Close Open Privacy Scan

bolt Snapshot: commit 816ef76
science engine v3
schedule 2026-07-08T08:06:37.227390+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

87 /100
Low privacy risk

Low risk · 39 finding(s)

Dependency score: 97 (Low risk)

bar_chart Score Breakdown

telemetry −10
env_fs −3

list Scan Summary

0 high 1 medium 38 low
First-party packages: 1
Dependency packages: 2
Ecosystem: npm

swap_horiz Application data flows

No high- or medium-confidence application data-flow findings in this scan.

</> First-Party Code

first-party (npm)

npm first-party
medium telemetry test-only #26fdd161f6078caa Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/tools/benchmarks/src/autocannon/run.ts:30
      autocannon.track(instance);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 36 low-confidence finding(s)
low env_fs production #0714ad8a8bfd2a6b Filesystem access.
repo/integration/inspector/e2e/graph-inspector.spec.ts:7
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cdecf4114efe8ae Filesystem access.
repo/integration/inspector/e2e/graph-inspector.spec.ts:34
    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'pre-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e511e42db8abefd8 Filesystem access.
repo/integration/inspector/e2e/graph-inspector.spec.ts:62
    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'post-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #282f5a49c5512efc Filesystem access.
repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:5
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #371ab2fd1ecd9932 Filesystem access.
repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:19
    key = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/privkey.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b7a655e5dd443d6 Filesystem access.
repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:22
    cert = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/ca.cert.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0e8eb0545ed2844 Filesystem access.
repo/integration/microservices/src/tcp-tls/app.controller.ts:19
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24c4e20195810a1 Filesystem access.
repo/integration/microservices/src/tcp-tls/app.controller.ts:36
          fs
            .readFileSync(path.join(__dirname, 'ca.cert.pem'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60b72921afed48d9 Filesystem access.
repo/integration/microservices/src/tcp-tls/app.module.ts:12
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #448cb176804a274a Filesystem access.
repo/integration/microservices/src/tcp-tls/app.module.ts:15
const caCert = fs.readFileSync(path.join(__dirname, 'ca.cert.pem')).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b1c69910280a6d4 Filesystem access.
repo/integration/send-files/e2e/express.spec.ts:7
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8ab1758588aab0f Filesystem access.
repo/integration/send-files/e2e/express.spec.ts:17
const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c5f6ddf59164658 Filesystem access.
repo/integration/send-files/e2e/fastify.spec.ts:7
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa06695f12f786b2 Filesystem access.
repo/integration/send-files/e2e/fastify.spec.ts:11
const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e732816f82b6cd90 Filesystem access.
repo/integration/send-files/src/app.service.ts:3
import { createReadStream, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f505a03f4905c191 Filesystem access.
repo/integration/send-files/src/app.service.ts:21
    return new StreamableFile(readFileSync(join(process.cwd(), 'Readme.md')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe236c88648393c3 Filesystem access.
repo/integration/send-files/src/app.service.ts:33
    const file = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66954b122dd9d63e Environment-variable access.
repo/packages/common/utils/cli-colors.util.ts:3
export const isColorAllowed = () => !process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #391b7da536a424b2 Environment-variable access.
repo/packages/core/injector/injector.ts:1288
    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d8ad467c79775b90 Environment-variable access.
repo/packages/core/injector/instance-wrapper.ts:566
    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0c58b9a33c4d2a8 Filesystem access.
repo/packages/platform-fastify/interfaces/external/fastify-static-options.interface.ts:7
import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9beaa50f007d7273 Filesystem access.
repo/sample/25-dynamic-modules/src/config/config.service.ts:3
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8358d449ee21ce24 Environment-variable access.
repo/sample/25-dynamic-modules/src/config/config.service.ts:13
    const filePath = `${process.env.NODE_ENV || 'development'}.env`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1e49173171d3b7b Filesystem access.
repo/sample/25-dynamic-modules/src/config/config.service.ts:15
    this.envConfig = dotenv.parse(fs.readFileSync(envFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7d0e86c9213233a Environment-variable access.
repo/sample/26-queues/src/app.module.ts:10
        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5020791f7e972b9a Environment-variable access.
repo/sample/26-queues/src/app.module.ts:11
        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87882ba4b5fe65fd Filesystem access.
repo/sample/28-sse/src/app.controller.ts:3
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2515caee78850e37 Filesystem access.
repo/sample/28-sse/src/app.controller.ts:14
      .send(readFileSync(join(__dirname, 'index.html')).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62877dc9d09908b9 Filesystem access.
repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:3
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b82e9955c49ee81 Filesystem access.
repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:28
        file: readFileSync('./package.json').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8235bc54c068c60c Filesystem access.
repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:42
        file: readFileSync('./resources/nestjs.jpg').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8b2440119e4b873 Environment-variable access.
repo/sample/36-hmr-esm/src/main.ts:11
  await app.listen(process.env.PORT ?? 3000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0dc3eb47f78afb26 Environment-variable access.
repo/scripts/wait-for-rabbitmq.js:5
const url = process.env.RABBITMQ_URL || 'amqp://localhost:5672';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eeca001b2967cc61 Environment-variable access.
repo/scripts/wait-for-rabbitmq.js:12
  process.env.RABBITMQ_WAIT_TIMEOUT_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80fc92735da0cc56 Environment-variable access.
repo/scripts/wait-for-rabbitmq.js:16
  process.env.RABBITMQ_WAIT_INTERVAL_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93d1fcab022c030f Filesystem access.
repo/tools/gulp/util/task-helpers.ts:1
import { readdirSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #d70c0638aa356646 Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

socket.io

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #c49335bc16380eee Environment-variable access.
pkgs/npm/[email protected]/client-dist/socket.io.js:2955
        r = process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • path-to-regexp prod — dist-only: no readable source