Close Open Privacy Scan

link https://github.com/nestjs/nest

bolt Snapshot: commit 619bb1b

science engine v1

schedule 2026-06-25T11:01:32.168038+00:00

App Privacy Score

42 /100

High privacy risk — possible application leak

High risk · 489 finding(s)

Dependency score: 12 (High risk)

bar_chart Score Breakdown

pii_flow −45

telemetry −10

env_fs −3

list Scan Summary

2 high 13 medium 474 low

First-party packages: 1

Dependency packages: 37

Ecosystem: npm

swap_horiz Potential data exfiltration in application code

External domains: studio.apollographql.com

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:30

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:34

medium first-party (npm) PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:5 → repo/scripts/wait-for-rabbitmq.js:39

hub Dependency data flows (7)

high nats tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/examples/nats-req.js:40 → pkgs/npm/[email protected]/examples/nats-req.js:79

high coveralls dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:9 → pkgs/npm/[email protected]/lib/sendToCoveralls.js:19

medium @apollo/server dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132 → pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:33

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:36

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:37

medium @fastify/static dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:8 → pkgs/npm/@[email protected]/example/server-benchmark.js:38

</> First-Party Code

first-party (npm)

npm first-party

medium pii_flow production #a158440e801860cb — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:30 · flow /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:30

      console.log(`[rabbitmq] Ready at ${url}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #d6695eccbc46955f — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:34 · flow /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:34

      console.log(`[rabbitmq] Waiting for ${url}...`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow production #3aaa2723ae9a50cd — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

repo/scripts/wait-for-rabbitmq.js:39 · flow /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:5 → /tmp/closeopen-pb9mt26s/repo/scripts/wait-for-rabbitmq.js:39

  console.error(
    `[rabbitmq] Timed out waiting for ${url} after ${timeoutMs}ms.`,
  );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #6223160157838312 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

repo/tools/benchmarks/src/autocannon/run.ts:30

      autocannon.track(instance);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 36 low-confidence finding(s)

low env_fs production #4e9cd8b2a3fbac09 — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4435fd74042aae62 — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:34

    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'pre-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58a07c5b1d272ace — Filesystem access.

repo/integration/inspector/e2e/graph-inspector.spec.ts:62

    const snapshot = readFileSync(
      join(__dirname, 'fixtures', 'post-init-graph.json'),
      'utf-8',
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df1063f7c9ba536f — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:5

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2e32d7ed0d8101d — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:19

    key = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/privkey.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84129e57dab36243 — Filesystem access.

repo/integration/microservices/e2e/sum-rpc-tls.spec.ts:22

    cert = fs
      .readFileSync(path.join(__dirname, '../src/tcp-tls/ca.cert.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11fcd1c5a9f1a679 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.controller.ts:19

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e68b28183c7bdc7 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.controller.ts:36

          fs
            .readFileSync(path.join(__dirname, 'ca.cert.pem'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9baa1cdb2fcaff91 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.module.ts:12

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbd33892504b53e9 — Filesystem access.

repo/integration/microservices/src/tcp-tls/app.module.ts:15

const caCert = fs.readFileSync(path.join(__dirname, 'ca.cert.pem')).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5566c01495f6315 — Filesystem access.

repo/integration/send-files/e2e/express.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8298d90eb744f83c — Filesystem access.

repo/integration/send-files/e2e/express.spec.ts:17

const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3ba3582be98882b — Filesystem access.

repo/integration/send-files/e2e/fastify.spec.ts:7

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a0e82ca31180aaf — Filesystem access.

repo/integration/send-files/e2e/fastify.spec.ts:11

const readme = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #992c4ad551e1c975 — Filesystem access.

repo/integration/send-files/src/app.service.ts:3

import { createReadStream, readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f654b0fa16042dce — Filesystem access.

repo/integration/send-files/src/app.service.ts:21

    return new StreamableFile(readFileSync(join(process.cwd(), 'Readme.md')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ccd2960da0a5e74 — Filesystem access.

repo/integration/send-files/src/app.service.ts:33

    const file = readFileSync(join(process.cwd(), 'Readme.md'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #927bd7b8a42d4728 — Environment-variable access.

repo/packages/common/utils/cli-colors.util.ts:3

export const isColorAllowed = () => !process.env.NO_COLOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ba07c82370f1255 — Environment-variable access.

repo/packages/core/injector/injector.ts:1288

    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84cde68ff4e379df — Environment-variable access.

repo/packages/core/injector/instance-wrapper.ts:566

    return !!process.env.NEST_DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3cfe98e439497bc7 — Filesystem access.

repo/packages/platform-fastify/interfaces/external/fastify-static-options.interface.ts:7

import { Stats } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aee56aaa3629fbfb — Filesystem access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:3

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bcc8ac387d07bc8 — Environment-variable access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:13

    const filePath = `${process.env.NODE_ENV || 'development'}.env`;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4832b386a6d5553f — Filesystem access.

repo/sample/25-dynamic-modules/src/config/config.service.ts:15

    this.envConfig = dotenv.parse(fs.readFileSync(envFile));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8ebf1b6f506c8ebe — Environment-variable access.

repo/sample/26-queues/src/app.module.ts:10

        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a5e2f67dcec2c06 — Environment-variable access.

repo/sample/26-queues/src/app.module.ts:11

        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1617343ae084847a — Filesystem access.

repo/sample/28-sse/src/app.controller.ts:3

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #583a09cad6855e5d — Filesystem access.

repo/sample/28-sse/src/app.controller.ts:14

      .send(readFileSync(join(__dirname, 'index.html')).toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db0811ed11d2a582 — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:3

import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #380e81efee3acb97 — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:28

        file: readFileSync('./package.json').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #308e6d0a414efce6 — Filesystem access.

repo/sample/29-file-upload/e2e/app/app.e2e-spec.ts:42

        file: readFileSync('./resources/nestjs.jpg').toString(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07061beb76c4e742 — Environment-variable access.

repo/sample/36-hmr-esm/src/main.ts:11

  await app.listen(process.env.PORT ?? 3000);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c1fa3d1eb370b52 — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:5

const url = process.env.RABBITMQ_URL || 'amqp://localhost:5672';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22138ff94c121097 — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:12

  process.env.RABBITMQ_WAIT_TIMEOUT_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fda940591c0fb5c — Environment-variable access.

repo/scripts/wait-for-rabbitmq.js:16

  process.env.RABBITMQ_WAIT_INTERVAL_MS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21ba88dde9757dbc — Filesystem access.

repo/tools/gulp/util/task-helpers.ts:1

import { readdirSync, statSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

coveralls

npm dependency

high pii_flow dependency Excluded from app score #bb508f492a34ab8f — User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:19 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/[email protected]/lib/sendToCoveralls.js:9 → /tmp/closeopen-pb9mt26s/pkgs/npm/[email protected]/lib/sendToCoveralls.js:19

    request.post({
      url,
      form: {
        json: str
      }
    }, (err, response, body) => {
      cb(err, response, body);
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 114 low-confidence finding(s)

low env_fs dependency Excluded from app score #395c549a2ffc07fd — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #395c549a2ffc07fd — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #989b7e871e679e6c — Filesystem access.

pkgs/npm/[email protected]/lib/convertLcovToCoveralls.js:33

  const source = fs.readFileSync(filepath, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #240dedf7c48410b4 — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #240dedf7c48410b4 — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0df074d6ef1bb6c6 — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:26

  const head = fs.readFileSync(path.join(dir, '.git', 'HEAD'), 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #554f363c4212d28f — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:43

    return fs.readFileSync(ref, 'utf-8').trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99f78100c9384286 — Filesystem access.

pkgs/npm/[email protected]/lib/detectLocalGit.js:49

  const packedRefsText = fs.readFileSync(packedRefs, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #286b24afa14bdf15 — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #286b24afa14bdf15 — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:3

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1c14032502d7b6f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:13

  let git_commit = process.env.COVERALLS_GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b88b23ff78921724 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:14

  let git_branch = process.env.COVERALLS_GIT_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fd4ab4f268776b5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:19

  const match = (process.env.CI_PULL_REQUEST || '').match(/(\d+)$/);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac964e7ebb6b8a63 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:25

  if (process.env.TRAVIS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a831f58f81bbe1b9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:27

    options.service_number = process.env.TRAVIS_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c0e5b166076f4b5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:28

    options.service_job_id = process.env.TRAVIS_JOB_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4fc9af2abc1fcd3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:29

    options.service_pull_request = process.env.TRAVIS_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f53261fe748bdc9a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:31

    git_branch = process.env.TRAVIS_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1dcd02adb72f9f4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:34

  if (process.env.DRONE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b69fce38e95529b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:36

    options.service_job_id = process.env.DRONE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d71e49ba19db723d — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:37

    options.service_pull_request = process.env.DRONE_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c389e33974b6cc5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:38

    git_committer_name = process.env.DRONE_COMMIT_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56318cff77a82616 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:39

    git_committer_email = process.env.DRONE_COMMIT_AUTHOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d098787e23e891e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:40

    git_commit = process.env.DRONE_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c37ec82d82248b38 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:41

    git_branch = process.env.DRONE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e70764093560721 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:42

    git_message = process.env.DRONE_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b6a55e3a6ce31c8 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:45

  if (process.env.JENKINS_URL || process.env.JENKINS_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b6a55e3a6ce31c8 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:45

  if (process.env.JENKINS_URL || process.env.JENKINS_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d26ec52aae05d7fc — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:47

    options.service_job_id = process.env.BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4b2d7450a81ce0c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:48

    options.service_pull_request = process.env.CHANGE_ID || process.env.ghprbPullId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4b2d7450a81ce0c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:48

    options.service_pull_request = process.env.CHANGE_ID || process.env.ghprbPullId;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b43232519135a17c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:49

    git_committer_name = process.env.CHANGE_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d9f56d96c640b03 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:50

    git_committer_email = process.env.CHANGE_AUTHOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6a83b9f2995ce89 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:51

    git_commit = process.env.GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7d4b59358fce39 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7d4b59358fce39 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7d4b59358fce39 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:52

    git_branch = process.env.CHANGE_BRANCH || process.env.GIT_BRANCH || process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52106114db835190 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:55

  if (process.env.CIRCLECI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3f704f9225bb469 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:57

    options.service_number = process.env.CIRCLE_WORKFLOW_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a5b7d8b59e9fde8 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:58

    options.service_job_number = process.env.CIRCLE_BUILD_NUM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec57ad56e4f6bccd — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:60

    if (process.env.CI_PULL_REQUEST) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef6a9f219caf3ff4 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:61

      const pr = process.env.CI_PULL_REQUEST.split('/pull/');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34d1d1038e34557c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:65

    git_commit = process.env.CIRCLE_SHA1;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #700c08d2d9a7de24 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:66

    git_branch = process.env.CIRCLE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88e6661ce16783d2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:69

  if (process.env.CI_NAME && process.env.CI_NAME === 'codeship') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88e6661ce16783d2 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:69

  if (process.env.CI_NAME && process.env.CI_NAME === 'codeship') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55f7601da369cb59 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:71

    options.service_job_id = process.env.CI_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #615f1dba8e9de017 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:72

    git_commit = process.env.CI_COMMIT_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ceaf6453bbc0a1e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:73

    git_branch = process.env.CI_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75bfae11e83bbb1c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:74

    git_committer_name = process.env.CI_COMMITTER_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72314bf3d710a217 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:75

    git_committer_email = process.env.CI_COMMITTER_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e02a97784cde79a1 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:76

    git_message = process.env.CI_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48dd703d125a2337 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:79

  if (process.env.WERCKER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0855b702fc2a0893 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:81

    options.service_job_id = process.env.WERCKER_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #194af27fa408bdf0 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:82

    git_commit = process.env.WERCKER_GIT_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4bfbe79138ebaae — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:83

    git_branch = process.env.WERCKER_GIT_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d337023d5aa39eb1 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:86

  if (process.env.GITLAB_CI) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #983b9c9588df1480 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:88

    options.service_job_number = process.env.CI_BUILD_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad9990087f0a8fe3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:89

    options.service_job_id = process.env.CI_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df05dd99665c3692 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:90

    options.service_pull_request = process.env.CI_MERGE_REQUEST_IID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #644a9839c720b963 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:91

    git_commit = process.env.CI_BUILD_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abb7e5ed9a0f1b34 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:92

    git_branch = process.env.CI_BUILD_REF_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05d023a6c19c7080 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:95

  if (process.env.APPVEYOR) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #547748276afff62a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:97

    options.service_job_number = process.env.APPVEYOR_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #847f86833570b006 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:98

    options.service_job_id = process.env.APPVEYOR_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4549a6d0376e5444 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:99

    git_commit = process.env.APPVEYOR_REPO_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7e08cfcf258f071 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:100

    git_branch = process.env.APPVEYOR_REPO_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99e5332106b79a9e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:103

  if (process.env.SURF_SHA1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56afd88bd5dd3f00 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:105

    git_commit = process.env.SURF_SHA1;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8d47a2bd67cae72 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:106

    git_branch = process.env.SURF_REF;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2a998b1e4b51ae0 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:109

  if (process.env.BUILDKITE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d48b55d72362fa6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:111

    options.service_job_number = process.env.BUILDKITE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea47ff2f7c9ac5a6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:112

    options.service_job_id = process.env.BUILDKITE_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ceb403841fb80e5 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:113

    options.service_pull_request = process.env.BUILDKITE_PULL_REQUEST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #229fda78107317c9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:114

    git_commit = process.env.BUILDKITE_COMMIT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5390b30807ad82d — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:115

    git_branch = process.env.BUILDKITE_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5231675d52f3526b — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:116

    git_committer_name = process.env.BUILDKITE_BUILD_CREATOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9992abd57f7af5c — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:117

    git_committer_email = process.env.BUILDKITE_BUILD_CREATOR_EMAIL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95cda9d0332187e1 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:118

    git_message = process.env.BUILDKITE_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca8504f10f783bb — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:121

  if (process.env.SEMAPHORE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f4d321a40bd46bc — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:123

    options.service_job_id = process.env.SEMAPHORE_BUILD_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b132afaa3b6c4c67 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:124

    git_commit = process.env.REVISION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #251b0731239e5af6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:125

    git_branch = process.env.BRANCH_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6e12d89cc3fcc62 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:128

  if (process.env.TF_BUILD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78ea2b9f005042b1 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:130

    options.service_job_id = process.env.BUILD_BUILDID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6de2c68efdfbc9a6 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:131

    options.service_pull_request = process.env.SYSTEM_PULLREQUEST_PULLREQUESTNUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e762a55a326c5eda — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:132

    git_commit = process.env.BUILD_SOURCEVERSION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1653d2f97396684 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:133

    git_branch = process.env.BUILD_SOURCEBRANCHNAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #763ef7e5e09e9a19 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:136

  if (process.env.CF_BRANCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5b006cca2c3f328 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:138

    options.service_job_id = process.env.CF_BUILD_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07554937d6001bcb — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:139

    options.service_pull_request = process.env.CF_PULL_REQUEST_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #847df22154e8673e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:140

    git_commit = process.env.CF_REVISION;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8effaaefb8d6e93 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:141

    git_branch = process.env.CF_BRANCH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8db42ed4908e5395 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:142

    git_committer_name = process.env.CF_COMMIT_AUTHOR;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdc3750f07b66903 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:143

    git_message = process.env.CF_COMMIT_MESSAGE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6efd06e67bc599e — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:146

  options.run_at = process.env.COVERALLS_RUN_AT || JSON.stringify(new Date()).slice(1, -1);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1b516063a08488f — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:148

  if (process.env.COVERALLS_SERVICE_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #032df58ed4c783fb — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:149

    options.service_number = process.env.COVERALLS_SERVICE_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fb20157c8858ad3 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:152

  if (process.env.COVERALLS_SERVICE_JOB_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eed48269f58cb406 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:153

    options.service_job_number = process.env.COVERALLS_SERVICE_JOB_NUMBER;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1239582946fc561 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:156

  if (process.env.COVERALLS_SERVICE_JOB_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ffb475299ab580d — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:157

    options.service_job_id = process.env.COVERALLS_SERVICE_JOB_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc3e16d878873316 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:168

  if (process.env.COVERALLS_PARALLEL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f76d1dcf8d48e3ea — Filesystem access.

pkgs/npm/[email protected]/lib/getOptions.js:177

        return yaml.safeLoad(fs.readFileSync(yml, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b112516c6e7ac670 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:196

  if (process.env.COVERALLS_REPO_TOKEN) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7343377db09e3c3a — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:197

    options.repo_token = process.env.COVERALLS_REPO_TOKEN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ff3796620ba5ef9 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:206

  if (process.env.COVERALLS_SERVICE_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9542e5f640ce998 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:207

    options.service_name = process.env.COVERALLS_SERVICE_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #293e23405ca82098 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:210

  if (process.env.COVERALLS_FLAG_NAME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #363edba63bbd7c51 — Environment-variable access.

pkgs/npm/[email protected]/lib/getOptions.js:211

    options.flag_name = process.env.COVERALLS_FLAG_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c66a853d1ebad3ed — Environment-variable access.

pkgs/npm/[email protected]/lib/logger.js:9

  if (index.options.verbose || process.env.NODE_COVERALLS_DEBUG === 1 || process.env.NODE_COVERALLS_DEBUG === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c66a853d1ebad3ed — Environment-variable access.

pkgs/npm/[email protected]/lib/logger.js:9

  if (index.options.verbose || process.env.NODE_COVERALLS_DEBUG === 1 || process.env.NODE_COVERALLS_DEBUG === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1953c10704941476 — Environment-variable access.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:8

  if (process.env.COVERALLS_ENDPOINT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41e25110f4a4dce0 — Environment-variable access.

pkgs/npm/[email protected]/lib/sendToCoveralls.js:9

    urlBase = process.env.COVERALLS_ENDPOINT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nats

npm dependency

high pii_flow tooling Excluded from app score unknown #92fec4adbcc74b9c — User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.

pkgs/npm/[email protected]/examples/nats-req.js:79 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/[email protected]/examples/nats-req.js:40 → /tmp/closeopen-pb9mt26s/pkgs/npm/[email protected]/examples/nats-req.js:79

    await nc.request(
      subject,
      sc.encode(payload),
      { timeout: argv.t, headers: hdrs },
    )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 15 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #d6ffb1c9f15aec70 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d6ffb1c9f15aec70 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c88d3bfe8d6fcef8 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-pub.js:38

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b13324ff369fae71 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b13324ff369fae71 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #153e839fb9ce36b5 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-rep.js:34

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #245544ab1d3b4187 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #245544ab1d3b4187 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:6

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6d70063fe32fb645 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-req.js:40

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e2ee5d1f79f739f5 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e2ee5d1f79f739f5 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:5

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c72d8363c02a1254 — Filesystem access.

pkgs/npm/[email protected]/examples/nats-sub.js:32

  const data = fs.readFileSync(argv.creds);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81c0e5545e5b31a3 — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:46

const { readFile, existsSync } = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81c0e5545e5b31a3 — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:46

const { readFile, existsSync } = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cf97758a86e001d — Filesystem access.

pkgs/npm/[email protected]/lib/src/node_transport.js:174

            readFile(fn, (err, data) => {
                if (err) {
                    return d.reject(err);
                }
                d.resolve(data);
            });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@fastify/static

npm dependency

medium pii_flow dependency Excluded from app score #b735ccd846d525ec — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:33 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:33

  console.log(`benchmark server listening on http://127.0.0.1:${port}`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #61ab46f9401effcb — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:36 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:36

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/static/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #a1363e50b6ecf8d9 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:37 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:37

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/app/1.2.3/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #3ab5b2488875013d — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/example/server-benchmark.js:38 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:8 → /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/example/server-benchmark.js:38

  console.log(`  npx autocannon -c 100 -d 10 http://127.0.0.1:${port}/nested/public/index.css`)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #ab8d0dcacdb8ebcf — Environment-variable access.

pkgs/npm/@[email protected]/example/server-benchmark.js:5

const fastifyStatic = require(process.env.PLUGIN_PATH || '../')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3aaa9a8b20d50363 — Environment-variable access.

pkgs/npm/@[email protected]/example/server-benchmark.js:8

const port = Number(process.env.PORT || 3000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

graphql

npm dependency

medium telemetry dependency Excluded from app score #5eb75248e7f4c474 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.js:284

                        info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ff9d2bbbe439eba0 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.js:293

            info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #5d4025da3b786da6 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.mjs:268

                        info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #797b6ff31d4b8b07 — Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.

pkgs/npm/[email protected]/execution/execute.mjs:277

            info.getAsyncHelpers().track(promisedIsTypeOfResults);

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

@apollo/server

npm dependency

medium pii_flow dependency Excluded from app score #827b9855fc8ef012 — PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184 · flow /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132 → /tmp/closeopen-pb9mt26s/pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:184

          logger.info(
            'Apollo schema reporting: reporting a new schema to Studio! See your graph at ' +
              `https://studio.apollographql.com/graph/${encodeURI(
                graphRef,
              )}/ with server info ${JSON.stringify(schemaReport)}`,
          );

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)

low env_fs dependency Excluded from app score #48a72ec047fcf5ab — Environment-variable access.

pkgs/npm/@[email protected]/src/ApolloServer.ts:218

    const nodeEnv = config.nodeEnv ?? process.env.NODE_ENV ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #930effef1499203e — Environment-variable access.

pkgs/npm/@[email protected]/src/ApolloServer.ts:974

      const enabledViaEnvVar = process.env.APOLLO_SCHEMA_REPORTING === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e28c348d5b7a548e — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:132

        platform: process.env.APOLLO_SERVER_PLATFORM || 'local',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c9f8b68efe26031 — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:136

        userVersion: process.env.APOLLO_SERVER_USER_VERSION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bea8470deca1f1f8 — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:139

          process.env.APOLLO_SERVER_ID || process.env.HOSTNAME || os.hostname(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bea8470deca1f1f8 — Environment-variable access.

pkgs/npm/@[email protected]/src/plugin/schemaReporting/index.ts:139

          process.env.APOLLO_SERVER_ID || process.env.HOSTNAME || os.hostname(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e879de3d0e3a16a7 — Environment-variable access.

pkgs/npm/@[email protected]/src/standalone/index.ts:76

        if (process.env.NODE_ENV !== 'test') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@commitlint/cli

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #b200cd33d5188aa7 — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:357

        return process.env[flags.env];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #284daf1ee31dfac8 — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:379

            return process.env.GIT_PARAMS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28d0a631246b4209 — Environment-variable access.

pkgs/npm/@[email protected]/lib/cli.js:382

            return process.env.HUSKY_GIT_PARAMS;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@eslint/eslintrc

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #a3f48b3a3d88a3be — Filesystem access.

pkgs/npm/@[email protected]/lib/config-array-factory.js:154

    return fs.readFileSync(filePath, "utf8").replace(/^\ufeff/u, "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@fastify/view

npm dependency

expand_more 4 low-confidence finding(s)

low env_fs dependency Excluded from app score #cc2b15a718b9cd7a — Environment-variable access.

pkgs/npm/@[email protected]/benchmark/express.js:3

process.env.NODE_ENV = 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5e2009109a0652b — Environment-variable access.

pkgs/npm/@[email protected]/benchmark/setup.js:3

process.env.NODE_ENV = 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fceadc47e5ebede3 — Environment-variable access.

pkgs/npm/@[email protected]/index.js:41

  const prod = typeof opts.production === 'boolean' ? opts.production : process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56243778068877a7 — Filesystem access.

pkgs/npm/@[email protected]/index.js:52

      const promise = readFile(filePath, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@grpc/grpc-js

npm dependency

expand_more 19 low-confidence finding(s)

low env_fs dependency Excluded from app score #2bd9b3b4c8820b73 — Filesystem access.

pkgs/npm/@[email protected]/src/certificate-provider.ts:18

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c45a162d3001b5b8 — Environment-variable access.

pkgs/npm/@[email protected]/src/environment.ts:19

  (process.env.GRPC_NODE_USE_ALTERNATIVE_RESOLVER ?? 'false') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9840cb18f2b812f4 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:51

  if (process.env.grpc_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fdf559306e6f668 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:53

    proxyEnv = process.env.grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #007b2a86b3f5f8c5 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:54

  } else if (process.env.https_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de1d535230196c84 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:56

    proxyEnv = process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b2d0c525ae95d7d — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:57

  } else if (process.env.http_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea40d0190d72ee13 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:59

    proxyEnv = process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ab75162f40c9730 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:108

  let noProxyStr: string | undefined = process.env.no_grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8896c9238b806b9 — Environment-variable access.

pkgs/npm/@[email protected]/src/http_proxy.ts:111

    noProxyStr = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40ed9de678d3bc50 — Environment-variable access.

pkgs/npm/@[email protected]/src/load-balancer-outlier-detection.ts:57

  (process.env.GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION ?? 'true') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44f962a60fa9158d — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:39

  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44f962a60fa9158d — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:39

  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12e2c221586b5b8b — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:97

  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12e2c221586b5b8b — Environment-variable access.

pkgs/npm/@[email protected]/src/logging.ts:97

  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4f96b15a323dcec — Filesystem access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:18

import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66dc5d4ce0a83c57 — Environment-variable access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:21

  process.env.GRPC_SSL_CIPHER_SUITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6706a5a07dd044e8 — Environment-variable access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:23

const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0be5ae1d4d5431bf — Filesystem access.

pkgs/npm/@[email protected]/src/tls-helpers.ts:30

      defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/gulp

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #22125f8ba08cafe3 — Filesystem access.

pkgs/npm/@[email protected]/index.d.ts:2

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

amqplib

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #8098f57cf5f23ea8 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:38

  cert: fs.readFileSync('../etc/client/cert.pem'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #69e56ae531de0786 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:39

  key: fs.readFileSync('../etc/client/key.pem'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c875c88b1312a467 — Filesystem access.

pkgs/npm/[email protected]/examples/ssl.js:43

  ca: [fs.readFileSync('../etc/testca/cacert.pem')],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chai

npm dependency

expand_more 8 low-confidence finding(s)

low env_fs dependency Excluded from app score #1169c3db11b4e386 — Environment-variable access.

pkgs/npm/[email protected]/karma.conf.js:26

  switch (process.env.CHAI_TEST_ENV) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4f9405277323398 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:11

    auth.SAUCE_USERNAME = process.env.SAUCE_USERNAME || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce37ea63d898b924 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:12

    auth.SAUCE_ACCESS_KEY = process.env.SAUCE_ACCESS_KEY || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02cb0145e66f458b — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:16

  if (process.env.SKIP_SAUCE) return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbe49bf040efa8b7 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:18

  var branch = process.env.TRAVIS_BRANCH || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51b183c8a5fedde6 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:22

  var tunnel = process.env.TRAVIS_JOB_NUMBER || ts;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #852f6ab7635a1f35 — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:24

  if (process.env.TRAVIS_JOB_NUMBER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bda3620e2fa266f — Environment-variable access.

pkgs/npm/[email protected]/karma.sauce.js:25

    tags.push('travis@' + process.env.TRAVIS_JOB_NUMBER);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

delete-empty

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #d203e0c88274811b — Filesystem access.

pkgs/npm/[email protected]/index.js:9

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d203e0c88274811b — Filesystem access.

pkgs/npm/[email protected]/index.js:9

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency

expand_more 13 low-confidence finding(s)

low env_fs dependency Excluded from app score #54281e8e3fa75870 — Filesystem access.

pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129

			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9acde9f101838fc2 — Filesystem access.

pkgs/npm/[email protected]/lib/cli.js:133

			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #407ceef8d9f11111 — Filesystem access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281

		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa258b1f6322d347 — Environment-variable access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326

	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a81c1e07d3710962 — Environment-variable access.

pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330

	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8a2b2e7d3f3cc0a — Filesystem access.

pkgs/npm/[email protected]/lib/eslint/eslint.js:802

					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bb57335c7781a84 — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:44

const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a26f2c8edd93c02 — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:56

	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4287b1dff9b53e3a — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:60

	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #977c80b677698d26 — Environment-variable access.

pkgs/npm/[email protected]/lib/linter/timing.js:64

	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f79f928a8a694b7 — Filesystem access.

pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697

				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96d20e4f471867a9 — Filesystem access.

pkgs/npm/[email protected]/lib/services/suppressions-service.js:217

			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9040a0459e93601f — Filesystem access.

pkgs/npm/[email protected]/lib/services/suppressions-service.js:240

		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint-config-prettier

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #880134d7c0eb1769 — Environment-variable access.

pkgs/npm/[email protected]/bin/cli.js:45

      switch (process.env.ESLINT_USE_FLAT_CONFIG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74ea64a75b75293f — Environment-variable access.

pkgs/npm/[email protected]/index.js:3

const includeDeprecated = !process.env.ESLINT_CONFIG_PRETTIER_NO_DEPRECATED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #a9d330d51c0f6c91 — Environment-variable access.

pkgs/npm/[email protected]/lib/application.js:91

  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fastify

npm dependency

expand_more 6 low-confidence finding(s)

low env_fs tooling Excluded from app score unknown #30680fbd929b30c4 — Filesystem access.

pkgs/npm/[email protected]/examples/http2.js:8

    key: fs.readFileSync(path.join(__dirname, '../test/https/fastify.key')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ecae76fdbf8735d3 — Filesystem access.

pkgs/npm/[email protected]/examples/http2.js:9

    cert: fs.readFileSync(path.join(__dirname, '../test/https/fastify.cert'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #12ba71623a30c323 — Filesystem access.

pkgs/npm/[email protected]/examples/https.js:7

    key: fs.readFileSync(path.join(__dirname, '../test/https/fastify.key')),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #798c43a3b6eb2804 — Filesystem access.

pkgs/npm/[email protected]/examples/https.js:8

    cert: fs.readFileSync(path.join(__dirname, '../test/https/fastify.cert'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2ed6971531b4a1fb — Environment-variable access.

pkgs/npm/[email protected]/scripts/validate-ecosystem-links.js:23

  return process.env.GITHUB_TOKEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5121209a9159b839 — Filesystem access.

pkgs/npm/[email protected]/scripts/validate-ecosystem-links.js:99

  const content = fs.readFileSync(ECOSYSTEM_FILE, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-clean

npm dependency

expand_more 5 low-confidence finding(s)

low env_fs dependency Excluded from app score #7a75dc4b9997ed9b — Filesystem access.

pkgs/npm/[email protected]/test.js:3

var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a75dc4b9997ed9b — Filesystem access.

pkgs/npm/[email protected]/test.js:3

var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d959312154857d5 — Filesystem access.

pkgs/npm/[email protected]/test.js:24

          fs.writeFile('tmp/tree/leaf/node/leaf.js', 'console.log("leaf")', function () {
            fs.mkdir('tmp/tree/leftleaf', function () {
              fs.writeFile('tmp/tree/leftleaf/leaf1.js', 'console.log("leaf")', function () {
                callback();
              });
            });
          });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44553199f048c771 — Filesystem access.

pkgs/npm/[email protected]/test.js:26

              fs.writeFile('tmp/tree/leftleaf/leaf1.js', 'console.log("leaf")', function () {
                callback();
              });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b8ee4ac894fd4d2 — Filesystem access.

pkgs/npm/[email protected]/test.js:39

    fs.writeFile('tmp/test.js', content, function () {
      stream.on('data', noop);
      stream.on('end', function () {
        fs.exists('tmp/test.js', function (exists) {
          expect(exists).to.be.false;
          done();
        });
      });

      stream.write(new utils.File({
        cwd: cwd,
        base: cwd + '/tmp/',
        path: cwd + '/tmp/test.js',
        contents: new Buffer(content)
      }));

      stream.end();
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-sourcemaps

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #ab473b8a9658170a — Filesystem access.

pkgs/npm/[email protected]/src/init/index.internals.js:65

              sourceContent = stripBom(fs.readFileSync(absPath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8411560cbde5b693 — Filesystem access.

pkgs/npm/[email protected]/src/init/index.internals.js:120

      sources.map = JSON.parse(stripBom(fs.readFileSync(mapFile, 'utf8')));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8ae4df5780f49ac — Filesystem access.

pkgs/npm/[email protected]/src/write/index.internals.js:82

            sourceMap.sourcesContent[i] = stripBom(fs.readFileSync(sourcePath, 'utf8'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gulp-typescript

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #d484b3f40df09d28 — Filesystem access.

pkgs/npm/[email protected]/release/host.js:20

            return this.fallback.readFile(fileName);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

husky

npm dependency

expand_more 9 low-confidence finding(s)

low env_fs dependency Excluded from app score #880823c417e4f62a — Filesystem access.

pkgs/npm/[email protected]/bin.js:2

import f, { writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7ec7e32d62f15c0 — Filesystem access.

pkgs/npm/[email protected]/bin.js:12

	s = f.readFileSync(n)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7a89c0c5bde5e56 — Filesystem access.

pkgs/npm/[email protected]/bin.js:15

	w(n, JSON.stringify(o, 0, /\t/.test(s) ? '\t' : 2) + '\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a15d2001f825796 — Filesystem access.

pkgs/npm/[email protected]/bin.js:18

	w('.husky/pre-commit', (p.env.npm_config_user_agent?.split('/')[0] ?? 'npm') + ' test\n')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #928244d7cc8e0894 — Filesystem access.

pkgs/npm/[email protected]/index.js:2

import f, { readdir, writeFileSync as w } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #809b336ffd63e8b9 — Environment-variable access.

pkgs/npm/[email protected]/index.js:9

	if (process.env.HUSKY === '0') return 'HUSKY=0 skip install'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77635b5c684ddc63 — Filesystem access.

pkgs/npm/[email protected]/index.js:20

	w(_('.gitignore'), '*')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f603d2deb3fc98c2 — Filesystem access.

pkgs/npm/[email protected]/index.js:22

	l.forEach(h => w(_(h), `#!/usr/bin/env sh\n. "\$(dirname "\$0")/h"`, { mode: 0o755 }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6406f5ee3981b102 — Filesystem access.

pkgs/npm/[email protected]/index.js:23

	w(_('husky.sh'), msg)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ioredis

npm dependency

expand_more 3 low-confidence finding(s)

low env_fs dependency Excluded from app score #1fbf313eca9a8af4 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:4

const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fbf313eca9a8af4 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:4

const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef00ded2be2642d2 — Filesystem access.

pkgs/npm/[email protected]/built/utils/index.js:362

        const data = await fs_1.promises.readFile(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

kafkajs

npm dependency

expand_more 5 low-confidence finding(s)

low env_fs dependency Excluded from app score #aad1d3565fc2fd27 — Environment-variable access.

pkgs/npm/[email protected]/src/env.js:2

  KAFKAJS_DEBUG_PROTOCOL_BUFFERS: process.env.KAFKAJS_DEBUG_PROTOCOL_BUFFERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78fe41996b8fa08d — Environment-variable access.

pkgs/npm/[email protected]/src/env.js:3

  KAFKAJS_DEBUG_EXTENDED_PROTOCOL_BUFFERS: process.env.KAFKAJS_DEBUG_EXTENDED_PROTOCOL_BUFFERS,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f98a43a5a8ee6b91 — Environment-variable access.

pkgs/npm/[email protected]/src/index.js:26

  if (process.env.KAFKAJS_NO_PARTITIONER_WARNING == null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8483f3bc4b80b9e7 — Environment-variable access.

pkgs/npm/[email protected]/src/loggers/index.js:32

  const envLogLevel = (process.env.KAFKAJS_LOG_LEVEL || '').toUpperCase()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fd3f72c085f9f27 — Environment-variable access.

pkgs/npm/[email protected]/src/retry/index.js:3

const isTestMode = process.env.NODE_ENV === 'test'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lerna-changelog

npm dependency

expand_more 8 low-confidence finding(s)

low env_fs dependency Excluded from app score #aa240d026646897c — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:4

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa240d026646897c — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:4

const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89a26a08f503cfba — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:66

        return JSON.parse(fs.readFileSync(lernaPath)).changelog;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6269d2e1bda000d — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:72

        return JSON.parse(fs.readFileSync(pkgPath)).changelog;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #878cb733deee0121 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:80

    const pkg = JSON.parse(fs.readFileSync(pkgPath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79a5c0c22e41953d — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:89

    const pkg = fs.existsSync(pkgPath) ? JSON.parse(fs.readFileSync(pkgPath)) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30e30ef833624896 — Filesystem access.

pkgs/npm/[email protected]/lib/configuration.js:90

    const lerna = fs.existsSync(lernaPath) ? JSON.parse(fs.readFileSync(lernaPath)) : {};

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e051341d73dcb7a — Environment-variable access.

pkgs/npm/[email protected]/lib/github-api.js:52

        return process.env.GITHUB_AUTH || "";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

lint-staged

npm dependency

expand_more 20 low-confidence finding(s)

low env_fs dependency Excluded from app score #9133c53a25fa0e15 — Filesystem access.

pkgs/npm/[email protected]/lib/cli.js:205

  const packageJsonFile = await readFile(path.join(dirname, '../package.json'), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b340ee5d9f1164a — Filesystem access.

pkgs/npm/[email protected]/lib/file.js:16

    return await fs.readFile(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d74147379e21593c — Filesystem access.

pkgs/npm/[email protected]/lib/file.js:52

  await fs.writeFile(filename, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a394688d81b73a60 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:145

      readFile(this.mergeHeadFilename).then((buffer) => (this.mergeHeadBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cbbd601db3a07ce — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:146

      readFile(this.mergeModeFilename).then((buffer) => (this.mergeModeBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03492f64e6cd8079 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:147

      readFile(this.mergeMsgFilename).then((buffer) => (this.mergeMsgBuffer = buffer)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eae95da70d52ea4 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:159

        this.mergeHeadBuffer && writeFile(this.mergeHeadFilename, this.mergeHeadBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12a841e3336b5469 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:160

        this.mergeModeBuffer && writeFile(this.mergeModeFilename, this.mergeModeBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e84e697743089fc3 — Filesystem access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:161

        this.mergeMsgBuffer && writeFile(this.mergeMsgFilename, this.mergeMsgBuffer),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f9e4d92d6256702 — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:311

    const activeIndexFile = process.env.GIT_INDEX_FILE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57477212bd20a676 — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:312

      ? normalizePath(process.env.GIT_INDEX_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10e456e8f1b90d92 — Environment-variable access.

pkgs/npm/[email protected]/lib/gitWorkflow.js:313

      : process.env.GIT_INDEX_FILE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #def8d871d43c6aa5 — Environment-variable access.

pkgs/npm/[email protected]/lib/index.js:150

  debugLog('Unset GIT_LITERAL_PATHSPECS (was `%s`)', process.env.GIT_LITERAL_PATHSPECS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f565e9be022c472 — Environment-variable access.

pkgs/npm/[email protected]/lib/index.js:151

  delete process.env.GIT_LITERAL_PATHSPECS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #781de3550e1e7957 — Filesystem access.

pkgs/npm/[email protected]/lib/loadConfig.js:14

const readFile = async (filename) => fs.readFile(path.resolve(filename), 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a98b2a7c0c7b6e4e — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:42

    debugLog('Unset GIT_DIR (was `%s`)', process.env.GIT_DIR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83ae5868fccacc7c — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:43

    delete process.env.GIT_DIR

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b447197f0bc62b98 — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:44

    debugLog('Unset GIT_WORK_TREE (was `%s`)', process.env.GIT_WORK_TREE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d24cef3d1504346f — Environment-variable access.

pkgs/npm/[email protected]/lib/resolveGitRepo.js:45

    delete process.env.GIT_WORK_TREE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #205a58b4af51fc04 — Filesystem access.

pkgs/npm/[email protected]/lib/version.js:4

  const packageJson = JSON.parse(await fs.readFile(new URL('../package.json', import.meta.url)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency

expand_more 13 low-confidence finding(s)

low env_fs dependency Excluded from app score #192e9decae9d8883 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/config.js:39

    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcf1d75af9499f9f — Filesystem access.

pkgs/npm/[email protected]/lib/cli/config.js:55

      require("strip-json-comments")(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9659df5cddceab70 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:27

  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d23e9c2a59920beb — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:28

  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55c82995b834b036 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:29

  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1bc26654b13b48b — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:32

  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab5e274d243f3305 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:33

  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9323c211c0d4ebe — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:34

  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10c2e59002c287d9 — Filesystem access.

pkgs/npm/[email protected]/lib/cli/init.js:35

  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b077517c6dbdec4a — Filesystem access.

pkgs/npm/[email protected]/lib/cli/options.js:240

      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a18c5c143a3275f9 — Environment-variable access.

pkgs/npm/[email protected]/lib/cli/options.js:302

  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31abe8d34b450da5 — Environment-variable access.

pkgs/npm/[email protected]/lib/reporters/base.js:58

  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be2253c2a690214f — Filesystem access.

pkgs/npm/[email protected]/lib/reporters/json.js:90

        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongoose

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #be08ef4870499c76 — Environment-variable access.

pkgs/npm/[email protected]/lib/helpers/printJestWarning.js:5

if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #6f74874bb3ef45e2 — Filesystem access.

pkgs/npm/[email protected]/storage/disk.js:1

var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f74874bb3ef45e2 — Filesystem access.

pkgs/npm/[email protected]/storage/disk.js:1

var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #df8424f1e86fc008 — Environment-variable access.

pkgs/npm/[email protected]/lib/packets/index.js:60

  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nyc

npm dependency

expand_more 31 low-confidence finding(s)

low env_fs dependency Excluded from app score #1e28fea8faadc6a8 — Filesystem access.

pkgs/npm/[email protected]/bin/nyc.js:10

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e28fea8faadc6a8 — Filesystem access.

pkgs/npm/[email protected]/bin/nyc.js:10

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6af43ef7740c0a2 — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:53

    env.BABEL_DISABLE_CACHE = process.env.BABEL_DISABLE_CACHE = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3412299e8b187465 — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:81

    env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3412299e8b187465 — Environment-variable access.

pkgs/npm/[email protected]/bin/nyc.js:81

    env.SPAWN_WRAP_SHIM_ROOT = process.env.SPAWN_WRAP_SHIM_ROOT || process.env.XDG_CACHE_HOME || require('os').homedir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eac2673547608a21 — Filesystem access.

pkgs/npm/[email protected]/index.js:190

        const source = await fs.readFile(filename, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1108c6b5e500119f — Filesystem access.

pkgs/npm/[email protected]/index.js:218

      const inCode = await fs.readFile(inFile, 'utf-8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c323177126bb322 — Filesystem access.

pkgs/npm/[email protected]/index.js:226

        await fs.writeFile(outFile, outCode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd6b850309ad882b — Environment-variable access.

pkgs/npm/[email protected]/index.js:353

    if (!process.env.NYC_CWD) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #529e2ffbd68bd44b — Environment-variable access.

pkgs/npm/[email protected]/index.js:375

    process.env.NYC_PROCESS_ID = this.processInfo.uuid

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63961c4e34c60c9e — Filesystem access.

pkgs/npm/[email protected]/index.js:409

    fs.writeFileSync(
      coverageFilename,
      JSON.stringify(coverage),
      'utf-8'
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18b7bbac8c1dedac — Filesystem access.

pkgs/npm/[email protected]/index.js:514

      const report = JSON.parse(await fs.readFile(path.resolve(baseDirectory, filename)), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a19d17f81780b53 — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/check-coverage.js:19

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ee7baf3312dd881 — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/merge.js:33

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2b1a3533d660090 — Filesystem access.

pkgs/npm/[email protected]/lib/commands/merge.js:44

  await fs.writeFile(argv.outputFile, JSON.stringify(map), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48d4538c9f45e9ce — Environment-variable access.

pkgs/npm/[email protected]/lib/commands/report.js:19

  process.env.NYC_CWD = process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a200463671c5dcb — Environment-variable access.

pkgs/npm/[email protected]/lib/config-util.js:12

  cwd = cwd || process.env.NYC_CWD || process.cwd()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38898237139d0ce7 — Filesystem access.

pkgs/npm/[email protected]/lib/fs-promises.js:3

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38898237139d0ce7 — Filesystem access.

pkgs/npm/[email protected]/lib/fs-promises.js:3

const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e682a013290d8412 — Environment-variable access.

pkgs/npm/[email protected]/lib/register-env.js:21

    envToCopy[env] = process.env[env]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a38aec61f93db6bb — Environment-variable access.

pkgs/npm/[email protected]/lib/register-env.js:26

  envToCopy[envName] = process.env[envName]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4a31e2336548113 — Filesystem access.

pkgs/npm/[email protected]/lib/source-maps.js:43

      fs.writeFileSync(mapPath, JSON.stringify(sourceMap))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57017f7798bb575f — Filesystem access.

pkgs/npm/[email protected]/lib/source-maps.js:68

            this.loadedMaps[hash] = JSON.parse(await fs.readFile(mapPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92a898f39f1eb10d — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:6

  process.env.NYC_CONFIG ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #506c492fa03d1990 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:15

  parent: process.env.NYC_PROCESS_ID || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c618ebdae977727 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:18

if (process.env.NYC_PROCESSINFO_EXTERNAL_ID) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80fd59856e2ed83d — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:19

  config._processInfo.externalId = process.env.NYC_PROCESSINFO_EXTERNAL_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7957aced6c9ef2b — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:20

  delete process.env.NYC_PROCESSINFO_EXTERNAL_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a9f38e943cb1703 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:23

if (process.env.NYC_CONFIG_OVERRIDE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f1e0321f0563683 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:24

  Object.assign(config, JSON.parse(process.env.NYC_CONFIG_OVERRIDE))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f567c8099f6b29f3 — Environment-variable access.

pkgs/npm/[email protected]/lib/wrap.js:25

  process.env.NYC_CONFIG = JSON.stringify(config)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prettier

npm dependency

expand_more 57 low-confidence finding(s)

low env_fs dependency Excluded from app score #a6df8e96db5c0d52 — Environment-variable access.

pkgs/npm/[email protected]/bin/prettier.cjs:66

if (process.env.PRETTIER_EXPERIMENTAL_CLI || index !== -1) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2764e431c8da39ab — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:10

import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28d5d2c906684881 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:15

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f56028fdb8060974 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:371

  return dist_default.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44a0bf21ca7fd184 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:516

import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb1c64523f2e1161 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:526

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93d467363f959f34 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:878

    string2 = fs2.readFileSync(path3.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #939bcebf2afaa636 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1878

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcecc1d34f879374 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1955

          const content = fs3.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19210f493daef7f4 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli-worker.mjs:1961

          return fs3.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b695cb0053e2f5d — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:54

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3031fe068873adf — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:96

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0626f9eb7b32a8d0 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:107

      const buffer2 = attempt(() => fs2.readFileSync(path18), Buffer2.alloc(0));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f674b71444357d06 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:116

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #585c134f5d622cfa — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:612

import fs4 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7150eb10ab71f47a — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:627

              const content = fs4.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d8864bc9a5a13dc — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:633

              return fs4.writeFileSync(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be5dea2ca69b2053 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2515

import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9193c380578f076 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2525

    string2 = fs5.readFileSync(path4.toNamespacedPath(jsonPath), "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4f1250cd7f5fa56 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:2743

import { statSync, realpathSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7a6232f87196a6e — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:3607

import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aba4cf4a22fc8a0c — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:4855

import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ed231589d685f70 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5794

import fs8 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8134c9b5f43733a — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5820

          const store = JSON.parse(fs8.readFileSync(this.storePath, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c04034ec1ea202d — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5835

          fs8.writeFileSync(this.storePath, store);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b93d17a082ca9e6 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:5850

          const content = fs8.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61177f547a5b3323 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6238

import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #313416452d184e9d — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6252

        return fs9.readFile(filePath, "utf8").then(parse_default2).catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0577062d6e392bad — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6582

import fs10 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8eda362e82584f12 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:6594

      return fs10.readFile(filePath, "utf8").catch(noop2);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0eb63e6066d84954 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10466

import fs11 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4d59dbf8a4edc3e — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10488

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f28f48d7b5c19854 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10493

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c6c6da4ebef1511 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10499

        const fileBuffer = fs11.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6d347177f2396c8 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10515

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa0a02bceac5de96 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:10521

        const fileContent = fs11.readFileSync(filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4829ab90f6eb8ab — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11366

import fs12 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62f407c0ec852eb7 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11559

import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbd117a7a7af380b — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:11567

  return dist_default36.retry.readFile(retryOptions)(filePath, options);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db3eabff4e9dc6b7 — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12330

import fs13 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eef0e69186ae7bc — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12395

  const ignoreManualFilesContents = await Promise.all(ignoreManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8").catch(() => "")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3597c71be18288a — Filesystem access.

pkgs/npm/[email protected]/internal/experimental-cli.mjs:12400

  const prettierManualFilesContents = await Promise.all(prettierManualFilesPaths.map((filePath) => fs13.readFile(filePath, "utf8")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e59076484f4c7a7 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1233

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #caed16502dab9baf — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1554

import fs9 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f589b1833266ef8 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1778

import fs4 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c17c9accc960c706 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1786

import fs3 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff17862828d28bb0 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1794

import fs2 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f19a2f4300173b3 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1888

    const data = await fs4.readFile(cacheFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8626eb378476d1b4 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1906

import fs7 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f56f766e68c74fdc — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1910

import fs6 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49d3d47e0fecfe37 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:1914

import fs5 from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fa4ab4050c6e0f6 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4302

      const data = fs5.readFileSync(pathToFile, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fc6a7aee5e54264 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4506

        fs5.writeFileSync(filePath, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c9fd1ca02744c76 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:4894

        const buffer = fs6.readFileSync(absolutePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd3578f763422a33 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5188

import fs8 from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aec9fdc092e3383 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5449

  writeFormattedFile: (file, data) => fs8.writeFile(file, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0403b5b664e7684 — Filesystem access.

pkgs/npm/[email protected]/internal/legacy-cli.mjs:5805

      input = await fs9.readFile(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

socket.io

npm dependency

expand_more 1 low-confidence finding(s)

low env_fs dependency Excluded from app score #a56a4cf6bb7fbe1e — Environment-variable access.

pkgs/npm/[email protected]/client-dist/socket.io.js:2955

        r = process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ts-node

npm dependency

expand_more 9 low-confidence finding(s)

low env_fs dependency Excluded from app score #ee978e2caae76e56 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee978e2caae76e56 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-cjs-loader.js:27

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a9561595a49fc05 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:39

const {
  realpathSync,
  statSync,
  Stats,
} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb2f738ef28de842 — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internal-modules-esm-resolve.js:43

} = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546dcaf21f1c893e — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546dcaf21f1c893e — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:1

const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6054d44f5fbe64a — Filesystem access.

pkgs/npm/[email protected]/dist-raw/node-internalBinding-fs.js:13

    string = fs.readFileSync(path, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58b46b960e8bdc36 — Environment-variable access.

pkgs/npm/[email protected]/dist-raw/node-options.js:48

  const envArgv = ParseNodeOptionsEnvVar(process.env.NODE_OPTIONS || '', errors);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31e19da1a3dc1253 — Environment-variable access.

pkgs/npm/[email protected]/dist-raw/node-options.js:99

  if(process.env.NODE_PENDING_DEPRECATION === '1') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tsconfig-paths

npm dependency

expand_more 12 low-confidence finding(s)

low env_fs dependency Excluded from app score #dc6ab1df2246ba8e — Environment-variable access.

pkgs/npm/[email protected]/lib/config-loader.js:30

        getEnv: function (key) { return process.env[key]; },

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2575ec8eef71c243 — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:4

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2575ec8eef71c243 — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:4

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96d306dde5cec300 — Filesystem access.

pkgs/npm/[email protected]/lib/filesystem.js:37

    fs.readFile(path, "utf8", function (err, result) {
        // If error, assume file did not exist
        if (err || !result) {
            return callback();
        }
        var json = JSON.parse(result);
        return callback(undefined, json);
    });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e2ae9238c967a87 — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:16

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e2ae9238c967a87 — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:16

var fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b27c9af9cb2ba70a — Filesystem access.

pkgs/npm/[email protected]/lib/tsconfig-loader.js:85

        return fs.readFileSync(filename, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #948b1bd2ebb483fc — Environment-variable access.

pkgs/npm/[email protected]/src/config-loader.ts:68

    getEnv: (key: string) => process.env[key],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cb3c0616f792bf5 — Filesystem access.

pkgs/npm/[email protected]/src/filesystem.ts:1

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50c38cb5b06d03e5 — Filesystem access.

pkgs/npm/[email protected]/src/filesystem.ts:68

  fs.readFile(path, "utf8", (err, result) => {
    // If error, assume file did not exist
    if (err || !result) {
      return callback();
    }
    const json = JSON.parse(result);
    return callback(undefined, json);
  });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc73ef2d46ca1491 — Filesystem access.

pkgs/npm/[email protected]/src/tsconfig-loader.ts:2

import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f742216beae2d852 — Filesystem access.

pkgs/npm/[email protected]/src/tsconfig-loader.ts:120

    fs.readFileSync(filename, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typeorm

npm dependency

expand_more 34 low-confidence finding(s)

low env_fs dependency Excluded from app score #c20afa5ac493c6d2 — Environment-variable access.

pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:3

if ((process.env["NODE_OPTIONS"] || "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a1d195b46c5ddcb — Environment-variable access.

pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:11

                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39bb236ac6962436 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/better-sqlite3/BetterSqlite3Driver.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3adce4c8c28bc68 — Environment-variable access.

pkgs/npm/[email protected]/browser/driver/oracle/OracleDriver.js:193

            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a67884d11229371c — Environment-variable access.

pkgs/npm/[email protected]/browser/driver/postgres/PostgresDriver.js:227

            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33cbdfa83aa7bfb1 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqlite/SqliteDriver.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa7d2a82ffc43d87 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:59

                    const database = PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4c6d853ec715220 — Filesystem access.

pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:126

                await PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fd9e7ad784dcc19 — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.d.ts:3

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cc7b876c93756f1 — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:3

import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09122725f516d03a — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:8

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #376c880df92fc93a — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:154

        return fs.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7f6523cf5f178db — Filesystem access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:160

        return fs.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e507fd321d17465b — Environment-variable access.

pkgs/npm/[email protected]/browser/platform/PlatformTools.js:174

        return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3510682897882f94 — Filesystem access.

pkgs/npm/[email protected]/browser/util/ImportUtils.js:1

import fs from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0f350623d568fee — Filesystem access.

pkgs/npm/[email protected]/browser/util/ImportUtils.js:71

                const parsedPackage = JSON.parse(await fs.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9128dfc3a13d3ad5 — Environment-variable access.

pkgs/npm/[email protected]/cli-ts-node-esm.js:5

if ((process.env["NODE_OPTIONS"] || "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #393d03fecbe49e92 — Environment-variable access.

pkgs/npm/[email protected]/cli-ts-node-esm.js:13

                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27c4cfc07cd1e3bc — Filesystem access.

pkgs/npm/[email protected]/commands/CommandUtils.js:64

        await promises_1.default.writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #271ec1ed53c414fa — Filesystem access.

pkgs/npm/[email protected]/commands/CommandUtils.js:70

        const file = await promises_1.default.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0430f177f07d63e2 — Filesystem access.

pkgs/npm/[email protected]/commands/InitCommand.js:76

            const packageJsonContents = await CommandUtils_1.CommandUtils.readFile(basePath + "/package.json");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f8a587467f178a8 — Filesystem access.

pkgs/npm/[email protected]/commands/InitCommand.js:579

        const ourPackageJson = JSON.parse(await CommandUtils_1.CommandUtils.readFile(`${__dirname}/../package.json`));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6e17d293f4f7fec — Environment-variable access.

pkgs/npm/[email protected]/driver/oracle/OracleDriver.js:196

            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5066c0e8c9d41346 — Environment-variable access.

pkgs/npm/[email protected]/driver/postgres/PostgresDriver.js:230

            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd708e4c949f552b — Filesystem access.

pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:62

                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44933101f6012510 — Filesystem access.

pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:129

                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64fef8b638ae183d — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.d.ts:3

export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8277e5c5597d8ba4 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:7

const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e4abb9c00537721 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:13

var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e4abb9c00537721 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:13

var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3143c3012d142088 — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:162

        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c236b6097454364f — Filesystem access.

pkgs/npm/[email protected]/platform/PlatformTools.js:168

        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5247f6a358d9c8d7 — Environment-variable access.

pkgs/npm/[email protected]/platform/PlatformTools.js:182

        return process.env[name];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75f18afdf8eeb502 — Filesystem access.

pkgs/npm/[email protected]/util/ImportUtils.js:75

                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency

expand_more 20 low-confidence finding(s)

low env_fs dependency Excluded from app score #155ad76ab66eee21 — Filesystem access.

pkgs/npm/[email protected]/lib/_tsserver.js:51

var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c26d5382d0eef610 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:309

    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79354c41578aa92f — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:535

  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cb30f26eda0c131 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:548

        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddc693b6c2eb0578 — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:565

    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ceafcdac73f578e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:566

      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff8364615c0d44e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff8364615c0d44e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff8364615c0d44e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff8364615c0d44e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ff8364615c0d44e — Environment-variable access.

pkgs/npm/[email protected]/lib/_tsserver.js:569

    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd242758d43ab01f — Filesystem access.

pkgs/npm/[email protected]/lib/_typingsInstaller.js:44

var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42702034dc9a92ff — Filesystem access.

pkgs/npm/[email protected]/lib/_typingsInstaller.js:88

    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66775662412145e2 — Filesystem access.

pkgs/npm/[email protected]/lib/watchGuard.js:42

var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ws

npm dependency

expand_more 2 low-confidence finding(s)

low env_fs dependency Excluded from app score #f25efa7286a1aa96 — Environment-variable access.

pkgs/npm/[email protected]/lib/buffer-util.js:115

if (!process.env.WS_NO_BUFFER_UTIL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30cfd64ec06842a5 — Environment-variable access.

pkgs/npm/[email protected]/lib/validation.js:142

} /* istanbul ignore else  */ else if (!process.env.WS_NO_UTF_8_VALIDATE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

path-to-regexp prod — dist-only: no readable source

Development

@nestjs/apollo dev — dist-only: no readable source
@typescript-eslint/parser dev — dist-only: no readable source
amqp-connection-manager dev — dist-only: no readable source
cache-manager dev — dist-only: no readable source
concurrently dev — dist-only: no readable source
conventional-changelog dev — dist-only: no readable source
graphql-subscriptions dev — dist-only: no readable source
lerna dev — dist-only: no readable source
redis dev — dist-only: no readable source
typescript-eslint dev — dist-only: no readable source

verified_user Possible application data leak

App Privacy Score

bar_chart Score Breakdown

list Scan Summary

swap_horiz Potential data exfiltration in application code

</> First-Party Code

first-party (npm)

</> Dependencies

coveralls

nats

@fastify/static

graphql

@apollo/server

@commitlint/cli

@eslint/eslintrc

@fastify/view

@grpc/grpc-js

@types/gulp

amqplib

chai

delete-empty

eslint

eslint-config-prettier

express

fastify

gulp-clean

gulp-sourcemaps

gulp-typescript

husky

ioredis

kafkajs

lerna-changelog

lint-staged

mocha

mongoose

multer

mysql2

nyc

prettier

socket.io

ts-node

tsconfig-paths

typeorm

typescript

ws

Skipped dependencies