED ? codspeedPlugin() : null].filter(Boolean),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2e89d42d6e7b2c3 Environment-variable access.
repo/packages/testing/playwright/coverage-options.ts:13
export const COVERAGE_ENABLED = process.env.COVERAGE_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a927250a5975303 Environment-variable access.
repo/packages/testing/playwright/currents.config.ts:4
	recordKey: process.env.CURRENTS_RECORD_KEY ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bd232b448f29aa8 Environment-variable access.
repo/packages/testing/playwright/currents.config.ts:5
	projectId: process.env.CURRENTS_PROJECT_ID ?? 'nHHLA5',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7141a0e8ee343bb4 Filesystem access.
repo/packages/testing/playwright/fixtures/backend-v8-coverage.ts:84
					writeFileSync(
						join(specDir, `raw-${slugify(testInfo.testId)}.json`),
						JSON.stringify({ result }),
					);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97a73e1c40a59777 Filesystem access.
repo/packages/testing/playwright/fixtures/backend-v8-coverage.ts:88
					writeFileSync(join(specDir, '.spec'), spec);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #737eeb62917972a9 Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:64
	const raw = process.env.N8N_TEST_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69911728cbde173b Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:124
				...(process.env.N8N_COVERAGE_DIR ? { coverageHostDir: process.env.N8N_COVERAGE_DIR } : {}),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3406aaacea0dfc93 Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:144
			if (process.env.N8N_CONTAINERS_KEEPALIVE === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b68463767ba91ba Environment-variable access.
repo/packages/testing/playwright/fixtures/base.ts:156
			const envBaseURL = process.env.N8N_BASE_URL ?? n8nContainer?.baseUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c1d2b144d60b5e6 Environment-variable access.
repo/packages/testing/playwright/fixtures/langsmith.ts:20
			const client = process.env.LANGSMITH_API_KEY ? new Client() : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f949ce3f86def78 Environment-variable access.
repo/packages/testing/playwright/fixtures/langsmith.ts:46
				project_name: process.env.LANGSMITH_PROJECT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfafffc689e778d1 Environment-variable access.
repo/packages/testing/playwright/fixtures/observability.ts:31
	if (process.env.CONTAINER_TELEMETRY_VERBOSE === '1') return true;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #22d15b784aab1d4a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/testing/playwright/fixtures/quarantine.ts:12
		const res = await fetch(QUARANTINE_WEBHOOK_URL, { signal: controller.signal });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #07875a237989253c Environment-variable access.
repo/packages/testing/playwright/fixtures/quarantine.ts:69
			if (process.env.CURRENTS_RECORD_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4e43c55e6d6c18e Environment-variable access.
repo/packages/testing/playwright/fixtures/quarantine.ts:80
			if (process.env.CURRENTS_RECORD_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a0848450f3a945b Filesystem access.
repo/packages/testing/playwright/fixtures/v8-coverage.ts:86
			writeFileSync(join(specDir, '.spec'), spec);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a71df0b671e64432 Environment-variable access.
repo/packages/testing/playwright/global-setup.ts:16
	const resetE2eDb = process.env.RESET_E2E_DB;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09fff3c3909b2023 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:30
const ALLOW_CONTAINER_ONLY = process.env.PLAYWRIGHT_ALLOW_CONTAINER_ONLY === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45608e7fb218ed04 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:176
				N8N_INSTANCE_AI_MODEL: process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-4o-mini',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e82bcc1741656019 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:178
				...(process.env.N8N_AI_OPENAI_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23c4a7bd623bd2ab Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:179
					N8N_AI_OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3403af69eae5a1c Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:180
					OPENAI_API_KEY: process.env.N8N_AI_OPENAI_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3101a6dd2093173b Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:182
				...(process.env.LANGSMITH_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6dcd4d3f1139ad82 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:183
					LANGSMITH_API_KEY: process.env.LANGSMITH_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec82c1d6f96ed802 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:185
				...(process.env.ANTHROPIC_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #957cf1a08eb66877 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:186
					ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5daea5213eff522e Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:188
				...(process.env.OPENROUTER_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60c87954a172ec8f Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:189
					OPENROUTER_API_KEY: process.env.OPENROUTER_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a103decd339632c1 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:191
				...(process.env.CEREBRAS_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e98f5cccca54446 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:192
					CEREBRAS_API_KEY: process.env.CEREBRAS_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfb94a9e09949d39 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:195
				...(process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e91c3c5b87241761 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:196
					N8N_INSTANCE_AI_SANDBOX_ENABLED: process.env.N8N_INSTANCE_AI_SANDBOX_ENABLED,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455e0d6b9092de68 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:198
						process.env.N8N_INSTANCE_AI_SANDBOX_PROVIDER ?? 'daytona',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f565bc520606d53 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:199
					N8N_INSTANCE_AI_SANDBOX_IMAGE: process.env.N8N_INSTANCE_AI_SANDBOX_IMAGE ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c95511b8e0f8060 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:201
				...(process.env.DAYTONA_API_URL && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #361022312fc72bfd Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:202
					DAYTONA_API_URL: process.env.DAYTONA_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3dd224ff91639ae Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:204
				...(process.env.DAYTONA_API_KEY && {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc3a880dffccbca7 Environment-variable access.
repo/packages/testing/playwright/playwright-projects.ts:205
					DAYTONA_API_KEY: process.env.DAYTONA_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #145a981bdb35ca9a Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:13
const IS_CI = !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5555cb01396a82dd Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:14
const IS_DEV = !!process.env.N8N_EDITOR_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a05d38dc495900f0 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:22
	const testEnv = process.env.N8N_TEST_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82b65b46cd833a5b Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:52
const SKIP_WEB_SERVER = process.env.PLAYWRIGHT_SKIP_WEBSERVER === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b95b5dc354904dd Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:109
		headless: process.env.SHOW_BROWSER !== 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5088971d8344ce5 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:113
		currentsFixturesEnabled: !!process.env.CI,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9359b8cb35ea323 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:119
				['junit', { outputFile: process.env.PLAYWRIGHT_JUNIT_OUTPUT_NAME ?? 'results.xml' }],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60a0c18c57ac8dff Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:122
				...(process.env.CURRENTS_RECORD_KEY ? [currentsReporter(currentsConfig)] : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c33e99135b80eea9 Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:125
				...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57124178dba55a9e Environment-variable access.
repo/packages/testing/playwright/playwright.config.ts:132
				...(process.env.LANGSMITH_API_KEY ? ([['./reporters/langsmith-eval.ts']] as const) : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #923a0c4b9e2b17e9 Filesystem access.
repo/packages/testing/playwright/reporters/benchmark-summary-reporter.ts:2
import { appendFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f016759bacc6c986 Environment-variable access.
repo/packages/testing/playwright/reporters/benchmark-summary-reporter.ts:242
		const summaryPath = process.env.GITHUB_STEP_SUMMARY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb4b082981debf1b Environment-variable access.
repo/packages/testing/playwright/reporters/langsmith-eval.ts:23
		if (process.env.LANGSMITH_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb6e2e03bba8c370 Environment-variable access.
repo/packages/testing/playwright/reporters/langsmith-eval.ts:26
		const project = process.env.LANGSMITH_PROJECT ?? 'unset';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #598a97909c0a6d1e Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:40
		this.webhookUrl = options.webhookUrl ?? process.env.QA_METRICS_WEBHOOK_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90febf2b6aa07101 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:41
		this.webhookUser = options.webhookUser ?? process.env.QA_METRICS_WEBHOOK_USER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #255d948cec319cb8 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:42
		this.webhookPassword = options.webhookPassword ?? process.env.QA_METRICS_WEBHOOK_PASSWORD;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9dee3ef21cc55a73 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:133
		const ref = process.env.GITHUB_REF ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2fb4934070b2a8f Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:135
		const runId = process.env.GITHUB_RUN_ID ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4db46d1988c1b5f Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:140
				sha: (process.env.GITHUB_SHA ?? this.gitFallback('rev-parse HEAD'))?.slice(0, 8) ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed39343faf8c789a Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:142
					process.env.GITHUB_HEAD_REF ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #651e771fa6785015 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:143
					process.env.GITHUB_REF_NAME ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2c08c83ce7eb44f Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:150
					runId && process.env.GITHUB_REPOSITORY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b908bf91a6456c92 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:151
						? `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${runId}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a15e3d5b6c8771ff Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:153
				workflow: process.env.GITHUB_WORKFLOW ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d643b2484134f961 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:154
				job: process.env.GITHUB_JOB ?? null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94847ced7fbf6acb Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:155
				attempt: process.env.GITHUB_RUN_ATTEMPT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12db8cdce8518f86 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:156
					? parseInt(process.env.GITHUB_RUN_ATTEMPT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #655caa3a4de248c1 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:160
				provider: !process.env.CI

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04151ae11f519540 Environment-variable access.
repo/packages/testing/playwright/reporters/metrics-reporter.ts:162
					: process.env.RUNNER_ENVIRONMENT === 'github-hosted'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4342438d59637d31 Filesystem access.
repo/packages/testing/playwright/scripts/aggregate-coverage.mjs:96
		writeFileSync(path.join(dir, `${label}-${i}.lcov`), transform(readFileSync(file, 'utf8'))),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efed81fd7a9b8271 Filesystem access.
repo/packages/testing/playwright/scripts/ast-viewer.ts:11
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfb1ee47eef7ba3e Environment-variable access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:23
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04f2bdd60dabf261 Environment-variable access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:24
const IMAGE_ROOT_PREFIX = process.env.IMAGE_ROOT_PREFIX ?? '/usr/local/lib/node_modules/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94d36ff5b504d2ba Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:40
				const name = JSON.parse(readFileSync(pkgJson, 'utf8')).name as string;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ddec0dd1e882ec90 Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:113
				source = readFileSync(r.bytesFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0ac0152c5d596b4 Filesystem access.
repo/packages/testing/playwright/scripts/backend-coverage-resolver.ts:119
				const map = JSON.parse(readFileSync(`${r.bytesFile}.map`, 'utf8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #081473538077d84c Filesystem access.
repo/packages/testing/playwright/scripts/build-test-image.mjs:4
import { writeFileSync, existsSync, mkdirSync, copyFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64bc8543b56c5436 Filesystem access.
repo/packages/testing/playwright/scripts/build-test-image.mjs:51
		writeFileSync(
			dockerfilePath,
			`FROM ${targetImage}
COPY e2e.controller.js /usr/local/lib/node_modules/n8n/dist/controllers/e2e.controller.js
`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c47e65a2c2a1671b Filesystem access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:82
		return readFileSync(attachment.path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f17a9159acb667c Environment-variable access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:150
	const summaryPath = process.env.GITHUB_STEP_SUMMARY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7f54116ca4e0c8e Filesystem access.
repo/packages/testing/playwright/scripts/canvas-perf-sentinels.mjs:161
	const raw = readFileSync(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e6e11c9a4f7711a Environment-variable access.
repo/packages/testing/playwright/scripts/coverage-analysis.mjs:87
const TOKEN = process.env.CODECOV_API_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6d8d63bdc39c74d Filesystem access.
repo/packages/testing/playwright/scripts/coverage-pipeline.test.ts:39
		writeFileSync(join(sibling, 'specA', '.spec'), 'tests/e2e/x.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #391b9e335a7f328d Filesystem access.
repo/packages/testing/playwright/scripts/distribute-tests.mjs:232
	writeFileSync(allowPath, [...union].join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e927791c010c148 Environment-variable access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:32
const IMAGE_DIST_ROOT = process.env.IMAGE_DIST_ROOT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bfcef9e0413ef24 Environment-variable access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:37
	const dir = process.env.N8N_COVERAGE_DIR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c8e27ae8ae490e2 Filesystem access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:44
			parsed = JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42fe23ce023080e8 Filesystem access.
repo/packages/testing/playwright/scripts/emit-shard-coverage.ts:64
			JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #617222d345838abc Filesystem access.
repo/packages/testing/playwright/scripts/emit-spec-backend-lcovs.ts:47
					parsed = JSON.parse(readFileSync(join(dir, rf), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ab29ca1b6e35d0a Filesystem access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:12
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f1ffbbd4e1a8b3e Environment-variable access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:86
	const apiKey = process.env.CURRENTS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5494fe18a8fade0 Filesystem access.
repo/packages/testing/playwright/scripts/fetch-currents-metrics.mjs:130
	fs.writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f486824a7165bcf Filesystem access.
repo/packages/testing/playwright/scripts/impact-map.mjs:98
const map = buildMap(parseLcov(readFileSync(lcovPath, 'utf8')), specId);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1fbb09e99809c08 Filesystem access.
repo/packages/testing/playwright/scripts/impact-map.mjs:99
const diff = parseDiff(readFileSync(diffPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff04f3edefb93bd1 Filesystem access.
repo/packages/testing/playwright/scripts/import-jaeger-traces.mjs:44
const raw = JSON.parse(readFileSync(tracesFile, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85d3f16eda868f54 Filesystem access.
repo/packages/testing/playwright/scripts/import-jaeger-traces.mjs:52
writeFileSync(
	wrappedFile,
	JSON.stringify({
		data: traces,
		total: traces.length,
		limit: traces.length,
		offset: 0,
		errors: null,
	}),
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca15af22120dd355 Filesystem access.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:49
		body: readFileSync(metricsFile),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58e741ab6c547930 Filesystem access.
repo/packages/testing/playwright/scripts/import-victoria-data.mjs:59
		body: readFileSync(logsFile),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b9ec82f22ba30b7 Environment-variable access.
repo/packages/testing/playwright/scripts/run-coverage-shard.mjs:36
	const image = process.env.TEST_IMAGE_N8N ?? 'n8nio/n8n:local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df3ba6757f72e3e6 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-instance-ai.mjs:25
const apiKey = process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd6668bf7ec4e933 Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-instance-ai.mjs:40
		return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0e92105e8eb8f97 Filesystem access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:39
import { mkdtempSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc136dec33aefa5c Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:69
if (process.env.N8N_BASE_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9823bb380986e5fb Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:70
	backendUrl = process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #635c588f53939d9a Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:72
	brokerPort = process.env.N8N_RUNNERS_BROKER_PORT ?? String(await getFreePort());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfb83d0bf99a4aab Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:86
		return process.env.N8N_TEST_ENV ? JSON.parse(process.env.N8N_TEST_ENV) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f46ab6aa1bb80c1f Environment-variable access.
repo/packages/testing/playwright/scripts/run-local-isolated.mjs:99
	N8N_LOG_LEVEL: process.env.N8N_LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7671c79a962f5e3b Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:72
	const changedFiles = process.argv.slice(2).join(',') || process.env.CHANGED_FILES || '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73702a7100e602eb Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:77
		allSpecs: process.env.ALL_SPECS_FILE,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72c477b2597c9e02 Environment-variable access.
repo/packages/testing/playwright/scripts/select-affected-e2e.mjs:78
		base: process.env.BASE_REF,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #808c6eebd7e1fcf9 Filesystem access.
repo/packages/testing/playwright/scripts/select-affected-e2e.test.ts:33
			fs.writeFileSync(p, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05f223388be0a028 Filesystem access.
repo/packages/testing/playwright/scripts/select-affected-e2e.test.ts:42
			fs.writeFileSync(p, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b56b8803c70a25f Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:75
		writeFileSync(
			join(laneDir, 'test-results.json'),
			JSON.stringify(testResultsWithReports(specs)),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8ea0fbe020e4ea9 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:94
		const written = JSON.parse(readFileSync(join(laneDir, looseFiles[0]), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ce6cbf53f67bed66 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:116
		writeFileSync(
			join(root, 'test-results.json'),
			JSON.stringify({ suites: [{ specs: [{ tests: [{ results: [{ attachments: [] }] }] }] }] }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cab746334fb26de3 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.test.ts:127
		writeFileSync(join(root, 'test-results.json'), '{ not valid json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93f5afbb034761b7 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:91
		args['hardware-runner'] ?? process.env.SIZING_MATRIX_RUNNER ?? DEFAULT_HARDWARE.runner;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1438d9ca6f018cf1 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:94
		: process.env.SIZING_MATRIX_VCPU

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00b3793e6d534d9b Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:95
			? Number(process.env.SIZING_MATRIX_VCPU)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0024d64b6d4c693 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:99
		: process.env.SIZING_MATRIX_RAM_GB

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23bff9072e69dbb9 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:100
			? Number(process.env.SIZING_MATRIX_RAM_GB)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61e40f0f38d615cb Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:113
		const pkg = JSON.parse(readFileSync(join(REPO_ROOT, 'packages/cli/package.json'), 'utf8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85364ff18f9769e6 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:124
		const head = readFileSync(join(REPO_ROOT, '.git/HEAD'), 'utf8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0684cc0d88e58381 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:127
			return readFileSync(join(REPO_ROOT, '.git', refPath), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbe91abe6033c9ca Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:139
	const overrides = JSON.parse(readFileSync(path, 'utf8')) as SpecMapping;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea64ce3150c32af9 Environment-variable access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:181
	const apiKey = process.env.CURRENTS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #676399201f8b1e78 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:221
	writeFileSync(outPath, buf);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d781d3d415dcfeab Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:288
			report = JSON.parse(readFileSync(file, 'utf8')) as JSONReport;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bc5442a54d4e774 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:296
			writeFileSync(join(laneDir, `${stem}.run-report.${index}.json`), body);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7a06e1a53aad63f Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:305
		const report = JSON.parse(readFileSync(path, 'utf8')) as RunReport;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf99c699341c99d Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:367
	writeFileSync(args.out, JSON.stringify(matrix, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0bf2626e3f5ddc8 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-aggregate.ts:372
		writeFileSync(args.markdownOut, renderMarkdown(matrix));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #619df8b02d4825f2 Filesystem access.
repo/packages/testing/playwright/scripts/sizing-matrix-topologies.test.ts:72
		const source = readFileSync(workerCmd, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow production #a0fd9c893511f894 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/api-helper.ts:660 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/api-helper.ts:662 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/api-helper.ts:660
		const response = await this.request.post('/rest/login', {
			data: {
				emailOrLdapLoginId: credentials.email,
				password: credentials.password,
			},
			maxRetries: 3,
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #ff3661bbdc370940 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/public-api-helper.ts:182 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/public-api-helper.ts:164 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/public-api-helper.ts:182
			const acceptResponse = await isolatedContext.post('/rest/invitations/accept', {
				data: { token, firstName, lastName, password },
			});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #b9520bd78f268f37 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/user-api-helper.ts:39 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/user-api-helper.ts:31 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/user-api-helper.ts:39
		const inviteResponse = await this.api.request.post('/rest/invitations', {
			data: [{ email: user.email, role: user.role }],
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow production #8a86dbc415d871c5 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
repo/packages/testing/playwright/services/user-api-helper.ts:55 · flow /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/user-api-helper.ts:31 → /tmp/closeopen-eiu3royx/repo/packages/testing/playwright/services/user-api-helper.ts:55
		const acceptResponse = await this.api.request.post('/rest/invitations/accept', {
			data: {
				token,
				firstName: user.firstName,
				lastName: user.lastName,
				password: user.password,
			},
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs production #d7d19dccf3621bd2 Filesystem access.
repo/packages/testing/playwright/services/workflow-api-helper.ts:2
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2efc04e8925f01e4 Filesystem access.
repo/packages/testing/playwright/services/workflow-api-helper.ts:345
		const fileContent = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #199a9c832567a36e Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:148
		unboundGrowthOutput = await readFile(or.analysisOutputFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #661e9781eeff6035 Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:159
		shapeGrowthOutput = await readFile(sr.analysisOutputFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #650049030d5ede88 Filesystem access.
repo/packages/testing/playwright/utils/benchmark/run-heap-analysis.ts:233
	await writeFile(reportPath, JSON.stringify(report, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8f93f5fc7f38737 Filesystem access.
repo/packages/testing/playwright/utils/path-helper.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #946a7081139f743d Filesystem access.
repo/packages/testing/playwright/utils/performance-helper.ts:342
			await writeFile(`${outputDir}/${label}-smaps-raw.txt`, data.raw);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c1f40079d2bed98 Filesystem access.
repo/packages/testing/playwright/utils/performance-helper.ts:351
		await writeFile(`${outputDir}/${label}-rss-breakdown.json`, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d48febc1b2c94ead Environment-variable access.
repo/packages/testing/playwright/utils/url-helper.ts:14
	return process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c2efd1b4a37c789c Environment-variable access.
repo/packages/testing/playwright/utils/url-helper.ts:23
	return process.env.N8N_EDITOR_URL ?? process.env.N8N_BASE_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b66708f6cbbaa44 Filesystem access.
repo/packages/testing/rules-engine/src/baseline.ts:33
		const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #003f6f81aedfc7b6 Filesystem access.
repo/packages/testing/rules-engine/src/baseline.ts:74
	fs.writeFileSync(filePath, JSON.stringify(baseline, null, '\t') + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d4846a6ecd3e201 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:49
		writeFileSync(join(bs, 'spec_a', '.spec'), 'tests/e2e/a.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d8f24c4fd268e76 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:50
		writeFileSync(join(bs, 'spec_a', 'raw-1.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d92f67a768a8d046 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:52
		writeFileSync(join(bs, 'no_marker', 'raw-1.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2d86e4f1dcefb7d Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:54
		writeFileSync(join(bs, 'no_raw', '.spec'), 'x');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2774142d45f6a7e1 Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:57
		writeFileSync(join(bs, 'spec_jsonl', '.spec'), 'tests/e2e/b.spec.ts');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e28daf1eb5356fde Filesystem access.
repo/packages/testing/test-impact/src/map-build.test.ts:58
		writeFileSync(join(bs, 'spec_jsonl', 'raw-1.jsonl'), '{}\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1d97c0430f3295b Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:66
		const spec = readFileSync(specMarker, 'utf8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df949ce406cb443a Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:84
		writeFileSync(
			join(outDir, `${slug}${suffix}.lcov`),
			forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd57f5b0c372bd19 Filesystem access.
repo/packages/testing/test-impact/src/map-build.ts:86
			forceSpecTn(readFileSync(lcovPath, 'utf8'), spec),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd82a0eb6da526a7 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:29
		fs.writeFileSync(p, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f66b925611fd188 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:57
		fs.writeFileSync(mapPath, '{not valid json,,,');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #050056dd717e4abc Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:73
		fs.writeFileSync(mapPath, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #525809cae9f1b5d7 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:92
		fs.writeFileSync(mapPath, JSON.stringify(interned));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88786e7852100dbf Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:109
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f47cd4ab8a81fd8 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:127
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb9bab4e3b21928e Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:140
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #317edaf91741247d Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:155
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b13ef39fb593cd6f Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:169
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abb6112b58e6e20f Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:191
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c14096d771ea297 Filesystem access.
repo/packages/testing/test-impact/src/select.test.ts:204
		fs.writeFileSync(mapPath, JSON.stringify(map));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b47540578a9ea6fb Filesystem access.
repo/packages/testing/test-impact/src/select.ts:70
		const parsed: unknown = JSON.parse(fs.readFileSync(mapFile, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9af0667ace2e86c Filesystem access.
repo/packages/testing/test-impact/src/select.ts:93
		? parseSpecList(fs.readFileSync(input.allSpecsFile, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13b0b3cc4e7fc492 Environment-variable access.
repo/scripts/agent-setup.mjs:122
	NODE_OPTIONS: process.env.NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4502bd2aef5566eb Environment-variable access.
repo/scripts/agent-setup.mjs:123
		? `${process.env.NODE_OPTIONS} ${NODE_OPTS}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f4cbbb21af41427 Filesystem access.
repo/scripts/agent-setup.mjs:167
	const content = await readFile(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df6c0b34c6dd63a7 Filesystem access.
repo/scripts/agent-setup.mjs:201
	writeFileSync(summaryPath, JSON.stringify(summary, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39104cdee7c39dd6 Filesystem access.
repo/scripts/backend-module/setup.mjs:35
		const content = await readFile(path.join(templateDir, template), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf3aa71e869bd35a Filesystem access.
repo/scripts/backend-module/setup.mjs:36
		await fs.writeFile(target, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d21312c390963682 Environment-variable access.
repo/scripts/build-n8n.mjs:15
const isCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e3c379aab77a7d5 Environment-variable access.
repo/scripts/build-n8n.mjs:19
	process.env.CI === 'true' && process.env.INCLUDE_TEST_CONTROLLER !== 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e80a9655287b960c Environment-variable access.
repo/scripts/build-n8n.mjs:23
process.env.FORCE_COLOR = isCI ? '0' : '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7563904c8e8f7d81 Environment-variable access.
repo/scripts/build-n8n.mjs:131
if (process.env.CI !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6db82d521f52c6da Filesystem access.
repo/scripts/build-n8n.mjs:148
		const packageJsonContent = await fs.readFile(packageJsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e353878b6219fb8 Filesystem access.
repo/scripts/build-n8n.mjs:165
		await fs.writeFile(packageJsonPath, JSON.stringify(packageJson, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3aa73d3e7a2c9196 Filesystem access.
repo/scripts/build-n8n.mjs:186
	const content = await fs.readFile(cliPackagePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0534cb219ea84ed5 Filesystem access.
repo/scripts/build-n8n.mjs:189
	await fs.writeFile(cliPackagePath, JSON.stringify(packageJson, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9778cd9998ee7433 Environment-variable access.
repo/scripts/build-n8n.mjs:198
const generateLicenses = process.env.N8N_GENERATE_LICENSES === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d5d7ea5d6de68b4 Environment-variable access.
repo/scripts/build-n8n.mjs:200
	process.env.npm_config_shamefully_hoist = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c10d23336327cae Environment-variable access.
repo/scripts/build-n8n.mjs:256
		if (process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf310779c2d73ce8 Environment-variable access.
repo/scripts/build-n8n.mjs:267
if (process.env.CI !== 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3f246d9fb4efd14 Filesystem access.
repo/scripts/check-workspace-deps.mjs:12
		const content = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f352bfa14c968b1 Filesystem access.
repo/scripts/check-zod-peer-deps.mjs:55
		const pkg = JSON.parse(readFileSync(file, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b43ec840e85cedd5 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:16
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45f95df85c80b010 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:26
	if (process.env.DOCKER_PLATFORM) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #762642f8b8389fc7 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:27
		return process.env.DOCKER_PLATFORM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c65bb0da997d7981 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:115
	const override = process.env.CONTAINER_ENGINE?.toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6b8cdd552214e85 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:143
const noCache = process.env.DOCKER_BUILD_NO_CACHE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8164ac33b8e01026 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:144
const withBaseImage = process.env.DOCKER_BUILD_BASE_IMAGE === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02d458da987e501e Environment-variable access.
repo/scripts/dockerize-n8n.mjs:145
const nodeVersion = process.env.NODE_VERSION || '24.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11169b4bb04c21a3 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:156
		imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96566261cfac7b0a Environment-variable access.
repo/scripts/dockerize-n8n.mjs:157
		imageTag: process.env.IMAGE_TAG || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae1c6a19e457f4b6 Environment-variable access.
repo/scripts/dockerize-n8n.mjs:164
		imageBaseName: process.env.RUNNERS_IMAGE_BASE_NAME || 'n8nio/runners',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b306226bf7eb4914 Filesystem access.
repo/scripts/format.mjs:3
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7536c79952d6b88 Filesystem access.
repo/scripts/generate-emoji-data.mjs:126
	const rawData = JSON.parse(readFileSync(compactDataPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96e78113c29a9793 Filesystem access.
repo/scripts/generate-emoji-data.mjs:133
	const fullData = JSON.parse(readFileSync(fullDataPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #440f590c63d9a713 Filesystem access.
repo/scripts/generate-emoji-data.mjs:240
	writeFileSync(OUTPUT_PATH, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3806b55a6462cc0a Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:48
	const lucideJson = JSON.parse(readFileSync(LUCIDE_JSON_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f1fe5af2c705ac5 Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:57
			cache = JSON.parse(readFileSync(CACHE_PATH, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e9988e16598b8af Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:79
		writeFileSync(CACHE_PATH, JSON.stringify(cache, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73f81c0673b573ff Filesystem access.
repo/scripts/generate-lucide-icon-data.mjs:128
	writeFileSync(OUTPUT_PATH, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a5c4346c53718db Filesystem access.
repo/scripts/grind.mjs:70
	const pkg = JSON.parse(readFileSync(resolve(pkgRootDir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00b495a354d82140 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:10
const BASE = process.env.N8N_BASE_URL ?? 'http://localhost:5678';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aaea0b534549325 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:11
const KEY = process.env.N8N_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe6e76e508ba5689 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:17
const CLEAR = (process.env.CLEAR ?? 'false').toLowerCase() === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e08ffb7751a2ea21 Environment-variable access.
repo/scripts/instance-seeding/seedInstance.mjs:18
const PERSONAL_WORKFLOWS = Number(process.env.WF_MULTIPLIER) || 50;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a3e941399445742 Filesystem access.
repo/scripts/licenses/check-sbom-licenses.mjs:43
	const raw = await readFile(SPDX_IDS_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8d8ac145e7848cf Filesystem access.
repo/scripts/licenses/check-sbom-licenses.mjs:212
		sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #715377956f13f01d Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:53
		const raw = await readFile(OVERRIDES_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a210754fcdaa7c50 Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:124
				const pkg = JSON.parse(await readFile(path.join(dir, entry.name), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e1dd1ac7afdf35d Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:272
	const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #401aba215d74187b Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:279
		licenseText = (await readFile(licenseFile, 'utf-8')).trim() || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #839bc166cc4deb1b Filesystem access.
repo/scripts/licenses/enrich-sbom.mjs:319
	await writeFile(outputPath, JSON.stringify(enriched, null, 2) + '\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec8b596a050acdd3 Filesystem access.
repo/scripts/licenses/enrich-sbom.test.mjs:251
			await writeFile(path.join(dir, rel), JSON.stringify(json));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94441ae3ce8f4735 Filesystem access.
repo/scripts/licenses/pipeline.test.mjs:53
		const sbom = JSON.parse(await readFile(enriched, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c82e001aa58aa074 Filesystem access.
repo/scripts/licenses/properties.test.mjs:71
		const raw = JSON.parse(readFileSync(path.join(HERE, 'spdx-license-ids.json'), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455d33000fb0358b Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:90
			const text = await readFile(path.join(resolvedPkgDir, candidate), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6573373ae0131737 Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:123
		const raw = await readFile(OVERRIDES_PATH, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fcbe9090799681d Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:254
	const sbom = JSON.parse(await readFile(sbomPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #148e43b4e2275b64 Filesystem access.
repo/scripts/licenses/render-licenses-md.mjs:285
	await writeFile(outputPath, markdown);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9866131664ef1e92 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:418
		await writeFile(path.join(pkgDir, 'LICENSE'), 'PKGA LICENSE TEXT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ff5dceadc257a17 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:426
		await writeFile(path.join(pkgDir, 'LICENSE.md'), 'SCOPED PKGB TEXT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a707e73f255766e Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:434
		await writeFile(path.join(pkgDir, 'README.md'), 'not a license');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cb0dc831d5efa32 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:435
		await writeFile(path.join(pkgDir, 'CHANGELOG'), 'not a license');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9bd4906d1641d87 Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:436
		await writeFile(path.join(pkgDir, 'package.json'), '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96687f435a7ae56b Filesystem access.
repo/scripts/licenses/render-licenses-md.test.mjs:437
		await writeFile(path.join(pkgDir, 'COPYING'), 'COPYING IS A LICENSE');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #381a023d1de4cbd0 Filesystem access.
repo/scripts/mutation-health/build-matrix.mjs:202
	writeFileSync(file, JSON.stringify(coverageMap));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51b6c950d5205995 Filesystem access.
repo/scripts/mutation-health/build-matrix.mjs:210
		return parseLedgerBody(readFileSync(ledgerFile, 'utf8')).rows;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c1225a99b3c418f Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:241
	const sourceFile = (process.env.SOURCE_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc70ba7bca7aad1b Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:242
	const requestedMode = (process.env.REQUESTED_MODE ?? 'both').trim() || 'both';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adaf9f3a575c1fa6 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:243
	const topNRaw = (process.env.TOP_N ?? '6').trim() || '6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec6dc678017598f8 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:244
	const ledgerFile = (process.env.LEDGER_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a445c94370b5c63 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:245
	const signalsFile = (process.env.SIGNALS_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #546ea377b8f86baa Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:246
	const coverageFile = (process.env.COVERAGE_FILE ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d01dd630cc957ce4 Environment-variable access.
repo/scripts/mutation-health/build-matrix.mjs:267
	const bootstrapRaw = (process.env.BOOTSTRAP_PACKAGES ?? '').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02a3ecd68e3eac9a Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:309
	const summary = JSON.parse(await readFile(summaryPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b76367f63da64ffe Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:331
		const signals = JSON.parse(await readFile(signalsPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3d952c4f2761eaa Filesystem access.
repo/scripts/mutation-health/emit-payload.mjs:362
	await writeFile(outPath, JSON.stringify({ ledger, events }, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8586177d8cc479ac Filesystem access.
repo/scripts/mutation-health/ledger.mjs:48
	const raw = await readFile(path, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbd6ad11672a088f Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:116
		writeFileSync(file, body(MULTI_PKG_FIXTURE));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3476377bfe8978a4 Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:123
		writeFileSync(file, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5c997a252dad945 Filesystem access.
repo/scripts/mutation-health/ledger.test.mjs:130
		writeFileSync(file, body(MULTI_PKG_FIXTURE));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eefcc65e0c9eb6dc Environment-variable access.
repo/scripts/mutation-health/mutate.mjs:67
const THRESHOLD = Number(process.env.STRYKER_THRESHOLD ?? 80);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78a11de3aa794944 Filesystem access.
repo/scripts/mutation-health/mutate.mjs:394
		await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c030d7dd1be36d63 Filesystem access.
repo/scripts/mutation-health/mutate.mjs:407
	const raw = JSON.parse(await readFile(rawJsonPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e3bf15249f7ce415 Filesystem access.
repo/scripts/mutation-health/mutate.mjs:419
	await writeFile(summaryJsonPath, JSON.stringify(summary, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbe5b0c2e7204434 Filesystem access.
repo/scripts/mutation-health/pick-next.mjs:369
		return JSON.parse(await readFile(resolved, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9c94a5a9b7d7698 Filesystem access.
repo/scripts/mutation-health/pick-next.mjs:497
	const pkgName = JSON.parse(await readFile(pkgJsonPath, 'utf8')).name;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f4892c347092610 Environment-variable access.
repo/scripts/mutation-health/stryker.default.mjs:34
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc59f7c89ac821cd Environment-variable access.
repo/scripts/prepare.mjs:6
if (process.env.CI || process.env.DOCKER_BUILD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78ddc62b0edbce97 Environment-variable access.
repo/scripts/reset.mjs:8
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84a2d75aae6baf85 Environment-variable access.
repo/scripts/reset.mjs:32
const nodeOptions = process.env.NODE_OPTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da69c596e5dc8350 Environment-variable access.
repo/scripts/reset.mjs:33
	? `${process.env.NODE_OPTIONS} --max-old-space-size=${mem}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b033e85a18439afe Environment-variable access.
repo/scripts/scan-n8n-image.mjs:11
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a43950fe4f9420a Environment-variable access.
repo/scripts/scan-n8n-image.mjs:18
	const resolved = path.resolve(process.env[envVar] || path.join(rootDir, defaultRelPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c302beed723f4342 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:28
	imageBaseName: process.env.IMAGE_BASE_NAME || 'n8nio/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20d717933cc10123 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:29
	imageTag: process.env.IMAGE_TAG || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d174d677e1d47b3 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:30
	trivyImage: process.env.TRIVY_IMAGE || 'aquasec/trivy:latest',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcb546bd611c3187 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:31
	severity: process.env.TRIVY_SEVERITY || 'CRITICAL,HIGH,MEDIUM,LOW',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44a9503f78afd840 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:32
	outputFormat: process.env.TRIVY_FORMAT || 'table',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f2bfc5b9c762f31 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:33
	outputFile: process.env.TRIVY_OUTPUT || null,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #037791e1a248e2ff Environment-variable access.
repo/scripts/scan-n8n-image.mjs:34
	scanTimeout: process.env.TRIVY_TIMEOUT || '10m',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac4ef876a86eacec Environment-variable access.
repo/scripts/scan-n8n-image.mjs:35
	ignoreUnfixed: process.env.TRIVY_IGNORE_UNFIXED === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96b945d2f8c1fc67 Environment-variable access.
repo/scripts/scan-n8n-image.mjs:36
	scanners: process.env.TRIVY_SCANNERS || 'vuln',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb6b56c5a0ef593c Environment-variable access.
repo/scripts/scan-n8n-image.mjs:37
	quiet: process.env.TRIVY_QUIET === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d9d1766fdd94edf Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:11
process.env.FORCE_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29565ba3d63faa1b Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:13
const IMAGE = process.env.SMOKE_IMAGE || 'n8nio/n8n:local';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9835ca050cb4806b Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:24
	ref: process.env.CLOUD_CHART_REF || 'main',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d624bf5b5b394102 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:27
	chartPath: process.env.CLOUD_CHART_PATH || 'packages/instance-controller/charts/n8napp/n8n',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6dbefc9392a8b87 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:29
		process.env.CLOUD_CHART_VALUES ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cee2a2eee38e349 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:81
const cloud = process.env.SMOKE_SKIP_CLOUD === 'true' ? [] : await fetchCloudInvocations();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #840de53ef70f4651 Environment-variable access.
repo/scripts/smoke-n8n-image.mjs:82
if (process.env.SMOKE_SKIP_CLOUD !== 'true' && cloud.length === 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4cf8b1adeb7f6db Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:62
		const pkg = JSON.parse(readFileSync(join(asDir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b72aabce14361a0a Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:78
	const pkg = JSON.parse(readFileSync(join(dir, 'package.json'), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9c9f484f52e7623 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:212
		? JSON.parse(readFileSync(resultsFile, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61406b0554a2bd41 Filesystem access.
repo/scripts/typescript-migration/benchmark.mjs:221
	writeFileSync(resultsFile, `${JSON.stringify(data, null, 2)}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71f9ff43b4ce3c83 Filesystem access.
repo/scripts/typescript-migration/summarize.mjs:96
		.map((f) => JSON.parse(readFileSync(join(RESULTS_DIR, f), 'utf8')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d42565549f1753e Filesystem access.
repo/scripts/typescript-migration/summarize.mjs:121
	writeFileSync(out, `${md.join('\n')}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/instance-ai

npm first-party
high pii_flow production #6c140810cc12526f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219 · flow /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:222 → /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:219
	const response = await fetch(getOpenAiResponsesUrl(model.url), {
		method: 'POST',
		headers: {
			Authorization: `Bearer ${model.apiKey}`,
			'Content-Type': 'application/json',
		},
		body: JSON.stringify(requestBody),
		signal: abortSignal,
	});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2d05725209553939 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74 · flow /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:75 → /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:74
		const response = await fetch(new URL(path, this.config.baseUrl), {
			headers: { Authorization: `Bearer ${this.config.apiKey}` },
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #ea717e7a43431789 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91 · flow /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:94 → /tmp/closeopen-eiu3royx/repo/packages/@n8n/instance-ai/evaluations/langtracer/client.ts:91
		const response = await fetch(new URL(path, this.config.baseUrl), {
			method,
			headers: {
				Authorization: `Bearer ${this.config.apiKey}`,
				'Content-Type': 'application/json',
			},
			body: JSON.stringify(body),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 324 low-confidence finding(s)
low env_fs test-only #26e9ca9882b188a4 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/case-files-schema.test.ts:19
		const raw = jsonParse<unknown>(readFileSync(join(WORKFLOWS_DIR, file), 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #368ccc396684c6f3 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:18
			originalEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a42495b416e2b4c1 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:19
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7153b1ba7dbabb2a Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:26
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0fc5ccef71a41a2f Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:28
				process.env[key] = originalEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #adf1bfaa2f763f52 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:35
			process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ceb16b3d7731467 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:36
			process.env.GITHUB_SHA = '357e949547671e2cd1c017eb4e7c809cd55bd121';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #efcdd441ca18fd6b Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:40
			process.env.LANGSMITH_BRANCH = 'feature-branch';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #32bfb29f94f10a37 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:41
			process.env.GITHUB_HEAD_REF = 'should-not-be-used';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2772f2bc7f798fc5 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:42
			process.env.GITHUB_REF_NAME = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be430d669cdd7239 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:48
			process.env.GITHUB_HEAD_REF = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #448ab84e99156ee2 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:49
			process.env.GITHUB_REF_NAME = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03e4075355a42995 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:55
			process.env.GITHUB_REF_NAME = 'master';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b922046160c229e8 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:61
			process.env.LANGSMITH_BRANCH = '30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65ef9a25cb245b1d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:67
			process.env.LANGSMITH_BRANCH = 'feature//thing';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5087d6a7d36b4332 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:73
			delete process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92e980eee6dbe280 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:74
			process.env.LANGSMITH_BRANCH = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0911c4d5ac04ef3e Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:86
			process.env.LANGSMITH_BRANCH = 'should-not-be-used';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #08bc97d889525578 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:109
			originalEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f35896821f3b5691 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:110
			delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff14c6a2f262f7c3 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:117
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5678537576168475 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:119
				process.env[key] = originalEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #28ffe353ae99e0eb Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:129
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #427ee35d98536403 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:130
		process.env.GITHUB_EVENT_NAME = 'pull_request_review';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42c9ffa165ad4a26 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:131
		process.env.GITHUB_RUN_ID = '12345';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee2d3f138feeee26 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:141
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f03caf133b059b9 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:142
		process.env.LANGSMITH_BRANCH = 'feature-x';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20b39b9335988731 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:143
		process.env.LANGSMITH_REVISION_ID = '357e949547671e2cd1c017eb4e7c809cd55bd121';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f8171839238358aa Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/ci-metadata.test.ts:144
		process.env.GITHUB_REF = 'refs/pull/30711/merge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cbdbe965251eceb8 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:53
		writeFileSync(path, JSON.stringify(makeSeed()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f0db78b2cc9d2a0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:62
		writeFileSync(path, JSON.stringify({ messages: [{ id: 'm1' }] }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #000dab82e4806fb1 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/conversation-seed.test.ts:69
		writeFileSync(path, JSON.stringify({ messages: [] }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b79cd7b73f0bba0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/data-workflows-schema.test.ts:9
import { readdirSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a09885f5fcf0ff43 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/data-workflows.test.ts:9
import { readdirSync, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7da6bc6443628498 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder-timeout.test.ts:3
import { mkdtempSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6064a268b0ec6e6 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:3
import { mkdtempSync, readFileSync, rmSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4e306a5a64f9a42 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:221
		const logged = readFileSync(String(result.logFile), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0b8d945df15c95e9 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/mcp-builder.test.ts:271
			const parsed: unknown = JSON.parse(readFileSync(path, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f82ae9f1a2d7c93a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:1
import { mkdtempSync, rmSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c623ba53753a42ad Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:30
		writeFileSync(path, JSON.stringify(content));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ef5e21743b1bbba Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/prebuilt-workflows.test.ts:56
		writeFileSync(path, '{ this is not json');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2af2bcbe7f516fe Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/__tests__/stub-services.test.ts:15
	await fs.writeFile(file, JSON.stringify(entries), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c11b1719c4c3efd2 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/checklist/verifier.ts:38
const VERIFIER_DEBUG = process.env.N8N_EVAL_VERIFIER_DEBUG === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c499c8533ee59b70 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/args.ts:190
	if (validated.buildViaMcp && !process.env.LANGSMITH_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #600c8da6c23bbede Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:8
import { existsSync, mkdirSync, readFileSync, readdirSync, unlinkSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26deff66d9f413ed Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:248
	const content = readFileSync(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dc105195c3d0ef6 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:373
	writeFileSync(args.manifestPath, JSON.stringify(manifest, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eb07e489e2552a3 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:402
	writeFileSync(args.statsPath, JSON.stringify(stats, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c9e275ad53a2851 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/build-mcp-manifest.ts:572
	console.log(readFileSync(args.manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83e0e672c9479560 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:31
	const isCI = process.env.GITHUB_ACTIONS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b443e1401672914 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:39
		trigger: process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72b2864cb855ddf4 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:40
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e21e2c71dbfcf5fa Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:42
			process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35bbd9281ee6dd2d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:43
		commitSha: process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7da33667bb5be738 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:45
		prNumber: process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//)?.[1],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a7d77537a491634 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:70
	if (process.env.GITHUB_ACTIONS !== 'true') return undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68b15194b61954e2 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:73
		process.env.LANGSMITH_BRANCH ?? process.env.GITHUB_HEAD_REF ?? process.env.GITHUB_REF_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1057fdb5baa4d851 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/ci-metadata.ts:74
	const sha = process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cf4cdb3211809ca Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:163
		fs.readFile(summaryPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea75bc772d86dc58 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:164
		fs.readFile(resultsPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4219d46f7756c91e Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:421
		return await fs.readFile(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c572a22acc3f87a8 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/compare-pairwise.ts:1256
	await fs.writeFile(args.out, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9079e98fa7772cfe Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:11
import { mkdirSync, unlinkSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #294c17cccc65e2bf Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:392
		const hasLangSmith = Boolean(process.env.LANGSMITH_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b397e4f806d408e6 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:435
		const commitSha = process.env.LANGSMITH_REVISION_ID ?? process.env.GITHUB_SHA;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad65b1dca6847ce5 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:1628
	writeFileSync(jsonPath, JSON.stringify(report, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1464d88b559c5ea Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/index.ts:1634
	writeFileSync(
		prCommentPath,
		formatComparisonMarkdown(evaluation, outcome, {
			commitSha,
			slugByTestCase,
			rerun,
			gate,
			passMetrics: { passAtK: metrics.passAtK, passHatK: metrics.passHatK },
			experimentUrl,
		}),
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8ae985f174ce45f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:18
import { existsSync, readFileSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5b82b897aab5c4f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:39
	const content = readFileSync(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c840b3b5a89da66f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:69
	writeFileSync(tmpPath, JSON.stringify({ mcpServers: { [serverName]: block } }), { mode: 0o600 });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62e1da93daa79b30 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/mcp-builder.ts:314
			writeFileSync(logFile, stdout || stderr || fallback);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53c434c653b3159a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:81
		const content = readFileSync(exampleIdsFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bc6e9f03e3b1486 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:105
		baseUrl: get('--base-url') ?? process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #351f02c529f49012 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:189
	const content = readFileSync(absolute, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17b66d59cbb6dbc7 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:456
				await fs.writeFile(workflowPath, JSON.stringify(record.workflow, null, 2), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a597412ec76d1eca Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:460
	await fs.writeFile(jsonlPath, lines.join('\n') + '\n', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11c1090a6b26ad08 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:501
	await fs.writeFile(csvPath, [csvHeader, ...csvRows].join('\n') + '\n', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ef1039a14d1ce24 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:592
	await fs.writeFile(
		path.join(outputDir, 'summary.json'),
		JSON.stringify(summary, null, 2),
		'utf8',
	);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #510bcbb9a8f116db Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:617
		await fs.writeFile(reportFile, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c250d3bc56c733e Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/cli/pairwise.ts:637
	const apiKey = process.env.N8N_AI_ANTHROPIC_KEY ?? process.env.ANTHROPIC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f592144bbb62a5d9 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:124
				fs.readFile(summaryPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #414e6f71958a5785 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:125
				fs.readFile(resultsPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fb69e781d261167 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/cli/report.ts:674
	await fs.writeFile(args.reportFile, html, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #850dc7b1681c3f05 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:142
		const loginEmail = email ?? process.env.N8N_EVAL_EMAIL ?? '[email protected]';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ac6c6742409834f Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/clients/n8n-client.ts:143
		const loginPassword = password ?? process.env.N8N_EVAL_PASSWORD ?? 'PlaywrightTest123';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #93ccd324fb0469c1 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:19
		await writeFile(join(dir, 'README.md'), '# hello');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5080c1a9d72e7c58 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:26
		await writeFile(join(dir, 'docs', 'workflow.md'), '...');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ef1012a43bb2d446 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:32
		await writeFile(join(dir, 'readme.txt'), '...');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7fe53feada56ac2 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:40
			await writeFile(join(outside, 'secret.md'), 'should not be readable');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bc4a5cbde3457cf2 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:54
			await writeFile(join(parent, 'sibling.md'), '# sibling');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #95ba4badd774a884 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:83
		await writeFile(join(dir, 'leftover.md'), '# still here');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #420ce5728f4bc36c Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:93
		await writeFile(join(dir, 'project', 'briefing.md'), '# moved');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31d1adce3c7b2e11 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:114
		await writeFile(join(dir, 'doc.md'), '# Architecture\n\nThis describes the workflow.');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ebf4fc55f8d9a5a Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:124
		await writeFile(join(dir, 'doc.md'), 'random unrelated content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #708a5880ed9ed99d Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/__tests__/graders-fs.test.ts:134
		await writeFile(join(dir, 'doc.md'), '# Architecture only');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #250e0e23affd0dfe Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:137
		const raw = await readFile(join(dataDir, file), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f11ec282827f5811 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:213
		const raw = await readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #776e8694302b0d99 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:295
	await writeFile(reportPath, JSON.stringify(report, null, 2), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69b7f584e8ce05fd Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/cli.ts:302
		await writeFile(htmlPath, renderHtml(report), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #854e78b0162e1826 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/graders/fs.ts:75
			content = await readFile(absPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70e547e4a3622a5 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/render-existing.ts:15
const report = jsonParse<RunReport>(readFileSync(inputPath, 'utf-8'), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2b86f2184a19eaf Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/render-existing.ts:18
writeFileSync(outputPath, renderHtml(report), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #140bce07758b6f69 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/computer-use/runner.ts:205
	const raw = await readFile(fixturePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b69cd4813151705 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/credentials/seeder.ts:120
		const envToken = template.envVar ? process.env[template.envVar] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7839e2d18c5d946 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/data/discovery/index.ts:1
import { readFileSync, readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f375c2436744a13 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/data/discovery/index.ts:13
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77c0be65893f675d Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/discovery/cli.ts:37
const DEFAULT_MODEL = process.env.N8N_INSTANCE_AI_EVAL_MODEL ?? 'anthropic/claude-sonnet-4-6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c8dbd46daf66259 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/discovery/cli.ts:266
	if (!process.env.ANTHROPIC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45b4c9a9f9ef3889 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:292
	return jsonParse<T>(readFileSync(filePath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f1bca3a2fadb5ac Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:354
		model: (process.env.N8N_INSTANCE_AI_MODEL ?? 'openai/gpt-5.5').split('/').at(-1) ?? 'gpt-5.5',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53eb5ed1e65d3612 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/export-latest-verifier-request.ts:404
	writeFileSync(outputPath, JSON.stringify(requestBody, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19c2f747ac4d8eb1 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/conversation-seed.ts:63
		raw = JSON.parse(readFileSync(filePath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80b53cb0b93c0ed8 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:90
		process.env.LANGSMITH_ENDPOINT ?? process.env.LANGCHAIN_ENDPOINT ?? US_DEFAULT_ENDPOINT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #719bd65f1209c6d4 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:92
	const homeKey = process.env.LANGSMITH_API_KEY ?? process.env.LANGCHAIN_API_KEY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #901a0cd9e8063c93 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:98
	const usHost = bareHost(process.env.LANGSMITH_ENDPOINT_US ?? US_DEFAULT_ENDPOINT);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d91091f52f98c98c Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/langsmith-seed.ts:100
		const usKey = process.env.LANGSMITH_API_KEY_US ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eff50ecbf059ec9e Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/prebuilt-workflows.ts:20
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48bebe8e2e4c4ea4 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/prebuilt-workflows.ts:36
		raw = JSON.parse(readFileSync(path, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e8d53cad4f5ba5c Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:115
	const raw = process.env.N8N_EVAL_MAX_CONCURRENT_SCENARIOS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cefca7bf9cfceb0 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:209
		await writeFile(
			filePath,
			JSON.stringify(
				{
					timestamp,
					workflowId: input.workflowId,
					testCaseName: input.testCaseName,
					scenarioName: input.scenarioName,
					passed: input.passed,
					result: input.result ?? null,
					verificationResults: input.verificationResults,
					verifierAttempts: input.verifierAttempts,
					buildTrace: input.buildTrace ?? null,
				},
				null,
				2,
			),
			'utf8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83f3c7650a580591 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1553
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5550872b4fac0a8e Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1554
			process.env.N8N_AI_ANTHROPIC_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65faf165a56fad68 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/harness/runner.ts:1555
			process.env.ANTHROPIC_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b8e7b08d1282d5b Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/harness/stub-services.ts:325
		content = await fs.readFile(jsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f8b929d76c342ef Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:25
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5fad2c9c032805f Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:426
	fs.writeFileSync(reportPath, html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #851d70da2e8315dc Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/run-debug-report.ts:427
	fs.writeFileSync(path.join(reportDir, 'workflow-eval-llm-debug.html'), html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da58ff4c6321afed Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:10
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24c575231f6533c6 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:1641
	fs.writeFileSync(reportPath, html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5aa6d3cab9e413ec Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/report/workflow-report.ts:1644
	fs.writeFileSync(path.join(reportDir, 'workflow-eval-report.html'), html);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa6bf396cd472463 Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:56
		modelId: process.env.N8N_INSTANCE_AI_EVAL_MODEL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59c5edba2f5a855c Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:58
		baseUrl: process.env.N8N_EVAL_BASE_URL ?? 'http://localhost:5678',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f94808de87faa57 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:125
		const raw = readFileSync(join(DATA_DIR, file), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f7e3eca51795c1e Environment-variable access.
repo/packages/@n8n/instance-ai/evaluations/subagent/cli.ts:218
	const apiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16181f218cbe20d8 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/get-json-files.ts:1
import { readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d693286c0bc7fee2 Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/load-eval-cases.ts:1
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c200a30485fae71e Filesystem access.
repo/packages/@n8n/instance-ai/evaluations/utils/load-eval-cases.ts:16
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de55063b0d495f21 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:38
	return process.env.N8N_VERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5248cd99614a6ff3 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:55
	const apiKey = process.env.DAYTONA_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcf6b4c07976bf93 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:60
	const apiUrl = process.env.DAYTONA_API_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f02bc3c741d59d97 Environment-variable access.
repo/packages/@n8n/instance-ai/scripts/build-snapshot.cjs:63
	const baseImage = process.env.SANDBOX_IMAGE || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a2b062c7e6754e9 Filesystem access.
repo/packages/@n8n/instance-ai/scripts/print-prompts.ts:12
import { mkdirSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53c42bc6caf0f693 Filesystem access.
repo/packages/@n8n/instance-ai/scripts/print-prompts.ts:146
			writeFileSync(target, renderFile(agent, variant), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76be8d8567a9c8d2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:3
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c63be96e6039167 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:10
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ceff03bc96ec8741 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:12
		process.env.N8N_ENABLED_MODULES = enabledModules;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34fe078a72c47f91 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:21
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee594b71ea85e6a8 Environment-variable access.
repo/packages/@n8n/instance-ai/src/agent/__tests__/system-prompt.test.ts:23
		process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2388aa56ac6c4ef1 Filesystem access.
repo/packages/@n8n/instance-ai/src/knowledge-base/materialize-knowledge-base.ts:177
			entry.content ?? (await readFile(join(referenceSourceDir, entry.fileName), 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e1097d7da353f9eb Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:7
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54735acab69b5d2e Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:12
			delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3466cc006f5dfee7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:14
			process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4284cc4a07065122 Filesystem access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:19
		const skill = readFileSync(
			join(INSTANCE_AI_SKILLS_DIR, 'workflow-builder', 'SKILL.md'),
			'utf-8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1288d72d25a206ba Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:369
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29939ccc2fac8f25 Environment-variable access.
repo/packages/@n8n/instance-ai/src/skills/__tests__/runtime-skills.test.ts:371
		process.env.N8N_ENABLED_MODULES = enabledModules;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9441f229f73aa679 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:527
				const originalE2ETests = process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2fea2429e6f539e4 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:528
				process.env.E2E_TESTS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f0c0313a5fd4bf0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:563
						delete process.env.E2E_TESTS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c50a8eddb562eb66 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/__tests__/executions.tool.test.ts:565
						process.env.E2E_TESTS = originalE2ETests;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #290ea5ffd1695d76 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/instance-ai/src/tools/__tests__/n8n-docs.tool.test.ts:127
		expect(registry.byUrl.get(GOOGLE_OAUTH_URL)?.title).toBe('Google: OAuth2 single service');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #9f4f67b611d85207 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/instance-ai/src/tools/__tests__/n8n-docs.tool.test.ts:128
		expect(registry.byUrl.get(FIGMA_CREDENTIALS_URL)?.title).toBe('Figma credentials');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3521b2e46ef4da3e Environment-variable access.
repo/packages/@n8n/instance-ai/src/tools/executions.tool.ts:189
	if (process.env.E2E_TESTS !== 'true' || allowList === undefined) return undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07c91986939bc17b Filesystem access.
repo/packages/@n8n/instance-ai/src/tools/workflows/build-workflow.tool.ts:230
		const raw = readFileSync(
			join(INSTANCE_AI_SKILLS_DIR, POST_BUILD_FLOW_SKILL_ID, 'SKILL.md'),
			'utf-8',
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b77aa155782c2292 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:346
	const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0bb0d84f46a9e854 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:347
	const originalLangSmithTracing = process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7792f86ed69db69a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:348
	const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbef735578b4b2c0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:349
	const originalLangSmithProject = process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #430e08d314ae4aa2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:350
	const originalLangChainProject = process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90d0f9c990882c2b Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:351
	const originalTraceInternal = process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2ff92140f9f42cca Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:352
	const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #73de7326dab98075 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:357
		process.env.LANGSMITH_API_KEY = 'test-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #934909b0fb3c1507 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:358
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a4af22cc8752e776 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:359
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4f09174364e803a4 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:360
		delete process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #59eb06f39511531a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:361
		delete process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4d3aee48c41f7b3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:362
		delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4814b393a5a78da0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:363
		delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a53758bd28cb30e1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:367
		process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd492caa9c08358a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:369
			delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b3c96742b080e69 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:371
			process.env.LANGSMITH_TRACING = originalLangSmithTracing;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ca6a51be99f323b Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:374
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #866e0c3ea1e2f470 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:376
			process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e86c53ab9fe5aeba Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:379
			delete process.env.LANGSMITH_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ec835edd7065c05a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:381
			process.env.LANGSMITH_PROJECT = originalLangSmithProject;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d77d33f374be02bc Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:384
			delete process.env.LANGCHAIN_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92ad46fea75f18eb Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:386
			process.env.LANGCHAIN_PROJECT = originalLangChainProject;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7a2d63a5a451896d Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:389
			delete process.env.N8N_INSTANCE_AI_TRACE_INTERNAL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #534ff1e0c5fd1ce9 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:391
			process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = originalTraceInternal;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #356124e4d5e85eb1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:394
			delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9f3ce396a8d2394 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:396
			process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a2c52046d2bbd75d Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:478
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #387bb90c0097623f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:479
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8f872e93ea7a76a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:489
		expect(process.env.LANGSMITH_TRACING).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #246b6eadad431a4f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:490
		expect(process.env.LANGCHAIN_TRACING_V2).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2897fb2f9a0a410 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:506
		process.env.LANGSMITH_PROJECT = 'instance-ai-evals';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #268b60c03f1f6031 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1152
		process.env.N8N_INSTANCE_AI_TRACE_INTERNAL = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d091deb597ffb35a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1962
		delete process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1a624bf139de5886 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1963
		delete process.env.LANGCHAIN_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3da28e191e9d8199 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1964
		delete process.env.LANGSMITH_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7b5d2a308317a4eb Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1965
		delete process.env.LANGCHAIN_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a608361f04a3599 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1966
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4822811523b2343b Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1967
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cb6ed47761db0f3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:1988
		process.env.N8N_DIAGNOSTICS_ENABLED = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5887f98453ec7881 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2134
		process.env.LANGCHAIN_TRACING_V2 = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c9b64a57aa28e13 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2154
	const originalLangSmithApiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35b94405ee551a5f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2155
	const originalLangSmithTracing = process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92744ff0c524f7c3 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2156
	const originalLangChainTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12c9dc315fa0b3ce Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2157
	const originalDiagnosticsEnabled = process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c49a4af5757a97d Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2162
		process.env.LANGSMITH_API_KEY = 'test-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5847b496e5e97fd6 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2163
		delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c5a5c03a3264b3f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2164
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f43af07c57bc84f Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2165
		delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d634e9652445000a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2169
		process.env.LANGSMITH_API_KEY = originalLangSmithApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e72c707c05160c6 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2171
			delete process.env.LANGSMITH_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0193813788999b9a Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2173
			process.env.LANGSMITH_TRACING = originalLangSmithTracing;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #97ad9434b1d384eb Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2176
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42557b665c7933bb Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2178
			process.env.LANGCHAIN_TRACING_V2 = originalLangChainTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #18511533c6881839 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2181
			delete process.env.N8N_DIAGNOSTICS_ENABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3ac04c0fb3b1f3a8 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2183
			process.env.N8N_DIAGNOSTICS_ENABLED = originalDiagnosticsEnabled;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #916bf6980f47d412 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2217
		delete process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c0bdf34de567d5a0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/__tests__/langsmith-tracing.test.ts:2218
		process.env.LANGCHAIN_TRACING_V2 = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #993c812b245e029e Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:671
	return process.env.LANGSMITH_PROJECT ?? process.env.LANGCHAIN_PROJECT ?? DEFAULT_PROJECT_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #388765fd46d68786 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:675
	if (readBooleanEnvFlag(process.env.N8N_DIAGNOSTICS_ENABLED) === false) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ea566ae98ad1ca2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:680
		process.env.LANGCHAIN_TRACING_V2 ?? process.env.LANGSMITH_TRACING,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2ea943f6636d03d Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:690
		process.env.LANGSMITH_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #017e5b07f4561a49 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:691
			process.env.LANGCHAIN_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9025f65d2755fe1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:692
			process.env.LANGSMITH_ENDPOINT ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf2e8259f28c28a7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:693
			process.env.LANGCHAIN_ENDPOINT ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2e2e904905b8f3d Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:700
		process.env.N8N_INSTANCE_AI_TRACE_INTERNAL === 'true' ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace60225a5fef141 Environment-variable access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:701
		process.env.N8N_INSTANCE_AI_TRACE_INCLUDE_INTERNAL === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cc918733ddfc83c Filesystem access.
repo/packages/@n8n/instance-ai/src/tracing/langsmith-tracing.ts:1496
				return extractPackageVersion(JSON.parse(await readFile(packageJsonPath, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8f0225afea83f99 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:3
const ORIGINAL_ENABLED_MODULES = process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #98af3cebea8518fa Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:8
			delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f03a84b8eb47d1d4 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:10
			process.env.N8N_ENABLED_MODULES = ORIGINAL_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0eebb45d629c4bda Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:15
		delete process.env.N8N_ENABLED_MODULES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe4a4bdb2ce69bcb Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:21
		process.env.N8N_ENABLED_MODULES = 'instance-ai';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #daf4b2883e95e11d Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:27
		process.env.N8N_ENABLED_MODULES = 'instance-ai,agents';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #365ef1fb817151c5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/agent-feature-enabled.test.ts:33
		process.env.N8N_ENABLED_MODULES = ' instance-ai, agents ';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8f3479e1e1a06d76 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:38
		delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb9d97e7b47e12ad Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:54
		process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df71e0315c840e2e Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:63
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY = 'generic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #68efc72c159bfdd0 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:64
		process.env.N8N_AI_ANTHROPIC_KEY = 'legacy-anthropic-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #125089c702e3a9ed Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:65
		process.env.ANTHROPIC_API_KEY = 'provider-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3f6c6760267a632c Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/__tests__/eval-agents.test.ts:73
		process.env.OPENAI_API_KEY = 'openai-key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be47b545f1c3d487 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/agent-feature-enabled.ts:5
		(process.env.N8N_ENABLED_MODULES ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a1705128e96ea99 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:38
		process.env.N8N_INSTANCE_AI_EVAL_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be742ac96bcb72dd Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:39
		process.env.N8N_INSTANCE_AI_MODEL ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a89f9e16fa431e20 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:47
	const providerKey = providerKeyEnv ? process.env[providerKeyEnv] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab0e2abeb37637e5 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:49
		process.env.N8N_INSTANCE_AI_MODEL_API_KEY ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea9d30eeaf4a1e81 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:50
		(provider === 'anthropic' ? process.env.N8N_AI_ANTHROPIC_KEY : undefined) ??

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bb50a80753ab632 Environment-variable access.
repo/packages/@n8n/instance-ai/src/utils/eval-agents.ts:68
	const url = process.env.N8N_INSTANCE_AI_MODEL_URL?.trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ce021e7f31307d2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:155
		const cachedArchive = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #42ba5ba6f7f5b30a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:157
		const cachedEtag = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #605e68924c1c08a2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:159
		const cachedSha = await fsp.readFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea1cb4f6e7f0370f Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:272
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #824767ff0d968bb7 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:273
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"pre-existing"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c309d3d6653409c4 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:274
		await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54d0f581e30b0915 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:316
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"orphan"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1acfe946dcb1bdad Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:332
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3ff1651ffc953ac Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:354
		await fsp.writeFile(path.join(blockedArchivePath, 'block'), '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c93aa41f22de4c8 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:362
		const etagOnDisk = await fsp.readFile(path.join(cacheDir, 'etag.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0c2a1b698df1162c Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:442
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), corruptArchive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b92ab9b09d621b00 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:443
		await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"stale"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91fbdeb87b41586e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:444
		await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'exact');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a02d91da753b091c Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:446
		await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), 'deadbeef'.repeat(8));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0d5bf62219737891 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:523
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), legacyArchive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b0568c035c4c70a6 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:524
			await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"legacy-etag"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abab8a1f8080a7da Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:525
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(legacyArchive));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cce3e942c89314b0 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:539
			const channelOnDisk = await fsp.readFile(path.join(cacheDir, 'channel.txt'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e18c2bed1e819405 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:547
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz'), archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0ceda6fa1edf05dd Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:548
			await fsp.writeFile(path.join(cacheDir, 'etag.txt'), '"latest-etag"');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e6452b96e40dcdd Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:549
			await fsp.writeFile(path.join(cacheDir, 'templates.tar.gz.sha256'), sha256Hex(archive));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd8adb993a0c2677 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:550
			await fsp.writeFile(path.join(cacheDir, 'channel.txt'), 'latest');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4bc9b4e916fabf6b Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:609
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #725872d67fb7c32d Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:610
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa5361d198042e89 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:611
		delete process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7d184ca8e9104334 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:616
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '6';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #749974bb66fbb869 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:623
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = 'banana';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a45cf616d9c89ad Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:635
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2fd9179743bbe214 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:638
		process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS = '-4';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cb442f54904d4437 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:644
		process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #19f25a44bac23a77 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/builder-templates-service.test.ts:645
		process.env.N8N_INSTANCE_AI_TEMPLATES_URL = 'https://example.com/v2';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4d4808684f63780 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:171
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #84ac70723baafbf7 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:194
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9576a22a49298119 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/lazy-runtime-workspace.test.ts:210
		await lazyWorkspace.filesystem?.readFile('/workspace/report.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5955fa3978fba76 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:90
		delete process.env[LINK_WORKSPACE_SDK_ENV];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #295f7011c82c5e73 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:92
		process.env[LINK_WORKSPACE_SDK_ENV] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d0609396bf24d7e1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:227
		process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #547ee187fabe913b Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:229
		delete process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e44fad715c4fee2 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/sandbox-setup.test.ts:242
	const originalLinkSdk = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d3e5e8513a3833aa Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/scoped-workspace.test.ts:87
		await workspace.filesystem?.writeFile('src/workflow.ts', 'code', { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8385fd525dadeef2 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/scoped-workspace.test.ts:101
			workspace.filesystem?.readFile('/workspace/builders/agent-2/src/workflow.ts'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d88cda860625ac19 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:33
		await expect(readFile(join(stagingDir, 'skills/demo/SKILL.md'), 'utf-8')).resolves.toBe(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca4f3012e905629e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:37
			readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d14ad091ec655c02 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:52
		await expect(readFile(join(first.stagingDir, 'package.json'), 'utf-8')).resolves.toBe(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #957e668e3713a36e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:78
			readFile(join(results[0].stagingDir, 'skills/post-build-flow/SKILL.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02bd8d65ad82ac96 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-image-context.test.ts:81
			readFile(join(results[0].stagingDir, 'knowledge-base/templates/example.ts'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a3ff71a9e2e45855 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:162
			readFile(join(stagingDir, 'skills/data-table-manager/SKILL.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6944d4355d81fd9e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:165
			readFile(
				join(stagingDir, 'skills/data-table-manager/references/data-table-playbook.md'),
				'utf-8',
			),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2dbacea46d62dd00 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:171
			readFile(join(stagingDir, 'skills/registry.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cda1d453dea9b0f4 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:174
			readFile(join(stagingDir, 'skills/.manifest.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #144f7ef5cfc20926 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:177
			readFile(join(stagingDir, 'knowledge-base/best-practices/scheduling.md'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4d16bf28162f097b Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:180
			readFile(join(stagingDir, 'knowledge-base/best-practices/index.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1462c617b1ef2c7a Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/__tests__/snapshot-manager.test.ts:183
			readFile(join(stagingDir, 'knowledge-base/.manifest.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a93af6124619ea16 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:238
			const buffer = await fsp.readFile(archivePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f77227a7eb03303 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:281
			const raw = await fsp.readFile(path.join(this.cacheDir, ETAG_FILENAME), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45c9d584bcf005db Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:290
			const raw = await fsp.readFile(path.join(this.cacheDir, SHA256_FILENAME), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e8fc1eaddecf910 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:299
			const raw = (await fsp.readFile(path.join(this.cacheDir, CHANNEL_FILENAME), 'utf-8')).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5003ceac831a69c6 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:552
		await fsp.writeFile(tmp, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b770bde69c404083 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:592
	const url = process.env.N8N_INSTANCE_AI_TEMPLATES_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #114313d08b5a73f7 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:593
	const hoursRaw = process.env.N8N_INSTANCE_AI_TEMPLATES_REFRESH_HOURS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ab634ccf6048c00 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/builder-templates-service.ts:594
	const disabled = process.env.N8N_INSTANCE_AI_TEMPLATES_DISABLED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20f516279ffa5dbf Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/lazy-runtime-workspace.ts:225
		return await (await this.getFilesystem()).readFile(path, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea902ca992eb42b0 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/lazy-runtime-workspace.ts:229
		await (await this.getFilesystem()).writeFile(path, content, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #384fe2dddbc6d7e1 Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/pack-workspace-sdk.ts:45
	const v = process.env[ENV_FLAG];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b62f00e99ac5dc5 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/pack-workspace-sdk.ts:94
		const tarball = await readFile(tarballPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12248b9de6a8beda Environment-variable access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:125
	const linkFlag = process.env.N8N_INSTANCE_AI_SANDBOX_LINK_SDK;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #48395b6d98b00f0e Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:361
		await filesystem.writeFile(path, content, { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94b7963113f10409 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/sandbox-setup.ts:380
			const content = await filesystem.readFile(path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5aa13221ccfa7503 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/scoped-workspace.ts:75
		return await this.filesystem.readFile(resolvePath(this.root, path), options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76d133459dd48087 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/scoped-workspace.ts:79
		await this.filesystem.writeFile(resolvePath(this.root, path), content, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58fd03d760fb752f Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/snapshot-image-context.ts:39
		await writeFile(targetPath, content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b3a4dc9d5d19c30 Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/workspace-files.ts:43
			return decodeWorkspaceFileContent(await filesystem.readFile(filePath, { encoding: 'utf-8' }));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bde5763c226aa2c Filesystem access.
repo/packages/@n8n/instance-ai/src/workspace/workspace-files.ts:80
			await workspace.filesystem.writeFile(filePath, content, { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/cli

npm first-party
high pii_flow production #c2633023a88b6051 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/cli/src/client.ts:90 · flow /tmp/closeopen-eiu3royx/repo/packages/@n8n/cli/src/client.ts:49 → /tmp/closeopen-eiu3royx/repo/packages/@n8n/cli/src/client.ts:90
			response = await fetch(url.toString(), { method, headers, body });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 23 low-confidence finding(s)
low env_fs test-only #9c342d5f64d57085 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:25
		delete process.env.N8N_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #180a6d6067535177 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:26
		delete process.env.N8N_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f347191ccae9b92d Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:36
		process.env.N8N_URL = 'https://env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff6d5fa78ce6d00b Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:37
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9ec6d3916312f8f Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:49
		process.env.N8N_URL = 'https://env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13bb429ff07cc299 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:50
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d7cc33251b852e10 Environment-variable access.
repo/packages/@n8n/cli/src/__tests__/config.test.ts:88
		process.env.N8N_API_KEY = 'env_key';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bb4957ecfac9a56 Filesystem access.
repo/packages/@n8n/cli/src/base-command.ts:156
			return fs.readFileSync(0, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17818d2affaebe6c Filesystem access.
repo/packages/@n8n/cli/src/base-command.ts:159
			return fs.readFileSync(flags.file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02a70d96e4ca834c Filesystem access.
repo/packages/@n8n/cli/src/commands/package/export.ts:69
			fs.writeFileSync(flags.output, archive);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01013d34b05111ad Filesystem access.
repo/packages/@n8n/cli/src/commands/package/import.ts:68
			const buffer = fs.readFileSync(flags.file);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0428aa029dcff7e1 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:39
		const content = fs.readFileSync(skillSource, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b986bd3bba973f2 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:61
		fs.writeFileSync(targetFile, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e29fd94a6a1983f Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:77
			const existing = fs.readFileSync(targetFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c74c71e098545a7 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:82
			fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7975a76e5c5e924 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:85
			fs.writeFileSync(targetFile, stripped);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #964617a7154da7c6 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:95
			const existing = fs.readFileSync(targetFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d9a7c0ce3a90bc7 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:100
			fs.writeFileSync(targetFile, `${existing}\n\n${stripped}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1db38cc9bc13090 Filesystem access.
repo/packages/@n8n/cli/src/commands/skill/install.ts:103
			fs.writeFileSync(targetFile, stripped);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d6a1e36fc544ec9 Filesystem access.
repo/packages/@n8n/cli/src/config.ts:21
		const raw = fs.readFileSync(CONFIG_FILE, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c3516ef74eeb14 Filesystem access.
repo/packages/@n8n/cli/src/config.ts:30
	fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', {
		mode: 0o600,
	});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15b3dea5de3be0aa Environment-variable access.
repo/packages/@n8n/cli/src/config.ts:52
		url: flags.url ?? process.env.N8N_URL ?? config.url,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3449198577dbaac9 Environment-variable access.
repo/packages/@n8n/cli/src/config.ts:53
		apiKey: flags.apiKey ?? process.env.N8N_API_KEY ?? config.apiKey,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/computer-use

npm first-party
high pii_flow production #28617afae0013201 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/@n8n/computer-use/src/gateway-client.ts:302 · flow /tmp/closeopen-eiu3royx/repo/packages/@n8n/computer-use/src/gateway-client.ts:308 → /tmp/closeopen-eiu3royx/repo/packages/@n8n/computer-use/src/gateway-client.ts:302
		const response = await fetch(url, {
			method: 'POST',
			headers,
			body: JSON.stringify({
				rootPath: this.dir,
				tools,
				hostIdentifier: `${os.userInfo().username}@${os.hostname()}`,
				toolCategories: this.activeToolCategories,
			}),
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 37 low-confidence finding(s)
low env_fs production #f360d75fb357b3d0 Environment-variable access.
repo/packages/@n8n/computer-use/src/config.test.ts:102
		process.env.N8N_GATEWAY_ALLOWED_ORIGINS = 'https://from-env.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45496e087b2f7572 Environment-variable access.
repo/packages/@n8n/computer-use/src/config.ts:78
	return process.env[`${ENV_PREFIX}${name}`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #965c9ec6dd8984f8 Environment-variable access.
repo/packages/@n8n/computer-use/src/config.ts:167
	const logLevel = envString('LOG_LEVEL') ?? process.env.LOG_LEVEL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f06e613937120d30 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:44
		await fs.writeFile(path.join(dir, 'settings.json'), JSON.stringify(initial), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f8965efdd4e6c93 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:87
		await fs.writeFile(filePath, 'not-json', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b89f901360875d20 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:102
		const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b0425e1c674f64c Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:121
		await fs.writeFile(file, existing, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd5846cf89d5ffac Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:124
		const raw = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #768b4dade01f1302 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.test.ts:243
		const raw = await fs.readFile(path.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ffe25d264eaa88ad Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:107
		await fs.writeFile(filePath, JSON.stringify(initialSettings, null, 2), {
			encoding: 'utf-8',
			mode: 0o600,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #763db301874c5378 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:264
		await fs.writeFile(this.filePath, JSON.stringify(this.persistent, null, 2), {
			encoding: 'utf-8',
			mode: 0o600,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a91d5b576edd3f3 Filesystem access.
repo/packages/@n8n/computer-use/src/settings-store.ts:277
		const raw = await fs.readFile(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2dadd70949c6fa59 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:102
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51bf78545e2db7c3 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:123
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53faa2c2c2ffe1d3 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:137
		await fs.writeFile(file, existing, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a29485de85167c67 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:141
		const raw = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #790b7717aaf83f19 Filesystem access.
repo/packages/@n8n/computer-use/src/startup-config-cli.test.ts:150
		const raw = await fs.readFile(nodePath.join(tmpDir, '.n8n-gateway', 'settings.json'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ba8fe80ed363d33 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/edit-file.ts:38
		const content = await fs.readFile(resolvedReadablePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea02110187659697 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/edit-file.ts:44
		await fs.writeFile(resolvedWritablePath, content.replace(oldString, newString), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6acd8942ec81714e Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/read-file.ts:47
		const fileContent = await fs.readFile(resolvedPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8174c7fd19af1c7 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.test.ts:29
	await fs.writeFile(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #858c97dbe4b4d47f Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.test.ts:231
			await fs.writeFile(path.join(baseDir, 'binary.dat'), Buffer.from([0xff, 0xfe, 0xfd, 0xfc]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e66061b09cf1d0fc Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/search-files.ts:95
				const fileContent = await fs.readFile(fullPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afba20554651d263 Filesystem access.
repo/packages/@n8n/computer-use/src/tools/filesystem/write-file.ts:35
		await fs.writeFile(resolvedPath, content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4dc810e131e88363 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/index.ts:18
		if (process.env.WAYLAND_DISPLAY && !process.env.DISPLAY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64e43be8d482afe1 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:259
	const originalWaylandDisplay = process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf838e26dcc8e2a Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:260
	const originalDisplay = process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec3b68af377948f6 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:265
			delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fd5c4bf8c914dd8 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:267
			process.env.WAYLAND_DISPLAY = originalWaylandDisplay;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea615d4a05154156 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:270
			delete process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de02c09792329182 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:272
			process.env.DISPLAY = originalDisplay;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a82e28744a0a11ed Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:278
		process.env.WAYLAND_DISPLAY = 'wayland-0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1486d9ab2470f9f Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:279
		delete process.env.DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6953de2b3d30206a Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:287
		delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c95e5a5b313aaad2 Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:288
		process.env.DISPLAY = ':0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #33f1f9bacb5b25ab Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:297
		delete process.env.WAYLAND_DISPLAY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ff7c3486a3c2eba Environment-variable access.
repo/packages/@n8n/computer-use/src/tools/mouse-keyboard/mouse-keyboard.test.ts:298
		process.env.DISPLAY = ':0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/mcp-apps

npm first-party
medium telemetry production #cc509e6828df9e42 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:120
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDER_FAILED, {
			...getPreviewTelemetryPayload(),
			reason,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9207058d86f756b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:129
		telemetry.track(
			WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_RENDERED_SUCCESSFULLY,
			getPreviewTelemetryPayload(),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0572656bcc388e93 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:147
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.OPEN_IN_N8N_CLICKED, {
			...getPreviewTelemetryPayload(),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #473d0ac22b4153c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:193
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_COMPLETED, {
			...getPreviewToolCallTelemetryPayload(requestId),
			duration_ms: Math.max(0, Math.round(performance.now() - startedAt)),
			outcome,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2b5d028f5c3adf3d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:212
		telemetry.track(WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_CRASHED, {
			...getPreviewTelemetryPayload(),
			...(message ? { error_message: sanitizeTelemetryErrorMessage(message) } : {}),
			source: WORKFLOW_PREVIEW_CRASH_SOURCES.PREVIEW_IFRAME_ERROR,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #5c0a3464a13bf66b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/apps/workflow-preview/composables/use-workflow-preview.ts:234
		telemetry.track(
			WORKFLOW_PREVIEW_TELEMETRY_EVENTS.PREVIEW_TOOL_CALL_REQUESTED,
			getPreviewToolCallTelemetryPayload(requestId),
		);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bc26b57cd5f58e67 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/composables/use-mcp-app-crash-telemetry.ts:33
		telemetry.track(event, {
			app,
			...getMcpClientTelemetryProperties(hostVersion.value),
			error_message: sanitizeTelemetryErrorMessage(getErrorMessage(error)),
			source,
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #2882abdc4dced210 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/composables/use-mcp-app-telemetry.ts:48
			telemetry.track(events.renderFailed, {
				app,
				...getMcpClientTelemetryProperties(hostVersion.value),
				error_message: getConnectionErrorReason(connectionError.value),
				reason: renderFailedReason,
			});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fae98ddf822056ba Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:54
		telemetry.track('Test event', { boot_ms: 42 });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #0a8ea57c6f19e69f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:70
		telemetry.track('Test event', {
			apiKey: 'secret-api-key',
			error_message: 'Authorization: Bearer abc.def-ghi_jkl/mno=',
		});

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7fe60b1807085a63 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:93
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f9b6ec60b676f3c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:103
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6f5689eeb000bedb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:111
		telemetry.track('Test event');

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b42b49e1aa6b9664 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.test.ts:118
		telemetry.track('Test event', { reason: 'x' });

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #41801c5dc4082790 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/mcp-apps/src/telemetry/index.ts:88
			this.rudderStack?.track(
				event,
				{
					...sanitizedProperties,
					instance_id: this.config.instanceId,
					version_cli: this.config.versionCli,
				},
				// Send a fake IP so RudderStack does not capture the user's real one.
				{ context: { ip: '0.0.0.0' } },
			);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 2 low-confidence finding(s)
low env_fs production #4f2f95260977401e Filesystem access.
repo/packages/@n8n/mcp-apps/src/server/resource-loader.ts:35
	const html = await readFile(join(getPackageRoot(), 'dist', 'apps', fileName), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2750fda824bf18a Filesystem access.
repo/packages/@n8n/mcp-apps/src/server/sdk-version.test.ts:31
			const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8')) as PackageJson;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/agents

npm first-party
medium telemetry test-only #6a77e8f36d9a33e5 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:10
		tracker.track(inner);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #c4b7d64672aea397 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:34
		tracker.track(a);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #272caf25399e0698 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:35
		tracker.track(b);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #1cad28df0aababbf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:46
		tracker.track(rejected);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #e94a629424671d15 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:58
		tracker.track(inner);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry test-only #50d936b57ba1c309 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/__tests__/background-task-tracker.test.ts:67
		tracker.track(Promise.resolve());

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #70898bfc8667e744 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/loop/agent-runtime.ts:669
		this.backgroundTasks.track(titlePromise);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8a528c891dabffc9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/memory/memory-orchestrator.ts:373
		this.backgroundTasks.track(queued);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #f261df8b39861fd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/agents/src/runtime/memory/scoped-memory-task-runner.ts:130
		this.tracker.track(queued);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 92 low-confidence finding(s)
low env_fs test-only #747054182ebcb74c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/fixtures/generate-bulk-vector-fixture.ts:87
	if (!process.env.OPENAI_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9570856d095d7c22 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/fixtures/generate-bulk-vector-fixture.ts:139
	await writeFile(OUT_PATH, JSON.stringify(fixture));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #165f72920fc299c7 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-pinecone.test.ts:21
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #16bbbdbc5812a7b8 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-pinecone.test.ts:22
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7dc24bdc6d204e2d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-postgres.test.ts:20
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #342c53e48e034ded Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-postgres.test.ts:21
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b5f6a77e1ff1f2f2 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:18
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ac1a05e4a6db4aa8 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:19
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #616718241d03a2f3 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-qdrant.test.ts:20
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fe7f3c668b03fd6a Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:21
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a19f23f8d85b59b Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:22
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #90bbcb5121c3c264 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:23
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #346924b6c12ab855 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/agent-vector-store-supabase.test.ts:24
const hasKeys = Boolean(process.env.ANTHROPIC_API_KEY) && Boolean(process.env.OPENAI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #791ecb36fae38873 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/helpers.ts:24
		return Boolean(process.env[envVar]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f995733d25a6336d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/helpers.ts:26
	const isReplayMode = Boolean(process.env.CI);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9338fed06fc4b258 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/pg-vector-store.test.ts:14
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c001fc9670108b85 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/pinecone-vector-store.test.ts:17
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #858c67c3fdabd2d2 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/qdrant-vector-store.test.ts:14
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4077c0e7a0039e06 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/qdrant-vector-store.test.ts:15
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2692ded3d7899cb5 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:22
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #91ed36d688c26ac8 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:23
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1809394c0f888f4a Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/supabase-vector-store.test.ts:24
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6101e428961b5a4d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:36
		previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5abec74e3ea05182 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:37
		process.env.LANGCHAIN_TRACING_V2 = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4f0186cfcb8023b Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:68
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a0b5b451ee39bd1d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/telemetry-langsmith.test.ts:70
			process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #100076ad5b169cc1 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vcr.ts:13
export const IS_RECORD_MODE = process.env.VCR_MODE === 'record';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6e7cde18dcfbbe16 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vcr.ts:19
export const IS_REPLAY_MODE = Boolean(process.env.CI);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37faada5df045d4f Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-pinecone.test.ts:21
const PINECONE_API_KEY = process.env.PINECONE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1f4b4047a58407fc Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-postgres.test.ts:20
const PG_URL = process.env.PG_VECTOR_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3de8797c6428a3f4 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-qdrant.test.ts:19
const QDRANT_URL = process.env.QDRANT_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #538cce096510d16e Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-qdrant.test.ts:20
const QDRANT_API_KEY = process.env.QDRANT_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4deb17726a87fc73 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:22
const SUPABASE_URL = process.env.SUPABASE_TEST_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b3eb41a20ea6726c Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:23
const SUPABASE_API_KEY = process.env.SUPABASE_TEST_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #21a576147e9feb7e Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-bulk-supabase.test.ts:24
const SUPABASE_DB_URL = process.env.SUPABASE_TEST_DB_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a14c3957d66cdc6 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/vector-store-helpers.ts:43
		readFileSync(path.resolve(__dirname, '../fixtures/bulk-vector-fixture.json'), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64694a0eb257fe00 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:113
		await memFs.writeFile('/project/index.ts', 'console.log("hello")');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ee9adb51237fefd7 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:114
		await memFs.writeFile('/project/README.md', '# Project');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d28bea2e3bd058fd Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:176
		await memFs.writeFile('/data.json', '{"key": "value", "count": 42}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f1367d9b489eb7e Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:206
		await memFs.writeFile('/project/source.txt', 'alpha');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9f7a5938613d3aa Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:207
		await memFs.writeFile('/project/remove-me/old.txt', 'remove this');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #02138f133e4bdce2 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/integration/workspace-agent.test.ts:296
		await memFs.writeFile(
			'/project/config.ts',
			[
				'export const region = "OLD_REGION";',
				'export const owner = "OLD_OWNER";',
				'export const status = "OLD_STATUS";',
			].join('\n'),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2e2bd55b64a05274 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:76
	const previousTracingV2 = process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e8da46291a245d07 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:89
		delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc97a7a8e501347d Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:94
			delete process.env.LANGCHAIN_TRACING_V2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a5e2e3b1bd8c438 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:96
			process.env.LANGCHAIN_TRACING_V2 = previousTracingV2;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8cda2abddad7ab7 Environment-variable access.
repo/packages/@n8n/agents/src/__tests__/langsmith-telemetry.test.ts:132
		expect(process.env.LANGCHAIN_TRACING_V2).toBe('true');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #663eafab45558ae7 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/base-filesystem.test.ts:211
			const content = await fs.readFile('/test');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ce853adae57d247 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/base-filesystem.test.ts:221
			await expect(fs.readFile('/test')).rejects.toThrow();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0a5851d40093dd11 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/daytona-sandbox.test.ts:549
		await expect(filesystem.readFile('/workspace/file.txt')).resolves.toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #67e076d709384ab7 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/n8n-sandbox-filesystem.test.ts:62
		await filesystem.writeFile('/workspace/nested/file.txt', 'hello', { recursive: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #750f21d34f6c33b5 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/sandbox/n8n-sandbox-filesystem.test.ts:76
		const content = await filesystem.readFile('/workspace/file.txt', { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ebbdb77c73cdbcaa Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/test-utils.ts:93
		const content = await this.readFile(src);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ad9896b373c0e7f Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/test-utils.ts:94
		await this.writeFile(dest, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #670d1afbcbae21b6 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:215
			await memFs.writeFile('/log.txt', 'line1\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #010fd4055dbac8ad Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:218
			const content = await memFs.readFile('/log.txt', { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1aad2ff083756027 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:223
			await memFs.writeFile('/original.txt', 'original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63414b10bb15405a Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:226
			expect(await memFs.readFile('/copy.txt', { encoding: 'utf-8' })).toBe('original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #956d6920d75968c2 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:230
			expect(await memFs.readFile('/moved.txt', { encoding: 'utf-8' })).toBe('original');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #917320169f9dd364 Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:235
			await memFs.writeFile('/deep/nested/file.txt', 'data');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #173668dfda090e9d Filesystem access.
repo/packages/@n8n/agents/src/__tests__/workspace/workspace-integration.test.ts:244
			await expect(memFs.readFile('/nonexistent')).rejects.toThrow('ENOENT');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c55e0c0dd7c9d9e4 Environment-variable access.
repo/packages/@n8n/agents/src/integrations/langsmith.ts:361
		process.env.LANGCHAIN_TRACING_V2 ??= 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8ea9d9f05ba6ca71 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:195
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4f1d0cb662f06086 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:196
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f794e262d55a2ca9 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:282
		process.env.HTTPS_PROXY = 'http://proxy:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5988b36d87f41c81 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:289
		process.env.HTTP_PROXY = 'http://proxy:9090';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1d0c0a5419e5037a Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:308
		process.env.HTTPS_PROXY = 'http://https-proxy:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #572c003d0901a81e Environment-variable access.
repo/packages/@n8n/agents/src/runtime/__tests__/model-factory.test.ts:309
		process.env.HTTP_PROXY = 'http://http-proxy:9090';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c60975533570e47 Environment-variable access.
repo/packages/@n8n/agents/src/runtime/model/model-factory.ts:40
	const proxyUrl = process.env.HTTPS_PROXY ?? process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #b4ff2fdf7c3fad93 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/agents/src/sdk/catalog.ts:129
	const response = await fetch(MODELS_DEV_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #31fe4ac39231cc48 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:1
import { mkdtempSync, mkdirSync, rmSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c93153825981d10 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:277
			writeFileSync(
				join(skillDir, 'SKILL.md'),
				`---
name: workflow-builder
description: Build workflows.
---

Use the workflow SDK.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f66c47ad67d2b208 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:286
			writeFileSync(join(skillDir, 'references', 'guide.md'), 'Guide text');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #be933bf07583f292 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:287
			writeFileSync(join(skillDir, 'examples', 'slack.workflow.ts'), 'export default {};');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7c0dbaebc821321 Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:329
			writeFileSync(
				join(intentSkillDir, 'SKILL.md'),
				`---
name: intent-recognition
description: Classify intent.
---

Classify automation intent.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cd2016af32b27a8f Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:338
			writeFileSync(join(intentSkillDir, 'references', 'taxonomy.md'), 'Taxonomy text');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #067da6e7a540f74c Filesystem access.
repo/packages/@n8n/agents/src/skills/__tests__/runtime-skills.test.ts:339
			writeFileSync(
				join(workflowSkillDir, 'SKILL.md'),
				`---
name: workflow-builder
description: Build workflows.
---

Use the workflow SDK.`,
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e0701973ce6fc4b Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:3
import { existsSync, lstatSync, readdirSync, readFileSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd002c31f6861ca3 Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:115
				content: readFileSync(join(skill.directory, normalizedPath), 'utf-8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8853c4172bcd346d Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:131
		const content = readFileSync(skillPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b68d363da20f930 Filesystem access.
repo/packages/@n8n/agents/src/skills/registry.ts:317
			sha256: createHash('sha256').update(readFileSync(abs)).digest('hex'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #242edede43463cfd Filesystem access.
repo/packages/@n8n/agents/src/workspace/filesystem/n8n-sandbox-filesystem.ts:49
		const content = await client.readFile(sandboxId, path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dcea62828655fd1 Filesystem access.
repo/packages/@n8n/agents/src/workspace/filesystem/n8n-sandbox-filesystem.ts:65
		await client.writeFile(sandboxId, path, content, options?.overwrite ?? true);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9b20c91cf5b1894 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/batch-str-replace-file.ts:61
				const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e5f8fc911bab105 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/batch-str-replace-file.ts:74
				await filesystem.writeFile(input.path, editedContent, { overwrite: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b7b79e5cb8ce417 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/read-file.ts:22
			const content = await filesystem.readFile(input.path, {
				encoding: (input.encoding ?? 'utf-8') as BufferEncoding,
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb6aa04fd729cac5 Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/str-replace-file.ts:38
				const content = await filesystem.readFile(input.path, { encoding: 'utf-8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fba0f061ba6e099e Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/str-replace-file.ts:51
				await filesystem.writeFile(input.path, editedContent, { overwrite: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db8c69cc746ed6fd Filesystem access.
repo/packages/@n8n/agents/src/workspace/tools/write-file.ts:26
			await filesystem.writeFile(input.path, input.content, { recursive: input.recursive });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c06ede9e7f68d2d Filesystem access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:11
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeac56199be75143 Environment-variable access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:174
	process.env.OPENAI_API_KEY = 'sk-proj-1234567890';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c32e0046812bd53 Environment-variable access.
repo/packages/@n8n/agents/vitest.integration.setup.ts:175
	process.env.ANTHROPIC_API_KEY = 'sk-proj-1234567890';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/errors

npm first-party
medium telemetry production #683be0a2eb2b8e89 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/errors/src/application.error.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #fd0d612a0765ae49 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/errors/src/types.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

first-party (npm): packages/@n8n/task-runner

npm first-party
medium telemetry test-only #285143b27321a4b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/task-runner/src/__tests__/task-runner-sentry.test.ts:1
import type { ErrorEvent } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #3f1cc309f0347672 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/task-runner/src/task-runner-sentry.ts:2
import type { ErrorEvent, Exception } from '@sentry/core';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 6 low-confidence finding(s)
low env_fs test-only #98bfd573ac899a2f Environment-variable access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts:508
				process.env.N8N_RUNNERS_TASK_BROKER_URI = 'http://127.0.0.1:5679';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27e59285c678ef2a Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts:1098
		const packageJson = JSON.parse(fs.readFileSync('package.json', 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #044028df866d86e9 Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/require-resolver-global-modules.test.ts:39
		fs.writeFileSync(
			scriptPath,
			`const Module = require("module");
if (process.env.NODE_PATH) { Module._initPaths(); }
try {
  require("${packageName}");
  console.log(JSON.stringify({ success: true }));
} catch (e) {
  console.log(JSON.stringify({ success: false, error: e.message }));
}`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aae3672bcf943e3d Filesystem access.
repo/packages/@n8n/task-runner/src/js-task-runner/__tests__/require-resolver-global-modules.test.ts:51
		fs.writeFileSync(
			scriptNoInitPath,
			`process.env.NODE_PATH = "${nodeModulesPath}";
try {
  require("${packageName}");
  console.log(JSON.stringify({ success: true }));
} catch (e) {
  console.log(JSON.stringify({ success: false, error: e.message }));
}`,
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a6ff41a6d329c87 Environment-variable access.
repo/packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts:193
		if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15333aa1e7d1a3fe Environment-variable access.
repo/packages/@n8n/task-runner/src/start.ts:14
if (process.env.NODE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/nodes-langchain

npm first-party
medium telemetry production #e54a5f2befaf4f4c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:32
	temp.track();

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 9 low-confidence finding(s)
low env_fs production #30c7a43ddda13268 Filesystem access.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ab1946c594164c6 Filesystem access.
repo/packages/@n8n/nodes-langchain/nodes/agents/Agent/agents/SqlAgent/other/handlers/sqlite.ts:35
	fs.writeFileSync(tempDbPath, bufferString);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #6f5361fe86b6a106 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:304
			const url = new URL('https://my-mcp-endpoint.ai/sse');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #2445ad2f7559cf86 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:356
			const url = new URL('https://my-mcp-endpoint.ai/sse');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #6cc6bbca51da08cd Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/nodes-langchain/nodes/mcp/McpClientTool/__test__/McpClientTool.node.test.ts:2036
			await expect(customFetch!(new URL('https://allowed.example/sse'), {} as any)).rejects.toThrow(

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #4382795a78513955 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/__tests__/microsoft-utils.test.ts:573
			process.env.ENABLE_OBSERVABILITY = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2bd83a57478106e1 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/__tests__/microsoft-utils.test.ts:574
			process.env.ENABLE_A365_OBSERVABILITY_EXPORTER = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1445fef34df67531 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/microsoft-utils.ts:334
		process.env.ENABLE_OBSERVABILITY === 'true' &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbce064330e16b69 Environment-variable access.
repo/packages/@n8n/nodes-langchain/nodes/vendors/Microsoft/microsoft-utils.ts:335
		process.env.ENABLE_A365_OBSERVABILITY_EXPORTER === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/workflow

npm first-party
medium telemetry production #aeec37e4013e3c03 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/workflow/src/errors/base/base.error.ts:1
import type { Event } from '@sentry/node';

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 4 low-confidence finding(s)
low env_fs production #ed21ac32a6b34890 Environment-variable access.
repo/packages/workflow/src/expression.ts:552
						env: process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false' ? {} : process.env,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82172974ba2165f0 Filesystem access.
repo/packages/workflow/src/interfaces.ts:7
import type { PathLike } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09f2019e4a107f39 Environment-variable access.
repo/packages/workflow/src/workflow-data-proxy-env-provider.ts:16
		? process.env.N8N_BLOCK_ENV_ACCESS_IN_NODE !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac06ef41c5ec26d0 Environment-variable access.
repo/packages/workflow/stryker.config.mjs:30
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/ai-utilities

npm first-party
expand_more 61 low-confidence finding(s)
low env_fs production #20fa10f5e49b4895 Environment-variable access.
repo/packages/@n8n/ai-utilities/integration-tests/openai.ts:136
			if (process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5068b43c38be4aae Filesystem access.
repo/packages/@n8n/ai-utilities/scripts/copy-tokenizer-json.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #61c89edb0e74851d Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/follow-redirects.test.ts:149
		const url = new URL('https://example.com');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #bff5e5e76675e22f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:27
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2eb214a3560515b8 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:28
		delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9f628fe00aa8a89c Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:29
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fb08aeaa217b899 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:30
		delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #66efc2b44da4bb41 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:31
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd38793784583d74 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:32
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76cdadbf97fd7a71 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:33
		delete process.env.N8N_AI_TIMEOUT_MAX;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2cbc4d555e870af0 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:59
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fad8d864d278fe1d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:76
			process.env.https_proxy = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bb7f6b9a5afec6e7 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:89
			process.env.HTTP_PROXY = 'http://http-proxy.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9d786c7b5080c9d5 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:90
			process.env.http_proxy = 'http://http-proxy-lowercase.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f03998e77f12a096 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:91
			process.env.HTTPS_PROXY = 'https://https-proxy.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89b2f8ffb53a053f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:92
			process.env.https_proxy = 'https://https-proxy-lowercase.example.com:8080';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2913b4e8cfd112bb Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:108
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fcea3830461a22a Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:117
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ece9599f42fe9ad4 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:127
			process.env.HTTP_PROXY = httpProxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e41f5ada67233ab5 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:128
			process.env.HTTPS_PROXY = httpsProxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24adf1ef874553e5 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:137
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41894b6afef71b9d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:138
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #86d2008e56f28b6d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:148
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6d10d6ca32a45696 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:149
			process.env.NO_PROXY = '*.internal.company.com,localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #071ebcbf10fc2adb Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:159
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #616162128bee5ac7 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:160
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #23266c4442bcf8cb Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:169
			process.env.https_proxy = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #03634ac70fbd45c8 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:170
			process.env.no_proxy = 'localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #779e95bd90ab5e71 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:181
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6bfdd460ff876705 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:235
			process.env.N8N_AI_TIMEOUT_MAX = '300000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6aebfdeec046dc7f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:259
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8dd7109a1e7f550f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:260
		delete process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f5ff9877eeb40be9 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:261
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d71170675dbb4f93 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:262
		delete process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bbe7554ff5f3dd5d Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:263
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #37e65244de92ce77 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:264
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #11095c94bccf6bb7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:318
			const url = new URL('https://api.openai.com/v1');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #a690c30f350580be Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:343
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0f906a334a6ba734 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:356
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2643ff7016bf8c9f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:375
			process.env.HTTP_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #8b449f7b4e8f926a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:377
			const url = new URL('http://api.example.com/data');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #4771e39a6bc4e1ba Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:388
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #27b4f67d07ae6834 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:401
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #af99cc7f7654eb4c Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:402
			process.env.NO_PROXY = 'localhost,127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6a365ef1e08b5d31 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/http-proxy-agent.test.ts:415
			process.env.HTTPS_PROXY = proxyUrl;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea1d0c9174c0586b Filesystem access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/n8n-binary-loader.real-pdf.test.ts:31
		const pdfBuffer = readFileSync(
			join(__dirname, '../../../../../nodes-base/nodes/ReadPdf/test/sample.pdf'),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c39111b1498e15ba Filesystem access.
repo/packages/@n8n/ai-utilities/src/__tests__/utils/tokenizer/tiktoken.test.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f0a340558f1fd1c Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:14
		writeFileSync(join(setDir, 'mode_manual.ts'), '// manual mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8fd4c5aec936bdb6 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:15
		writeFileSync(join(setDir, 'mode_raw.ts'), '// raw mode def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d93b54f4f91102ff Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:19
		writeFileSync(join(msgDir, 'operation_post.ts'), '// slack post def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76704701f53b0b9c Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/__tests__/get-node-type-definition.test.ts:20
		writeFileSync(join(msgDir, 'operation_update.ts'), '// slack update def');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #901d953557fb31a3 Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/get.ts:531
				(variant) => `// ── mode: ${variant.mode} ──\n${readFileSync(variant.filePath, 'utf-8')}`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcf09b56efa4221b Filesystem access.
repo/packages/@n8n/ai-utilities/src/node-catalog/get.ts:555
		const content = readFileSync(pathResult.filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9ca6f42b7951276 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/http-proxy-agent.ts:37
const DEFAULT_TIMEOUT = parseInt(process.env.N8N_AI_TIMEOUT_MAX ?? '3600000', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62a35fdb521e6d4d Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/n8n-binary-loader.ts:8
import { createWriteStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29cd9f21b1a3d512 Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/tokenizer/tiktoken.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f877ec80c9b84d48 Filesystem access.
repo/packages/@n8n/ai-utilities/src/utils/tokenizer/tiktoken.ts:11
	const content = await readFile(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70f3171d036bf2c5 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:13
	if (process.env.N8N_VECTOR_STORE_MAX_MEMORY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #868bc68d77a77f7f Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:14
		const parsed = parseInt(process.env.N8N_VECTOR_STORE_MAX_MEMORY, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40f69d13fed9610b Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:22
	if (process.env.N8N_VECTOR_STORE_TTL_HOURS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a2dd0b8f7cf1758 Environment-variable access.
repo/packages/@n8n/ai-utilities/src/utils/vector-store/MemoryManager/config.ts:23
		const parsed = parseInt(process.env.N8N_VECTOR_STORE_TTL_HOURS, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/ai-workflow-builder.ee

npm first-party
expand_more 66 low-confidence finding(s)
low env_fs test-only #7e7aa81ef8782b61 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/cli.test.ts:403
				delete process.env.LANGSMITH_DATASET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c269c643c1f88d96 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/csv-prompt-loader.test.ts:18
		fs.writeFileSync(csvPath, content, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #721e9b2962f87754 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:5
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6383f96422c4ac6d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:157
			expect(fs.readFileSync(promptPath, 'utf-8')).toBe('Create a test workflow');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2a4f2ffc3e3c5ec0 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:170
			const workflow = jsonParse<ParsedWorkflow>(fs.readFileSync(workflowPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8489f4e772419da3 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:186
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #bd008fb8ab996f64 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:200
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e5a09cea53414f84 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:222
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74d6f8c6d7085320 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:242
			expect(fs.readFileSync(errorPath, 'utf-8')).toBe('Generation failed: timeout');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6ebbebfbcbbd133d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:271
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cc2ab4aa3a449369 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:288
			const feedback = jsonParse<ParsedFeedback>(fs.readFileSync(feedbackPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a03ae46c90ee6de Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:321
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f1e3b7e3fad3258 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:333
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #35950850a6e2b3c7 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:346
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9ab4ec1eb023f4c8 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:361
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #29fbda347cf45366 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/__tests__/output.test.ts:388
			const savedSummary = jsonParse<ParsedSummary>(fs.readFileSync(summaryPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21788c9dd344c2ce Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/argument-parser.ts:602
	return process.env.LANGSMITH_DATASET_NAME ?? 'workflow-builder-canvas-prompts';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b3c4dd7d949301b Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:27
	const isCI = process.env.GITHUB_ACTIONS === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25297dddde7a460c Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:35
		trigger: process.env.GITHUB_EVENT_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c104be90ed23ae0e Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/ci-metadata.ts:36
		runId: process.env.GITHUB_RUN_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aef2e5b129a54eda Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/cli/csv-prompt-loader.ts:49
	const rows = parseCsv(readFileSync(resolvedPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9fceca60c5158150 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:71
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #925e6d85a082da45 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:112
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a5a52ab785a20b7 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:187
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #43545cadeed9bba5 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:212
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c2871bab162bbc2b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:267
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #532ec7cd7edbe44e Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:322
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f17f4c814ff9a39 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:363
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5b0dae12c3c9576f Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:392
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #abc10382e51b5fc9 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/__tests__/csv-writer.test.ts:429
		const content = readFileSync(outputPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39281f489c83a913 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/csv-writer.ts:254
		writeFileSync(outputPath, '', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96056144455585d6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/csv-writer.ts:306
	writeFileSync(outputPath, lines.join('\n') + '\n', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bedcaab70580ae5 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:8
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2a4001f1d7d223b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:67
			fs.writeFileSync(path.join(exampleDir, 'prompt.txt'), result.prompt, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98fbefcf4d949de4 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:72
				fs.writeFileSync(
					path.join(exampleDir, 'workflow.json'),
					JSON.stringify(workflowForExport, null, 2),
					'utf-8',
				);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50eced2c3194b4c7 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:81
				fs.writeFileSync(path.join(exampleDir, 'code.ts'), result.generatedCode, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fce95cd7b439c0f1 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:86
				fs.writeFileSync(path.join(exampleDir, 'response.txt'), result.agentTextResponse, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23f8654bdaa1a257 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:91
			fs.writeFileSync(
				path.join(exampleDir, 'feedback.json'),
				JSON.stringify(feedbackOutput, null, 2),
				'utf-8',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea7b15da4a4c2c16 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:99
				fs.writeFileSync(path.join(exampleDir, 'error.txt'), result.error, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #999e3456a38f506e Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/output.ts:107
			fs.writeFileSync(
				path.join(outputDir, 'summary.json'),
				JSON.stringify(summaryOutput, null, 2),
				'utf-8',
			);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76d575196aa23f8b Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/harness/runner.ts:1362
	process.env.LANGSMITH_TRACING = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c2984ff694eea29 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/langsmith/trace-filters.ts:154
	const envValue = process.env.LANGSMITH_MINIMAL_TRACING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f60134e5daeaed75 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/lifecycles/introspection-analysis.ts:63
				await fs.writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ba0866282ce8943 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/evaluators/workflow-similarity.ts:111
			writeFile(generatedPath, JSON.stringify(generatedWorkflow)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0dbf60f8d7fd233 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/programmatic/evaluators/workflow-similarity.ts:112
			writeFile(groundTruthPath, JSON.stringify(groundTruthWorkflow)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fd42502f4b3827b Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:4
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32509767bc542a75 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:87
	const apiKey = process.env[envVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f0e44144ebb3012 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:151
	const apiKey = process.env.LANGSMITH_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f852105acb9adec Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:308
	const envConcurrency = process.env.EVALUATION_CONCURRENCY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff45aad3248e50be Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:323
	return process.env.GENERATE_TEST_CASES === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ef9ac78b7c2a7db Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/environment.ts:331
	const envCount = process.env.GENERATE_TEST_CASES_COUNT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #195c9b54e8adf413 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.test.ts:1
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #189eb604f5aede6d Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:1
import { readFileSync, existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d7ae2413fb88f92 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:20
	const disabledNodesEnv = process.env.N8N_EVALS_DISABLED_NODES ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #261f459e89865ba8 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/load-nodes.ts:72
	const nodesData = readFileSync(nodesPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e170e55d9514eb6 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/pin-data-generator.ts:11
import { existsSync, readFileSync, readdirSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c8a4d46dc4739e1 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/pin-data-generator.ts:143
							const content = readFileSync(join(entryPath, nodeFile), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9b7993b78a8273e Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/evaluations/support/pin-data-generator.ts:218
				return JSON.parse(readFileSync(schemaFile, 'utf-8')) as Record<string, unknown>;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2feeebda304eb8a9 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:3
import { writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bffb8a28f8316106 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:31
	const parsedConcurrency = parseInt(process.env.CONCURRENCY ?? '', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3c7b2500ccbd6f0 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/categorize-prompts.ts:154
	writeFileSync(summaryPath, summaryLines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91ce33754fbfe34e Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:3
import { readFileSync, writeFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e667bed4bdb7e354 Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:132
	const content = readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56df24eaad6ec3ad Filesystem access.
repo/packages/@n8n/ai-workflow-builder.ee/scripts/workflow-to-mermaid.ts:204
		writeFileSync(outputFile, markdownContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5126cde9f642d72c Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/src/ai-workflow-builder-agent.service.ts:146
			const envConfig = { apiKey: process.env.N8N_AI_ANTHROPIC_KEY ?? '' };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f7b9b84bef93e85 Environment-variable access.
repo/packages/@n8n/ai-workflow-builder.ee/src/tools/add-node.tool.ts:165
				if (process.env.E2E_TESTS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/api-types

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #19826741bc75c06d Environment-variable access.
repo/packages/@n8n/api-types/src/schemas/password.schema.ts:6
const envMinLength = parseInt(process.env.N8N_PASSWORD_MIN_LENGTH ?? '', 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-common

npm first-party
expand_more 13 low-confidence finding(s)
low env_fs test-only #6a18d901684aacb4 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:528
			delete process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74c3fd0374dcc21f Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:564
			process.env.NO_COLOR = '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c85ecf795105e820 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/__tests__/logger.test.ts:590
			delete process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bec0f9aa4e1ca01 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/logger.ts:35
	private readonly noColor = process.env.NO_COLOR !== undefined && process.env.NO_COLOR !== '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b41cf76c6de225b8 Environment-variable access.
repo/packages/@n8n/backend-common/src/logging/logger.ts:39
		process.env.NO_COLOR !== 'false' && process.env.NO_COLOR !== '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f3488297e061aa4e Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:22
		process.env.N8N_DISABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #536434ee774a7457 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:55
		process.env.N8N_ENABLED_MODULES = 'instance-ai';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7ff47a6fec91b1c8 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:90
		process.env.N8N_ENABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9007814f85605bf0 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/module-registry.test.ts:91
		process.env.N8N_DISABLED_MODULES = 'insights';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1929e99365fa844d Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/modules.config.test.ts:13
	process.env.N8N_ENABLED_MODULES = 'insights,invalidModule';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e791861926ec5476 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/__tests__/modules.config.test.ts:18
	process.env.N8N_DISABLED_MODULES = 'insights,invalidModule';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71834ff209a8e00c Filesystem access.
repo/packages/@n8n/backend-common/src/modules/module-registry.ts:5
import { existsSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #494de31760114c66 Environment-variable access.
repo/packages/@n8n/backend-common/src/modules/module-registry.ts:96
			const dir = process.env.NODE_ENV === 'test' && srcDirExists ? 'src' : 'dist';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-network

npm first-party
expand_more 116 low-confidence finding(s)
low env_fs test-only #ecb481fb7a249c91 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:98
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1fa70ac1f33645d5 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:99
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #785d5e2588f17a31 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:100
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e14a0cc4c64e491c Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:101
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3955dee9f8544529 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:216
		if (env.HTTP_PROXY) process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0bed57ffdc1a6a7e Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:217
		if (env.HTTPS_PROXY) process.env.HTTPS_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b8174ca1dee21498 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:218
		if (env.ALL_PROXY === true) process.env.ALL_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #049696c99aabbe9a Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:219
		if (env.ALL_PROXY && env.ALL_PROXY !== true) process.env.ALL_PROXY = env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17d05cdf0cf3d4b1 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:220
		if (env.NO_PROXY) process.env.NO_PROXY = env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a4f86abc94a8968 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:240
			process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #52c858f9b5276acf Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/http-proxy.test.ts:256
			process.env.HTTP_PROXY = proxyServer.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress test-only #56d212fa56aa5ced Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/backend-network/src/http/__tests__/legacy-request.test.ts:227
			expect(validateUrl).toHaveBeenCalledWith(new URL(`${baseUrl}/ok`));

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress test-only #448246cc3989770a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/@n8n/backend-network/src/http/__tests__/outbound-http.test.ts:71
		const url = new URL('https://api.example.com/data');

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs test-only #e643fd482e54f583 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:61
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c14e4922ab990c93 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:62
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #df5b074e4ad622d6 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:63
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7dbbd622cb4e39e5 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:64
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #358816f250dfdf40 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:86
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d1c8315e013e21a7 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:111
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #72cb093c66ad9efc Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:112
			process.env.NO_PROXY = '127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8c34f8a9e560b8a6 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:146
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #88f9f7eb5c0e9232 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-integration.test.ts:172
			process.env.HTTP_PROXY = proxy.url;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1609a58f8f2d45a9 Filesystem access.
repo/packages/@n8n/backend-network/src/http/__tests__/transport-subpath-purity.test.ts:69
		const source = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c94827a42bc2e1b6 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:75
			savedEnv[key] = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e6b39d47ac05f95a Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:79
		process.env.HTTP_PROXY = 'http://127.0.0.1:1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2d4b477d44d7a480 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:80
		process.env.HTTPS_PROXY = 'http://127.0.0.1:1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75b693d515a9deb4 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:81
		process.env.NO_PROXY = '127.0.0.1,localhost';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #44fee08e4c26d37d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:89
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #adb35308a180a60d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/ssrf-redirect.test.ts:91
				process.env[key] = savedEnv[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #54832e9c0cf581d9 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:577
			if (isProxyVar(key)) delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #83f1a4226eb5812d Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:598
		process.env.HTTPS_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #58ffb2a95be33d67 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:603
		process.env.HTTP_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b551ce54471556e7 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:608
		process.env.HTTP_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f965d66391e44e8b Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:613
		process.env.HTTP_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #108f5827f4c58201 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/axios/__tests__/utils.test.ts:614
		process.env.HTTPS_PROXY = 'http://env-proxy:3128';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53e3c451d41040e5 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:12
			HTTP_PROXY: process.env.HTTP_PROXY ?? process.env.http_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a136e7e205d832ef Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:13
			HTTPS_PROXY: process.env.HTTPS_PROXY ?? process.env.https_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50f532a1d3a62e95 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:14
			NO_PROXY: process.env.NO_PROXY ?? process.env.no_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e51f22ea3ed7b0e9 Environment-variable access.
repo/packages/@n8n/backend-network/src/http/http-proxy.ts:15
			ALL_PROXY: process.env.ALL_PROXY ?? process.env.all_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eeacfbf9113bb71d Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:6
	const originalNoProxy = process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #13bf7b3c8610ed26 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:7
	const originalNoProxyLower = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #47cdb3d0343fa072 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:11
			delete process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #107e64c15bc617a6 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:13
			process.env[name] = value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #10de5028c07f9a75 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:20
		delete process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0460f6e243f9cc19 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:33
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #75b2d2f3e61237d3 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:37
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #34d723c54e482e11 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:40
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #afd6915488e95492 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:44
		process.env.NO_PROXY = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2fc66ea8942081b3 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:48
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #82fd058dd78c62d6 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:51
		expect(process.env.NO_PROXY).toBe('');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #69139227034a829c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:55
		process.env.NO_PROXY = 'example.com,internal.net';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9175c3d8b9f57ac7 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:59
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com,internal.net');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7308f4f623ddef11 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:62
		expect(process.env.NO_PROXY).toBe('example.com,internal.net');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e7d42a1fd29d68cc Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:66
		process.env.NO_PROXY = '127.0.0.1, localhost, example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #31735d0fffbc2f1c Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:70
		expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #76ab35e4fc564512 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:73
		expect(process.env.NO_PROXY).toBe('127.0.0.1, localhost, example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07bca445251dbb7f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:77
		process.env.NO_PROXY = '127.0.0.1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b61e96f9ae5140c3 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:81
		expect(process.env.NO_PROXY).toBe('localhost,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4a10ba257a4e5308 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:84
		expect(process.env.NO_PROXY).toBe('127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f9f852ec38e78606 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:88
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #45b678c4aeee0447 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:93
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ca73e668d88ce666 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:94
		expect(process.env.no_proxy).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2c62d0156c2c5884 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:97
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #12a1cea3e22cdea8 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:98
		expect(process.env.no_proxy).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8e91141cb73538a5 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:102
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6f0d27b259668d9f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:103
		process.env.no_proxy = 'internal.lan';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2b0bfbc3d1364a89 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:108
		expect(process.env.no_proxy).toBe('127.0.0.1,localhost,internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #aa80f4a0334e3c4e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:109
		expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ea2e9e7c82056685 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:112
		expect(process.env.no_proxy).toBe('internal.lan');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a090d377ac0e7ccb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:113
		expect(process.env.NO_PROXY).toBeUndefined();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #4c70c232a4b01ae8 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:117
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #348d2faa6a2ec21d Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:127
			process.env.NO_PROXY = 'example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #07b545f62463ea47 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:130
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #846e81e582459869 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:135
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #65e566801cc2f94d Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:139
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3e7de607798f3433 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:143
			expect(process.env.NO_PROXY).toBe('example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #473c2779b976a6eb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:147
			process.env.NO_PROXY = 'example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #96db3ac4bf2f214f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:154
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c7415eaacba38832 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:157
			expect(process.env.NO_PROXY).toBe('example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #53831a65a7312407 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:161
			delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c13d646c576aa2be Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:164
			expect(process.env.NO_PROXY).toBe('127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a5ca800e214fd9da Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:167
			expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #20b8bd7fd69f927f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:171
			expect(process.env.NO_PROXY).toBe('example.internal,127.0.0.1');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #1850dc2cfbb5d75a Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:178
			delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #77011da676b924d8 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:182
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5a5b9b4b7f72a5b1 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:185
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #64a34b964ad9bc7f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:192
			process.env.NO_PROXY = 'first.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #adb7f206196ede37 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:195
			expect(process.env.NO_PROXY).toBe('first.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9213d1fa645dadb Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:199
			process.env.NO_PROXY = 'second.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #480d196ba5f77641 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:201
			expect(process.env.NO_PROXY).toBe('127.0.0.1,localhost,second.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #74bd24bfc72f0cce Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/no-proxy-patch.test.ts:204
			expect(process.env.NO_PROXY).toBe('second.example.com');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9110335e6666bda Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:7
		delete process.env.HTTP_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7c145ad8ad98ad83 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:8
		delete process.env.HTTPS_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #89e8e7e71535c473 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:9
		delete process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ade21c53069ab85b Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:10
		delete process.env.ALL_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #81026376ac059644 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:14
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #17ccdc85b02b50e4 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:24
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a7cc19803b1e4462 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:25
		process.env.NO_PROXY = 'api.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b67d4591d5ef6ed4 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:31
		process.env.ALL_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #92ecd72cfe8b820e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:37
		process.env.HTTPS_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e9e265140a627567 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:43
		process.env.HTTP_PROXY = PROXY_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #a9d2408d6148b203 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-resolution.test.ts:44
		process.env.NO_PROXY = 'api.example.com';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #24d84b4bc5af2fe8 Filesystem access.
repo/packages/@n8n/backend-network/src/proxy/__tests__/proxy-subpath-purity.test.ts:73
		const source = readFileSync(file, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc5fc253f350f788 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:38
		value: process.env[name],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4275824585bdd6e6 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:44
		delete process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c75bf427503f6f2a Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:46
		process.env[name] = captured.value;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #712f50880fb7736e Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:55
	const lower = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a96eb3cd959cad9 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:57
	const upper = process.env.NO_PROXY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb92c2407bd544bd Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:101
		process.env.NO_PROXY = merged;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf887a2b229d1c59 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/no-proxy-patch.ts:102
		process.env.no_proxy = merged;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23cd2db84adeb60f Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:74
		process.env.HTTP_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84127ecd7b2187ed Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:75
		process.env.http_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2c990bb43af8387 Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:76
		process.env.HTTPS_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d315ff685d29a1a Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:77
		process.env.https_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73516126b53d60ae Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:78
		process.env.ALL_PROXY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5efe080d79d7a77d Environment-variable access.
repo/packages/@n8n/backend-network/src/proxy/proxy-resolution.ts:79
		process.env.all_proxy,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/backend-test-utils

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #c84d005ca921cd46 Environment-variable access.
repo/packages/@n8n/backend-test-utils/src/test-db.ts:45
	const templateDb = dbType === 'postgresdb' ? process.env.N8N_TEST_TEMPLATE_DB : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/benchmark

npm first-party
expand_more 24 low-confidence finding(s)
low env_fs test-only #c64335446f09e86c Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:37
	const n8nTag = argv.n8nDockerTag || process.env.N8N_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #881e1634165e85ed Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:38
	const benchmarkTag = argv.benchmarkDockerTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b4e0bd0f057fb802 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:39
	const k6ApiToken = argv.k6ApiToken || process.env.K6_API_TOKEN || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e536f8a6e658dace Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:41
		argv.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c4c08f7d39b0b15f Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:43
		argv.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #0415bdcd1af2f3c4 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:44
	const baseRunDir = argv.runDir || process.env.RUN_DIR || '/n8n';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #441676071263f389 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:45
	const n8nLicenseCert = argv.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e0c6689d02030f21 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:46
	const n8nLicenseActivationKey = process.env.N8N_LICENSE_ACTIVATION_KEY || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #e43b00422add7a5b Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:47
	const n8nLicenseTenantId = argv.n8nLicenseTenantId || process.env.N8N_LICENSE_TENANT_ID || '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5203fbf4d175f65b Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run-for-n8n-setup.mjs:76
				PATH: process.env.PATH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51a8e577a481e294 Filesystem access.
repo/packages/@n8n/benchmark/scripts/run.mjs:9
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fcfb6f229951990b Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:103
	const n8nTag = args.n8nTag || process.env.N8N_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #adcfb13db78913c2 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:104
	const benchmarkTag = args.benchmarkTag || process.env.BENCHMARK_DOCKER_TAG || 'latest';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3c1f306802ec54df Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:105
	const k6ApiToken = args.k6ApiToken || process.env.K6_API_TOKEN || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #d9079e477a4e3ef5 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:107
		args.resultWebhookUrl || process.env.BENCHMARK_RESULT_WEBHOOK_URL || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #8948ea58342c46bb Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:109
		args.resultWebhookAuthHeader || process.env.BENCHMARK_RESULT_WEBHOOK_AUTH_HEADER || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7f1b033f4b058523 Environment-variable access.
repo/packages/@n8n/benchmark/scripts/run.mjs:110
	const n8nLicenseCert = args.n8nLicenseCert || process.env.N8N_LICENSE_CERT || undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #9b47c0ee8a107a2b Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:44
		const fileContent = fs.readFileSync(credentialFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #cf0dcd9cd4f4e36d Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:55
		const fileContent = fs.readFileSync(workflowFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41fbb8f459962609 Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-data-loader.ts:66
		const fileContent = fs.readFileSync(dataTableFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #11f7a8202ee670fb Filesystem access.
repo/packages/@n8n/benchmark/src/scenario/scenario-loader.ts:77
				fs.readFileSync(scenarioManifestPath, 'utf8'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b9408fa515ea229f Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #79b2f0a726ef56e2 Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:158
		const testScript = fs.readFileSync(fullTestScriptPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #2eaa5a79b14ac4fc Filesystem access.
repo/packages/@n8n/benchmark/src/test-execution/k6-executor.ts:170
		const summaryReport = fs.readFileSync(summaryReportPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/config

npm first-party
expand_more 6 low-confidence finding(s)
low env_fs production #b38a432163844c32 Environment-variable access.
repo/packages/@n8n/config/src/configs/database.config.ts:146
	const raw = process.env.N8N_DB_PING_TIMEOUT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #185cf03057524179 Filesystem access.
repo/packages/@n8n/config/src/decorators.ts:3
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ed6e8897d45d0b5 Environment-variable access.
repo/packages/@n8n/config/src/decorators.ts:20
	if (envName in process.env) return process.env[envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #827afc6c4b5f2c0d Environment-variable access.
repo/packages/@n8n/config/src/decorators.ts:23
	const filePath = process.env[`${envName}_FILE`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4771c716eab4a075 Filesystem access.
repo/packages/@n8n/config/src/decorators.ts:25
		const value = readFileSync(filePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9002b143812a3f5e Environment-variable access.
repo/packages/@n8n/config/src/utils/utils.ts:9
	const userHome = process.env.N8N_USER_FOLDER ?? process.env[homeVarName] ?? process.cwd();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/db

npm first-party
expand_more 33 low-confidence finding(s)
low env_fs production #7388fd4bdfc511f4 Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:74
	const original = readFileSync(indexPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bef62aee316c1b02 Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:100
	writeFileSync(indexPath, lines.join('\n'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5860bda83b7b315e Filesystem access.
repo/packages/@n8n/db/scripts/new-migration.mjs:129
	writeFileSync(targetFile, migrationTemplate(className));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0078346f36f6f5f0 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:55
	const args = { command: null, dbType: null, docker: !!process.env.CI };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99642e143bc27c78 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:115
		process.env.DB_TYPE = 'sqlite';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #764dcc9e0e084a49 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:116
		process.env.DB_SQLITE_DATABASE = file;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69efe35d93dbecd4 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:117
		process.env.DB_TABLE_PREFIX = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #231b1d457918427b Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:137
	process.env.DB_TYPE = 'postgresdb';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #272907b4529925e8 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:138
	process.env.DB_POSTGRESDB_HOST = conn.host;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #657cef790784e7a1 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:139
	process.env.DB_POSTGRESDB_PORT = String(conn.port);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c75b34c4f953ac1d Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:140
	process.env.DB_POSTGRESDB_DATABASE = conn.database;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f3f02b16c4b1929 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:141
	process.env.DB_POSTGRESDB_USER = conn.username;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e978a8a430fe4198 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:142
	process.env.DB_POSTGRESDB_PASSWORD = conn.password;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #461227fff4750a87 Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:143
	process.env.DB_POSTGRESDB_SCHEMA = conn.schema;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bddff1f63e9de06c Environment-variable access.
repo/packages/@n8n/db/scripts/schema-docs.mjs:144
	process.env.DB_TABLE_PREFIX = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #c1757681e415e382 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:106
const externalHost = process.env.DB_POSTGRESDB_HOST ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #6380096bb6decd89 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:169
				port: Number(process.env.DB_POSTGRESDB_PORT ?? '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #3b2269a3c4ee5a08 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:170
				username: process.env.DB_POSTGRESDB_USER ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b21f77de2f5ba509 Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:171
				password: process.env.DB_POSTGRESDB_PASSWORD ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f0f1227a3c6680d Environment-variable access.
repo/packages/@n8n/db/src/connection/__tests__/db-connection-monitor.recovery.postgres.test.ts:172
				database: process.env.DB_POSTGRESDB_DATABASE ?? 'postgres',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05b733c4bee2a8bd Environment-variable access.
repo/packages/@n8n/db/src/connection/db-connection.ts:60
		if (process.env.N8N_DB_PING_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2acf0aff9bdba9b1 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:31
				readFile(this.privateKeyPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6dcafb0b6726f75 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:32
				readFile(this.publicKeyPath, { encoding: 'utf8' }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c4ef58d920dab61 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:111
				writeFile(this.privateKeyPath, privateKey, { encoding: 'utf8', mode: 0o600 }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94bedf23d0d74002 Filesystem access.
repo/packages/@n8n/db/src/migrations/common/1711390882123-MoveSshKeysToDatabase.ts:112
				writeFile(this.publicKeyPath, publicKey, { encoding: 'utf8', mode: 0o600 }),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b78548a4249575d Filesystem access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:6
import { readFileSync, rmSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e3917ccee8198ae Filesystem access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:20
		const surveyFile = readFileSync(filename, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd5c68b39c6e630c Environment-variable access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:46
	if (process.env.NODE_ENV === 'test') return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #334d28678d13ade1 Environment-variable access.
repo/packages/@n8n/db/src/migrations/migration-helpers.ts:58
	if (process.env.NODE_ENV === 'test') return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a1baefaa4cee564 Filesystem access.
repo/packages/@n8n/db/src/migrations/sqlite/1690000000002-MigrateIntegerKeysToString.ts:3
import { statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8efbec75db3dc81 Environment-variable access.
repo/packages/@n8n/db/src/migrations/sqlite/1690000000002-MigrateIntegerKeysToString.ts:191
const migrationsPruningEnabled = process.env.MIGRATIONS_PRUNING_ENABLED === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01f65b6e1bed90ec Filesystem access.
repo/packages/@n8n/db/vite.config.ts:75
			const next = fs.existsSync(norm) ? fs.readFileSync(norm, 'utf-8') : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53a3ada005285e67 Filesystem access.
repo/packages/@n8n/db/vite.config.ts:93
				const text = cached ?? (fs.existsSync(f) ? fs.readFileSync(f, 'utf-8') : undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/eslint-config

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #010581f97ed96ee2 Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/base.ts:418
			'unused-imports/no-unused-imports': process.env.NODE_ENV === 'development' ? 'warn' : 'error',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf969ef521da5bf2 Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/base.ts:436
			'n8n-local-rules/no-skipped-tests': process.env.NODE_ENV === 'development' ? 'warn' : 'error',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2373f14d95e55e4b Environment-variable access.
repo/packages/@n8n/eslint-config/src/configs/frontend.ts:8
const isCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/eslint-plugin-community-nodes

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #5e9f37a258579f06 Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:78
		const content = readFileSync(packageJsonPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1229bfb423b87d6 Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:127
		const sourceCode = readFileSync(credentialFilePath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bcb1074971e9f2a Filesystem access.
repo/packages/@n8n/eslint-plugin-community-nodes/src/utils/file-utils.ts:250
		const sourceCode = readFileSync(nodeFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/expression-runtime

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #b12c49418d46df5e Filesystem access.
repo/packages/@n8n/expression-runtime/src/bridge/isolated-vm-bridge.ts:70
			return await readFile(path.join(dir, BUNDLE_RELATIVE_PATH), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/extension-sdk

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #e824e176803ad6fd Filesystem access.
repo/packages/@n8n/extension-sdk/scripts/create-json-schema.ts:3
import { writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe4a3ea79c6342a4 Filesystem access.
repo/packages/@n8n/extension-sdk/scripts/create-json-schema.ts:21
	await writeFile(resolve(rootDir, filepath), formattedSchema);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/json-schema-to-zod

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #07ff5ebb2f02c7ba Filesystem access.
repo/packages/@n8n/json-schema-to-zod/postcjs.cjs:1
require('fs').writeFileSync('./dist/cjs/package.json', '{"type":"commonjs"}', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2647ad91ff3ad5c Filesystem access.
repo/packages/@n8n/json-schema-to-zod/postesm.cjs:1
require('fs').writeFileSync('./dist/esm/package.json', '{"type":"module"}', 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/local-gateway

npm first-party
expand_more 4 low-confidence finding(s)
low env_fs production #6218643125c70edd Filesystem access.
repo/packages/@n8n/local-gateway/scripts/copy-assets.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9be65cb2f806aa0 Filesystem access.
repo/packages/@n8n/local-gateway/scripts/copy-renderer.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea205ca7c5a5c4d8 Filesystem access.
repo/packages/@n8n/local-gateway/src/main/tray.ts:33
	img.addRepresentation({ scaleFactor: 1.0, buffer: fs.readFileSync(path1x) });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e8a9fe03e885fb6 Filesystem access.
repo/packages/@n8n/local-gateway/src/main/tray.ts:35
		img.addRepresentation({ scaleFactor: 2.0, buffer: fs.readFileSync(path2x) });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/mcp-browser

npm first-party
expand_more 17 low-confidence finding(s)
low env_fs test-only #5bc00067a79aef34 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:9
				delete process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f20fca4501826f49 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:81
			process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'edge';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f6dfbe39b2c6d47c Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:89
			process.env.N8N_MCP_BROWSER_TRANSPORT = 'stdio';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #ff03c428f7b76d9d Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:90
			process.env.N8N_MCP_BROWSER_PORT = '4000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #eb7cf9d3559f58c7 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:99
			process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #5f91afaaebaf1bed Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:100
			process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #51aebafead0aa3ab Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:112
			process.env.N8N_MCP_BROWSER_DEFAULT_BROWSER = 'firefox';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f35566ee89cf8cb2 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:113
			process.env.N8N_MCP_BROWSER_PORT = '5000';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #fc5aa73b1e27545a Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:114
			process.env.N8N_MCP_BROWSER_HOST = '0.0.0.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #acf60a494cabe8c2 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/__tests__/server-config.test.ts:115
			process.env.N8N_MCP_BROWSER_AUTH_TOKEN = 'env-token';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b3a766032cc0a60 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/adapters/agent-browser.ts:200
			const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #231727e3d7c828d7 Filesystem access.
repo/packages/@n8n/mcp-browser/src/adapters/agent-browser.ts:471
			return readFileSync(path).toString('base64');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #321cb011899252cb Environment-variable access.
repo/packages/@n8n/mcp-browser/src/adapters/playwright.ts:135
		const autoConnect = process.env.N8N_EVAL_AUTO_BROWSER_CONNECT === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ada231e9260b6a89 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:160
		const programFiles = process.env.ProgramFiles ?? 'C:\\Program Files';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32d6ed54a801469f Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:161
		const programFilesX86 = process.env['ProgramFiles(x86)'] ?? 'C:\\Program Files (x86)';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ecaffb6fa2c600ed Environment-variable access.
repo/packages/@n8n/mcp-browser/src/browser-discovery.ts:162
		const localAppData = process.env.LOCALAPPDATA ?? path.join(os.homedir(), 'AppData\\Local');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec59fee1482d0fe2 Environment-variable access.
repo/packages/@n8n/mcp-browser/src/server-config.ts:20
	return process.env[`${ENV_PREFIX}${envKey}`];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/node-cli

npm first-party
expand_more 80 low-confidence finding(s)
low env_fs production #0b6fecac751447e7 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:21
			await fs.writeFile(`${tmpdir}/src/icons/icon.png`, 'fake-png-content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0db88c027b02e74 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:22
			await fs.writeFile(`${tmpdir}/src/assets/logo.svg`, '<svg>fake-svg</svg>');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63dd11d5b718ca84 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:23
			await fs.writeFile(`${tmpdir}/src/__schema__/node.json`, '{"fake": "schema"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c592763f1936e4f6 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:66
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'regular-package',
				version: '1.0.0',
				// No n8n field - this makes it an invalid n8n package
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b43957f5c9dbc1a6 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:95
		await fs.writeFile(`${tmpdir}/src/nodes/icons/node1.png`, 'fake-node1-png');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #687641c7accaa9c2 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:96
		await fs.writeFile(`${tmpdir}/src/nodes/subdir/__schema__/schema.json`, '{"node": "schema"}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d56ec4f04800afbb Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:97
		await fs.writeFile(`${tmpdir}/src/assets/images/logo.svg`, '<svg>logo</svg>');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d993580c232c93cb Filesystem access.
repo/packages/@n8n/node-cli/src/commands/build.test.ts:120
		await fs.writeFile(`${tmpdir}/dist/old-file.js`, 'old content');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d93fcc38c69536a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/cloud-support.ts:106
		await fs.writeFile(eslintConfigPath, newConfig, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b035d88fb62e1cd9 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/cloud-support.ts:130
				const eslintConfig = await fs.readFile(eslintConfigPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba3d05b7fe60281e Filesystem access.
repo/packages/@n8n/node-cli/src/commands/dev/utils.ts:568
	return await fs
		.readFile('package.json', 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e007ec8d5677c0b Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:98
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'regular-package',
				version: '1.0.0',
				// No n8n field - this makes it an invalid n8n package
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d100ee7d60ff1fd Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:171
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23f3a1999c3c05ab Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.test.ts:187
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, 'lockfileVersion: 5.4\n');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa1d25f804007200 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.ts:85
		const expectedConfig = await fs.readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77b3d7dd0f991bce Filesystem access.
repo/packages/@n8n/node-cli/src/commands/lint.ts:88
			const currentConfig = await fs.readFile(eslintConfigPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e42d2f8d8a777287 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.test.ts:10
		delete process.env.RELEASE_MODE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deaae38edc9bed0d Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.test.ts:28
		process.env.RELEASE_MODE = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #241dd94380d3bd16 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/prerelease.ts:17
		if (!process.env.RELEASE_MODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0b00dc9bb1b4580 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:31
		delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f8cb31d36ef427f Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:32
		delete process.env.GITHUB_ACTIONS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb569185bfd13369 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:40
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1743c480817740c Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:50
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #929bb3010a978db5 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:60
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d272dd88e043488a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:70
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a95826ae29f396c4 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:80
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213d55c83929f426 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:100
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5bdb2872939b82e0 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:102
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #711b6e36027c1040 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:112
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9682e9dbe947cc24 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:126
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3203d67e5dea1380 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:140
			await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de68105827c5a586 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:145
			const content = await fs.readFile(workflowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36075d35ab66bb8a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:160
		await fs.writeFile(workflowPath, originalContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b28248f7bd760c5a Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:164
		const content = await fs.readFile(workflowPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fded25812c76585 Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:172
		process.env.GITHUB_ACTIONS = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ad974c784b13ba9 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:174
		await fs.writeFile(
			`${tmpdir}/package.json`,
			JSON.stringify({
				name: 'test-node',
				version: '1.0.0',
				n8n: {
					nodes: ['dist/nodes/TestNode.node.js'],
				},
			}),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #148e832960346713 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.test.ts:184
		await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '# pnpm lock file');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5d2c5ea83a5ccbc Environment-variable access.
repo/packages/@n8n/node-cli/src/commands/release.ts:56
		const isCI = Boolean(process.env.GITHUB_ACTIONS);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30f8e3d28bcad5ad Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.ts:156
		const templateContent = await fs.readFile(templatePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e4b150f5c915db4 Filesystem access.
repo/packages/@n8n/node-cli/src/commands/release.ts:163
		await fs.writeFile(dest, rendered);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fb5f3504356d2f3 Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:50
			await fs.writeFile(pkgPath, packageJsonWithOverrides);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd68e6ff861a95fd Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:61
		await fs.writeFile(pkgPath, packageJsonWithLifecycleScript);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e398911108991e1 Filesystem access.
repo/packages/@n8n/node-cli/src/configs/eslint.test.ts:71
		await fs.writeFile(pkgPath, packageJsonWithOverrides);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8264e8b73ed94de9 Filesystem access.
repo/packages/@n8n/node-cli/src/template/core.ts:75
			const content = await fs.readFile(file, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c932714e1470d756 Filesystem access.
repo/packages/@n8n/node-cli/src/template/core.ts:79
				await fs.writeFile(file, newContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4665edcc3d8dadd1 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:53
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b420c33d5499190e Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:90
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0363ba50697b725a Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/matchers.ts:114
			content = await fs.readFile(fullPath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39568f816e770aa8 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:34
	await fs.writeFile(`${tmpdir}/package.json`, JSON.stringify(packageConfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0ee2ed186712bd4 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:37
		await fs.writeFile(`${tmpdir}/eslint.config.mjs`, DEFAULT_ESLINT_CONFIG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d079614428d3d786 Filesystem access.
repo/packages/@n8n/node-cli/src/test-utils/package-setup.ts:39
		await fs.writeFile(`${tmpdir}/eslint.config.mjs`, options.eslintConfig);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57699fb042d90fba Filesystem access.
repo/packages/@n8n/node-cli/src/utils/filesystem.ts:58
	await fs.writeFile(filePath, contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9092aac72355856d Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:20
			process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c0c9dbd30a8fdf0 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:28
			process.env.npm_config_user_agent = 'yarn/1.22.19 npm/? node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60e201025b0ffc43 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:36
			process.env.npm_config_user_agent = 'npm/9.5.1 node/v18.16.0 darwin x64 workspaces/false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6680d5ded89bb34 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:44
			process.env.npm_config_user_agent = 'pnpm/8.6.0 yarn/1.22.19 npm/9.5.1 node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68faa2e69ab7ded8 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:52
			process.env.npm_config_user_agent = 'yarn/1.22.19 npm/9.5.1 node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abdc341c727f1f1d Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:60
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a787d821b50511 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:68
			process.env.npm_config_user_agent = 'node/v18.16.0 darwin x64';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #567a914aa2a10fc4 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:76
			process.env.npm_config_user_agent = '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bacc1d29a61aaa6 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:86
			process.env.npm_config_user_agent = 'pnpm/8.6.0 npm/? node/v18.16.0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9d1e6e97fc48df8 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:96
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5620b3b702b7317b Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:98
				await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90f6a64cb956536a Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:109
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b76636c7964880f1 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:111
				await fs.writeFile(`${tmpdir}/yarn.lock`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e216e5f18c47b781 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:122
				delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e4935219614cd61 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:124
				await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #189f10cdc838b4f1 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:133
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39fdc49dc20951e5 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:135
			await fs.writeFile(`${tmpdir}/package-lock.json`, '{}');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa59774ca1dae71b Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:136
			await fs.writeFile(`${tmpdir}/yarn.lock`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bfd3b0a135a0d95 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:137
			await fs.writeFile(`${tmpdir}/pnpm-lock.yaml`, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96c617ff615f6035 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:145
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #610ec73adda202ce Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.test.ts:153
			delete process.env.npm_config_user_agent;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c3a6cd311f7ab71 Environment-variable access.
repo/packages/@n8n/node-cli/src/utils/package-manager.ts:7
		const ua = process.env['npm_config_user_agent'] ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34fca473c44510e1 Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package.ts:23
	const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2191b2ba4e3b5b8f Filesystem access.
repo/packages/@n8n/node-cli/src/utils/package.ts:37
	const packageJson = jsonParse<N8nPackageJson>(await fs.readFile(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e258f7714f01ad3a Filesystem access.
repo/packages/@n8n/node-cli/src/utils/prompts.ts:42
		const content = await fs.readFile(packageJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35946325c4f74d27 Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:8
		reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1362ae274a5838f Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:10
		...(process.env.COVERAGE_ENABLED === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4923c773be5c789 Environment-variable access.
repo/packages/@n8n/node-cli/vite.config.ts:15
						reporter: process.env.CI === 'true' ? ['cobertura'] : ['text-summary'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/scan-community-package

npm first-party
expand_more 3 low-confidence finding(s)
low env_fs production #d6eba1352e1f70db Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.mjs:3
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #637314c3e4b68068 Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.test.mjs:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d8537a9e0a45330 Filesystem access.
repo/packages/@n8n/scan-community-package/scanner/scanner.test.mjs:18
		fs.writeFileSync(
			fullPath,
			typeof contents === 'string' ? contents : JSON.stringify(contents, null, 2),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/scheduler

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #0cab18c2e015f53e Environment-variable access.
repo/packages/@n8n/scheduler/stryker.config.mjs:29
	concurrency: Number(process.env.STRYKER_CONCURRENCY ?? 4),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/typeorm

npm first-party
expand_more 8 low-confidence finding(s)
low env_fs production #69d75fe35d3f0134 Environment-variable access.
repo/packages/@n8n/typeorm/src/driver/postgres/PostgresDriver.ts:320
			process.env.PGTZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2200858a0b7a2db7 Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:2
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1fa1f7d2ff3f8504 Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:6
export { ReadStream } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #324c16c2ecc5cc46 Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:43
		return fs.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec4dbc889ca5cd4a Filesystem access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:52
			fs.writeFile(path, data, (err) => {
				if (err) fail(err);
				ok();
			});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c571d83ab721f00 Environment-variable access.
repo/packages/@n8n/typeorm/src/platform/PlatformTools.ts:72
		return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c8ccf15ed36f025 Filesystem access.
repo/packages/@n8n/typeorm/src/util/ImportUtils.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d84b0c5d772dc2 Filesystem access.
repo/packages/@n8n/typeorm/src/util/ImportUtils.ts:57
						fs.readFile(potentialPackageJson, 'utf8', (err, data) => {
							if (err != null) accept(null);
							else {
								try {
									accept(JSON.parse(data));
								} catch (err) {
									accept(null);
								}
							}
						});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/vitest-config

npm first-party
expand_more 7 low-confidence finding(s)
low env_fs production #69dd42e2edc36a9f Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:29
			reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac80cf1a56cddc79 Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:47
	if (process.env.COVERAGE_ENABLED === 'true' && vitestConfig.test?.coverage) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fd651523830989e Environment-variable access.
repo/packages/@n8n/vitest-config/frontend.ts:50
		if (process.env.CI === 'true' && coverage.provider === 'v8') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #230ecd71d16c598c Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:44
	if (process.env.CI !== 'true') return {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d5b267003555aba4 Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:61
	reporters: process.env.CI === 'true' ? ['default', 'junit'] : ['default'],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f50c87cd507016c Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:63
	...(process.env.COVERAGE_ENABLED === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a446d2159f79a0ce Environment-variable access.
repo/packages/@n8n/vitest-config/node.ts:68
					reporter: process.env.CI === 'true' ? 'lcov' : 'text-summary',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/@n8n/workflow-sdk

npm first-party
expand_more 54 low-confidence finding(s)
low env_fs production #20451fbb5d6fde08 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/create-workflows-zip.ts:11
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e834133eca2e6956 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/extract-workflows.ts:12
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b1f9c7c5a757f30 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/extract-workflows.ts:46
		fs.writeFileSync(outputPath, entry.getData());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c9aa2fd1797a3d6 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #281b6f5cb7263488 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:87
		const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d875d69854dd003d Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:146
			fs.writeFileSync(outputPath, JSON.stringify(workflow, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b78a7465580dc37 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:162
		const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c710301961469763 Filesystem access.
repo/packages/@n8n/workflow-sdk/scripts/fetch-test-workflows.ts:179
	fs.writeFileSync(manifestPath, JSON.stringify(manifest, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f941e25823cfdfbb Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:9
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #f7e6af50d552e79f Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:48
	const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #b6ad67f983ca6ba5 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/__tests__/fixtures-zip.ts:105
	const manifest = JSON.parse(fs.readFileSync(MANIFEST_PATH, 'utf-8')) as Manifest;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24034edd7e19db8d Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c012591cd25f6f98 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:26
		code = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b41182de18c5f10 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/code-to-json.ts:60
	fs.writeFileSync(outputPath, JSON.stringify(json, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #415d5b67ca3cc4cc Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:1
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b55e0cb7abcd4690 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:27
		const content = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bce06ee23504bbd Filesystem access.
repo/packages/@n8n/workflow-sdk/src/cli/json-to-code.ts:75
	fs.writeFileSync(outputPath, code);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b5b22baf45a7d81 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/code-generator.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d420d8dd4bc4eb7c Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/code-generator.test.ts:2064
				const json = JSON.parse(fs.readFileSync(jsonPath, 'utf8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c1129f020add2a3 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb071df102873bd8 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:51
	const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04ff92d211c8903d Filesystem access.
repo/packages/@n8n/workflow-sdk/src/codegen/codegen-roundtrip.test.ts:71
			const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #949d464d46158a67 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:7
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32a9f7d393adefca Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:34
	await fs.promises.writeFile(nodesJsonPath, JSON.stringify(nodes));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b4ef0967ede097f Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:129
			const hashBefore = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb280f0d8aabb2ef Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:137
			await fs.promises.writeFile(nodesJsonPath, JSON.stringify([modifiedNode]));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3b269a643dee7b5 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:141
			const hashAfter = await fs.promises.readFile(path.join(outputDir, '.nodes-hash'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ef0a9ebc394facc Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.test.ts:218
				const tsContent = await fs.promises.readFile(path.join(nodeDir, 'v1.ts'), 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6443a4de562442bf Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:17
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd1b09d90ff2424b Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:47
		const pkg = JSON.parse(fs.readFileSync(sdkPackageJsonPath, 'utf-8')) as { version: string };

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f2337b170a84836 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:68
	const content = await fs.promises.readFile(nodesJsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78eeca5a4a5e33f8 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:76
		const existingHash = await fs.promises.readFile(hashFilePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc65a2ecc2ee358e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:99
	await fs.promises.writeFile(hashFilePath, inputHash);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1f2b35cfcfcc943 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-node-defs-cli.ts:111
	const packageJson = jsonParse<{ name: string }>(fs.readFileSync(packageJsonPath, 'utf-8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc66ef6274a20cd1 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:8
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ac7e80e4dbc151f Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:4993
				fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80bf88f166eea1e5 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:5103
				fs.writeFileSync(fullPath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #da33a9eba4f7592f Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.test.ts:5269
		const content = fs.readFileSync(indexFile, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e35fd69b7801b94 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:21
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6f3719e992afab2 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:660
					const schemaContent = fs.readFileSync(filePath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0be2a540d8a589f2 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:686
					const schemaContent = fs.readFileSync(schemaPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac1c4dd35ef1e5d3 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4193
	const content = await fs.promises.readFile(jsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50521392475df661 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4323
		await Promise.all(batch.map((f) => fs.promises.writeFile(f.path, f.content)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b3fb1c1758df287 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4490
		await fs.promises.writeFile(path.join(outputDir, 'index.ts'), indexContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20a76869845dc26e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/generate-types/generate-types.ts:4544
		await fs.promises.writeFile(path.join(DEV_OUTPUT_PATH, 'index.ts'), placeholderContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #310ac4fd021032ec Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd3076585433970a Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:28
		fs.writeFileSync(generatedPath, code, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f8c7710ba385327 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:48
	const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8')) as {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efcaa865a4e519e9 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/real-workflow.test.ts:65
			const json = JSON.parse(fs.readFileSync(filePath, 'utf-8')) as WorkflowJSON;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #530ba08e46210099 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:10
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d64bacc728c71779 Environment-variable access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:23
const WORKER_ID = process.env.VITEST_POOL_ID ?? '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cdbd18ea4296028a Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:36
		const content = fs.readFileSync(generatorPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe6b356811c6183e Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:51
		const storedHash = fs.readFileSync(STAMP_FILE, 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0753dcf833e83676 Filesystem access.
repo/packages/@n8n/workflow-sdk/src/validation/test-schema-setup.ts:103
			fs.writeFileSync(STAMP_FILE, hash);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/design-system

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs production #3eaea6536fa44f54 Filesystem access.
repo/packages/frontend/@n8n/design-system/src/icons/lucide/vite.ts:36
			const raw = readFileSync(jsonPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/i18n

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs test-only #77841acf9f1011b8 Environment-variable access.
repo/packages/frontend/@n8n/i18n/src/__tests__/setup.ts:2
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/frontend/@n8n/stores

npm first-party
expand_more 1 low-confidence finding(s)
low env_fs test-only #161317beea7d67da Environment-variable access.
repo/packages/frontend/@n8n/stores/src/__tests__/setup.ts:5
process.env.TZ = 'UTC';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/node-dev

npm first-party
expand_more 5 low-confidence finding(s)
low env_fs production #19d6852ba8a627f5 Filesystem access.
repo/packages/node-dev/commands/new.ts:7
import { access } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cddb30e2e628c976 Filesystem access.
repo/packages/node-dev/src/Build.ts:6
import { copyFile, mkdir, readFile, writeFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7f83d24e9b6055d Filesystem access.
repo/packages/node-dev/src/Build.ts:25
	const tsConfigString = await readFile(tsconfigPath, { encoding: 'utf8' });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95bfe22b5254d0c5 Filesystem access.
repo/packages/node-dev/src/Build.ts:39
	await writeFile(path, JSON.stringify(tsConfig, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bbb3de8667acd2e Filesystem access.
repo/packages/node-dev/src/Create.ts:1
import { copyFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • first-party (npm): packages/extensions/insights prod — scan budget exceeded
  • first-party (npm): packages/testing/rules-engine prod — scan budget exceeded
  • first-party (npm): packages/testing/janitor prod — scan budget exceeded
  • first-party (npm): packages/testing/test-impact prod — scan budget exceeded
  • first-party (npm): packages/testing/containers prod — scan budget exceeded
  • first-party (npm): packages/testing/playwright prod — scan budget exceeded
  • first-party (npm): packages/testing/performance prod — scan budget exceeded
  • first-party (npm): packages/testing/code-health prod — scan budget exceeded
  • @n8n/di prod — scan budget exceeded
  • @oclif/core prod — scan budget exceeded
  • change-case prod — scan budget exceeded
  • fast-glob prod — scan budget exceeded
  • inquirer prod — scan budget exceeded
  • n8n-core prod — scan budget exceeded
  • n8n-workflow prod — scan budget exceeded
  • replace-in-file prod — scan budget exceeded
  • tmp-promise prod — scan budget exceeded
  • @aws-sdk/client-s3 prod — scan budget exceeded
  • @azure/identity prod — scan budget exceeded
  • @azure/storage-blob prod — scan budget exceeded
  • @langchain/core prod — scan budget exceeded
  • @n8n/backend-common prod — scan budget exceeded
  • @n8n/backend-network prod — scan budget exceeded
  • @n8n/client-oauth2 prod — scan budget exceeded
  • @n8n/config prod — scan budget exceeded
  • @n8n/constants prod — scan budget exceeded
  • @n8n/decorators prod — scan budget exceeded
  • @n8n/errors prod — scan budget exceeded
  • @n8n/utils prod — scan budget exceeded
  • @sentry/core prod — scan budget exceeded
  • @sentry/node prod — scan budget exceeded
  • @sentry/node-native prod — scan budget exceeded
  • @sentry/profiling-node prod — scan budget exceeded
  • callsites prod — scan budget exceeded
  • chardet prod — scan budget exceeded
  • cron prod — scan budget exceeded
  • file-type prod — scan budget exceeded
  • form-data prod — scan budget exceeded
  • htmlparser2 prod — scan budget exceeded
  • jsonwebtoken prod — scan budget exceeded
  • lodash prod — scan budget exceeded
  • luxon prod — scan budget exceeded
  • mime-types prod — scan budget exceeded
  • ms prod — scan budget exceeded
  • @n8n/workflow-sdk prod — scan budget exceeded
  • nanoid prod — scan budget exceeded
  • oauth-1.0a prod — scan budget exceeded
  • p-cancelable prod — scan budget exceeded
  • picocolors prod — scan budget exceeded
  • pretty-bytes prod — scan budget exceeded
  • ssh2 prod — scan budget exceeded
  • uuid prod — scan budget exceeded
  • winston prod — scan budget exceeded
  • xml2js prod — scan budget exceeded
  • qs prod — scan budget exceeded
  • @codemirror/autocomplete prod — scan budget exceeded
  • @n8n/expression-runtime prod — scan budget exceeded
  • @n8n/tournament prod — scan budget exceeded
  • ast-types prod — scan budget exceeded
  • esprima-next prod — scan budget exceeded
  • jmespath prod — scan budget exceeded
  • js-base64 prod — scan budget exceeded
  • jssha prod — scan budget exceeded
  • json-schema prod — scan budget exceeded
  • md5 prod — scan budget exceeded
  • recast prod — scan budget exceeded
  • title-case prod — scan budget exceeded
  • transliteration prod — scan budget exceeded
  • jsonrepair prod — scan budget exceeded
  • @1password/connect prod — scan budget exceeded
  • @ai-sdk/anthropic prod — scan budget exceeded
  • @apidevtools/json-schema-ref-parser prod — scan budget exceeded
  • @aws-sdk/client-secrets-manager prod — scan budget exceeded
  • @azure/keyvault-secrets prod — scan budget exceeded
  • @chat-adapter/linear prod — scan budget exceeded
  • @chat-adapter/slack prod — scan budget exceeded
  • @chat-adapter/state-memory prod — scan budget exceeded
  • @chat-adapter/telegram prod — scan budget exceeded
  • @daytona/sdk prod — scan budget exceeded
  • @google-cloud/secret-manager prod — scan budget exceeded
  • @joplin/turndown-plugin-gfm prod — scan budget exceeded
  • @modelcontextprotocol/sdk prod — scan budget exceeded
  • @mozilla/readability prod — scan budget exceeded
  • @n8n/agents prod — scan budget exceeded
  • @n8n/ai-node-sdk prod — scan budget exceeded
  • @n8n/ai-utilities prod — scan budget exceeded
  • @n8n/ai-workflow-builder prod — scan budget exceeded
  • @n8n/api-types prod — scan budget exceeded
  • @n8n/chat-hub prod — scan budget exceeded
  • @n8n/db prod — scan budget exceeded
  • @n8n/instance-ai prod — scan budget exceeded
  • @n8n/mcp-apps prod — scan budget exceeded
  • @n8n/mcp-browser prod — scan budget exceeded
  • @n8n/n8n-nodes-langchain prod — scan budget exceeded
  • @n8n/permissions prod — scan budget exceeded
  • @n8n/scheduler prod — scan budget exceeded
  • @n8n/syslog-client prod — scan budget exceeded
  • @n8n/task-runner prod — scan budget exceeded
  • @n8n_io/ai-assistant-sdk prod — scan budget exceeded
  • @n8n_io/license-sdk prod — scan budget exceeded
  • @opentelemetry/api prod — scan budget exceeded
  • @opentelemetry/core prod — scan budget exceeded
  • @opentelemetry/exporter-trace-otlp-proto prod — scan budget exceeded
  • @opentelemetry/instrumentation prod — scan budget exceeded
  • @opentelemetry/resources prod — scan budget exceeded
  • @opentelemetry/sdk-node prod — scan budget exceeded
  • @opentelemetry/sdk-trace-base prod — scan budget exceeded
  • @opentelemetry/sdk-trace-node prod — scan budget exceeded
  • @opentelemetry/semantic-conventions prod — scan budget exceeded
  • @parcel/watcher prod — scan budget exceeded
  • @pinecone-database/pinecone prod — scan budget exceeded
  • @qdrant/js-client-rest prod — scan budget exceeded
  • @rudderstack/rudder-sdk-node prod — scan budget exceeded
  • @supabase/supabase-js prod — scan budget exceeded
  • ai prod — scan budget exceeded
  • aws4 prod — scan budget exceeded
  • bcryptjs prod — scan budget exceeded
  • bull prod — scan budget exceeded
  • cache-manager prod — scan budget exceeded
  • chat prod — scan budget exceeded
  • class-transformer prod — scan budget exceeded
  • class-validator prod — scan budget exceeded
  • compression prod — scan budget exceeded
  • convict prod — scan budget exceeded
  • cookie-parser prod — scan budget exceeded
  • csrf prod — scan budget exceeded
  • csv-parse prod — scan budget exceeded
  • dotenv prod — scan budget exceeded
  • express prod — scan budget exceeded
  • express-handlebars prod — scan budget exceeded
  • express-openapi-validator prod — scan budget exceeded
  • express-prom-bundle prod — scan budget exceeded
  • express-rate-limit prod — scan budget exceeded
  • fast-json-patch prod — scan budget exceeded
  • fastest-levenshtein prod — scan budget exceeded
  • fflate prod — scan budget exceeded
  • flat prod — scan budget exceeded
  • flatted prod — scan budget exceeded
  • formidable prod — scan budget exceeded
  • handlebars prod — scan budget exceeded
  • helmet prod — scan budget exceeded
  • http-proxy-middleware prod — scan budget exceeded
  • ioredis prod — scan budget exceeded
  • isbot prod — scan budget exceeded
  • isolated-vm prod — scan budget exceeded
  • jose prod — scan budget exceeded
  • json-diff prod — scan budget exceeded
  • jsonschema prod — scan budget exceeded
  • langsmith prod — scan budget exceeded
  • ldapts prod — scan budget exceeded
  • linkedom prod — scan budget exceeded
  • lru-cache prod — scan budget exceeded
  • moment-timezone prod — scan budget exceeded
  • multer prod — scan budget exceeded
  • n8n-editor-ui prod — scan budget exceeded
  • n8n-nodes-base prod — scan budget exceeded
  • nodemailer prod — scan budget exceeded
  • open prod — scan budget exceeded
  • openid-client prod — scan budget exceeded
  • otpauth prod — scan budget exceeded
  • p-lazy prod — scan budget exceeded
  • pdf-parse prod — scan budget exceeded
  • pg prod — scan budget exceeded
  • pkce-challenge prod — scan budget exceeded
  • posthog-node prod — scan budget exceeded
  • prom-client prod — scan budget exceeded
  • psl prod — scan budget exceeded
  • raw-body prod — scan budget exceeded
  • replacestream prod — scan budget exceeded
  • samlify prod — scan budget exceeded
  • semver prod — scan budget exceeded
  • shelljs prod — scan budget exceeded
  • simple-git prod — scan budget exceeded
  • source-map-support prod — scan budget exceeded
  • sqlite3 prod — scan budget exceeded
  • sshpk prod — scan budget exceeded
  • sucrase prod — scan budget exceeded
  • swagger-ui-express prod — scan budget exceeded
  • tar prod — scan budget exceeded
  • turndown prod — scan budget exceeded
  • validator prod — scan budget exceeded
  • ws prod — scan budget exceeded
  • xmllint-wasm prod — scan budget exceeded
  • xss prod — scan budget exceeded
  • yargs-parser prod — scan budget exceeded
  • zod-to-json-schema prod — scan budget exceeded
  • @aws-crypto/sha256-js prod — scan budget exceeded
  • @aws-sdk/credential-providers prod — scan budget exceeded
  • @smithy/node-http-handler prod — scan budget exceeded
  • @smithy/protocol-http prod — scan budget exceeded
  • @smithy/signature-v4 prod — scan budget exceeded
  • @smithy/types prod — scan budget exceeded
  • @kafkajs/confluent-schema-registry prod — scan budget exceeded
  • @n8n/imap prod — scan budget exceeded
  • @thednp/dommatrix prod — scan budget exceeded
  • alasql prod — scan budget exceeded
  • amqplib prod — scan budget exceeded
  • basic-auth prod — scan budget exceeded
  • cheerio prod — scan budget exceeded
  • chokidar prod — scan budget exceeded
  • currency-codes prod — scan budget exceeded
  • eventsource prod — scan budget exceeded
  • generate-schema prod — scan budget exceeded
  • get-system-fonts prod — scan budget exceeded
  • gm prod — scan budget exceeded
  • html-to-text prod — scan budget exceeded
  • iconv-lite prod — scan budget exceeded
  • ics prod — scan budget exceeded