Close Open Privacy Scan

bolt Snapshot: commit bb773ff
science engine v1.5
schedule 2026-07-14T05:15:50.974367+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

smart_toy MCP server detected: @anthropic-ai/sdk, @google/generative-ai, @langchain/anthropic, @langchain/core +14 more — detected in dependencies, not a safety judgment.
Incomplete scan — only 115/200 dependencies were analyzed. Treat the score as provisional.

App Privacy Score

2 /100
High privacy risk — application leak confirmed

High risk · 1780 finding(s)

Dependency score: 0 (High risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −20
egress −15
env_fs −3

list Scan Summary

34 high 69 medium 1677 low
First-party packages: 5
Dependency packages: 45
Ecosystem: npm

swap_horiz Confirmed data exfiltration in application code

External domains: 169.254.169.254192.168.1.1aaa.nonexistanturl.comaccount-iam.awsg.usge1.private.platform.ibmforusgov.comaccount-iam.awsg.usge1.private.platform.prep.ibmforusgov.comaccount-iam.platform.saas.ibm.comaccount-iam.platform.test.saas.ibm.comaccounts.google.comaccounts.zoom.usadmin.comai.google.devairtable.comanything.localap-south-1.aws.wxai.ibm.comapi.airtable.comapi.anthropic.comapi.astra.datastax.comapi.ca-tor.dai.cloud.ibm.comapi.cerebras.aiapi.cloudflare.comapi.cohere.aiapi.cohere.comapi.cometapi.comapi.dai.dev.cloud.ibm.comapi.dai.test.cloud.ibm.comapi.dataplatform.cloud.ibm.comapi.dataplatform.test.cloud.ibm.comapi.deepinfra.comapi.dev.cloud.datastax.comapi.dicebear.comapi.elevenlabs.ioapi.eu-de.dataplatform.cloud.ibm.comapi.eu-gb.dataplatform.cloud.ibm.comapi.eu.residency.elevenlabs.ioapi.featherless.aiapi.firecrawl.devapi.fireworks.aiapi.getzep.comapi.github.comapi.githubcopilot.comapi.groq.comapi.hub.langchain.comapi.in.residency.elevenlabs.ioapi.ipify.orgapi.jina.aiapi.jp-tok.dataplatform.cloud.ibm.comapi.lunary.aiapi.nodemailer.comapi.novita.aiapi.open-meteo.comapi.openai.comapi.pipedream.comapi.publicai.coapi.replicate.comapi.sambanova.aiapi.scaleway.aiapi.search.brave.comapi.sg.residency.elevenlabs.ioapi.smith.langchain.comapi.speak.comapi.spider.cloudapi.test.cloud.datastax.comapi.together.xyzapi.unstructuredapp.ioapi.us.elevenlabs.ioapi.vectara.ioapi.voyageai.comapi.wavespeed.aiapi.z.aiapify.comapp.comapp.langwatch.aiapp.mem0.aiapp.phoenix.arize.comarize.comarxiv.orgau-syd.dataplatform.cloud.ibm.comau-syd.ml.cloud.ibm.comauth.myidp.localazure.microsoft.combar.foo.combedrockbedrock-fipsbedrock-runtimebedrock-runtime-fipsbedrock-runtime.us-east-1.amazonaws.combit.lybr-sao.dataplatform.cloud.ibm.combr-sao.ml.cloud.ibm.combrave.comca-tor.dataplatform.cloud.ibm.comca-tor.ml.cloud.ibm.comcatalog.ngc.nvidia.comcdn.jsdelivr.netcloud.cerebras.aicloud.langfuse.comcommunity.atlassian.comconfluence.atlassian.comconsole.apify.comconsole.cloud.google.comconsole.groq.comconsole.mistral.aidev.aws.wxai.ibm.comdeveloper.wolframalpha.comdevelopers.notion.comdisk.compute.azure.comdocs.anthropic.comdocs.arize.comdocs.aws.amazon.comdocs.browserless.iodocs.bullmq.iodocs.cohere.comdocs.exa.aidocs.expo.devdocs.flowiseai.comdocs.getzep.comdocs.gitbook.comdocs.github.comdocs.google.comdocs.googleapis.comdocs.langwatch.aidocs.microsoft.comdocs.momentohq.comdocs.perplexity.aidocs.sambanova.aidocs.searxng.orgdocs.slack.devdocs.smith.langchain.comdocs.stripe.comdocs.teradata.comdocs.together.aidocs.unstructured.iodocs.vectara.comdocs.voyageai.comdomain1.comdomain2.comdomain3.comdrive.google.comdynamodbdynamodb-fipsdynamodb.amazonaws.comelevenlabs.ioesm.runethereal.emaileu-de.dataplatform.cloud.ibm.comeu-de.ml.cloud.ibm.comeu-es.dataplatform.cloud.ibm.comeu-es.ml.cloud.ibm.comeu-fr2.dataplatform.cloud.ibm.comeu-fr2.ml.cloud.ibm.comeu-gb.dataplatform.cloud.ibm.comeu-gb.ml.cloud.ibm.comevil.comexample.atlassian.netexport.arxiv.orgexpress-rate-limit.github.iofal.runfireworks.aiflowiseai.comfoo.comgenerativelanguage.googleapis.comgithub.comgmail.googleapis.comgraph.microsoft.comhandlebarsjs.comhelp.openai.comhf.cohuggingface.coid.atlassian.comin-che.dataplatform.cloud.ibm.comin-che.ml.cloud.ibm.cominference.api.nscale.cominference.baseten.cointegrate.api.nvidia.comip.nfriedly.comjina.aijp-osa.dataplatform.cloud.ibm.comjp-osa.ml.cloud.ibm.comjp-tok.dataplatform.cloud.ibm.comjp-tok.ml.cloud.ibm.comjs.langchain.comjson-schema.orgkendrakendra-fipslangfuse.comlangwatch.ailearn.microsoft.comlocal.devlocalai.iologin.microsoftonline.comlunary.aimail.google.commakersuite.google.commalicious.commcp-server-ab71a6b2-cd55-49d0-adba-562bc85956e3.supermachine.appmcp.browserless.iomcp.pipedream.commcp.slack.commeilisearch.commilvus.iomomentjs.commy-phoenix.commy.staging.websitemyapp.commysite.comneo4j.comnew-url.comnodejs.orgnodemailer.comnotgithub.comnpm.imnpms.ionts.ngc.nvidia.comoai.endpoints.kepler.ai.cloud.ovh.netoauth2.googleapis.comoctocorp.ghe.comopenai.comopenidconnect.googleapis.comopenrouter.aiother.comother.devotlp.arize.comphoenix.arize.compipedream.complatform.claude.complatform.openai.composthog.comprivate.ap-south-1.aws.wxai.ibm.comprivate.api.au-syd.dai.cloud.ibm.comprivate.api.ca-tor.dai.cloud.ibm.comprivate.api.dai.dev.cloud.ibm.comprivate.api.dataplatform.cloud.ibm.comprivate.api.dataplatform.test.cloud.ibm.comprivate.api.eu-de.dataplatform.cloud.ibm.comprivate.api.eu-gb.dataplatform.cloud.ibm.comprivate.api.jp-tok.dataplatform.cloud.ibm.comprivate.au-syd.ml.cloud.ibm.comprivate.ca-tor.ml.cloud.ibm.comprivate.dev.aws.wxai.ibm.comprivate.eu-de.ml.cloud.ibm.comprivate.eu-gb.ml.cloud.ibm.comprivate.jp-tok.ml.cloud.ibm.comprivate.test.aws.wxai.ibm.comprivate.us-south.ml.cloud.ibm.comprivate.wml-mcsp-dev.ml.test.cloud.ibm.comprivate.wxai.ibmforusgov.comprivate.wxai.prep.ibmforusgov.comprivate.yp-qa.ml.cloud.ibm.comprogrammablesearchengine.google.compython.langchain.comqdrant.techqueue.fal.runraw.githubusercontent.comrealtime.oxylabs.ioremote.mcp.pipedream.netreplicate.comrouter.huggingface.cos3s3-fipss3-fips.dualstacks3-fips.dualstack.us-east-1s3-fips.us-east-1s3-object-lambdas3-object-lambda-fipss3.amazonaws.coms3.dualstacks3.dualstack.us-east-1s3express-controlsecretsmanagersecretsmanager-fipssecure.comsentry.iosetuptools.pypa.iosheets.googleapis.comsidorares.github.ioslack.comsmith.langchain.comsnssns-fipssns.amazonaws.comsns.us-gov-east-1.amazonaws.comsns.us-gov-west-1.amazonaws.comspider.cloudstorage.azure.comstripe.comstssts-fipssts.amazonaws.comsub.login.microsoftonline.comsupport.airtable.comsupport.atlassian.comteradata-mcp-servertest-malicious-download.comtest.aws.wxai.ibm.comtest.comtrusted.comts.llamaindex.aitypo-host.comunstructured-io.github.iounstructured.ioupstash.comus-south.dataplatform.cloud.ibm.comus-south.ml.cloud.ibm.comus.i.posthog.comvectara.comwml-mcsp-dev.ml.test.cloud.ibm.comwww.assemblyai.comwww.comet.comwww.elastic.cowww.figma.comwww.firecrawl.devwww.google.comwww.googleapis.comwww.notion.sowww.npmjs.comwww.searchapi.iowww.w3.orgwww.yahoo.comwxai-qa.ml.cloud.ibm.comwxai.ibmforusgov.comwxai.prep.ibmforusgov.comx.comxyz.eu-west-1.aws.endpoints.huggingface.cloudyour-foundry-instance.services.ai.azure.comyourfile.hereyp-qa.ml.cloud.ibm.com

high first-party (npm): packages/ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
high first-party (npm): packages/ui User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
high first-party (npm): packages/server User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:103 repo/packages/server/src/IdentityManager.ts:140
high first-party (npm): packages/components User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
hub Dependency data flows (93)
high axios dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:610 pkgs/npm/[email protected]/lib/adapters/http.js:708
high nodemailer dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/fetch/index.js:55 pkgs/npm/[email protected]/lib/fetch/index.js:148
high @gomomento/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24
high @gomomento/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35
high @gomomento/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50
high @gomomento/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
high flowise-components dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:129 pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132
high @gomomento/sdk-core tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24
high @gomomento/sdk-core tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35
high @gomomento/sdk-core tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50
high @gomomento/sdk-core tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
high @datastax/astra-db-ts dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:83 pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:252
high @datastax/astra-db-ts dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:83 pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:305
high @datastax/astra-db-ts dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-db-admin.ts:97 pkgs/npm/@[email protected]__reposrc/src/devops/astra-db-admin.ts:171
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:935 pkgs/npm/@[email protected]/esm/api/api/security.js:952
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1562 pkgs/npm/@[email protected]/esm/api/api/security.js:1574
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1600 pkgs/npm/@[email protected]/esm/api/api/security.js:1612
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1676 pkgs/npm/@[email protected]/esm/api/api/security.js:1688
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2257 pkgs/npm/@[email protected]/esm/api/api/security.js:2274
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2437 pkgs/npm/@[email protected]/esm/api/api/security.js:2454
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2915 pkgs/npm/@[email protected]/esm/api/api/security.js:2927
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:937 pkgs/npm/@[email protected]/lib/api/api/security.js:954
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1564 pkgs/npm/@[email protected]/lib/api/api/security.js:1576
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1602 pkgs/npm/@[email protected]/lib/api/api/security.js:1614
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1678 pkgs/npm/@[email protected]/lib/api/api/security.js:1690
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2259 pkgs/npm/@[email protected]/lib/api/api/security.js:2276
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2439 pkgs/npm/@[email protected]/lib/api/api/security.js:2456
high @elastic/elasticsearch dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2917 pkgs/npm/@[email protected]/lib/api/api/security.js:2929
high @modelcontextprotocol/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245
high @modelcontextprotocol/sdk tooling User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643
medium axios dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:616 pkgs/npm/[email protected]/lib/adapters/http.js:708
medium winston dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/winston/transports/http.js:249 pkgs/npm/[email protected]/lib/winston/transports/http.js:242
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/api_version.js:26 pkgs/npm/@[email protected]__reposrc/samples/api_version.js:33
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 pkgs/npm/@[email protected]__reposrc/samples/cache.js:58
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 pkgs/npm/@[email protected]__reposrc/samples/cache.js:65
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 pkgs/npm/@[email protected]__reposrc/samples/cache.js:134
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 pkgs/npm/@[email protected]__reposrc/samples/cache.js:138
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 pkgs/npm/@[email protected]__reposrc/samples/cache.js:151
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:192 pkgs/npm/@[email protected]__reposrc/samples/cache.js:216
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:225 pkgs/npm/@[email protected]__reposrc/samples/cache.js:251
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 pkgs/npm/@[email protected]__reposrc/samples/cache.js:284
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 pkgs/npm/@[email protected]__reposrc/samples/cache.js:291
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 pkgs/npm/@[email protected]__reposrc/samples/chat.js:45
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 pkgs/npm/@[email protected]__reposrc/samples/chat.js:47
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:24 pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:36
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:44 pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:66
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:74 pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:87
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:27 pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:56
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:64 pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:76
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:45
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:55
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:86
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:96
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:132
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:140
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:178
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:186
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:242
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:250
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:302
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:311
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:335
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:349
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:368
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:388
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:24 pkgs/npm/@[email protected]__reposrc/samples/embed.js:31
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:39 pkgs/npm/@[email protected]__reposrc/samples/embed.js:56
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:31 pkgs/npm/@[email protected]__reposrc/samples/files.js:41
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:31 pkgs/npm/@[email protected]__reposrc/samples/files.js:69
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:78 pkgs/npm/@[email protected]__reposrc/samples/files.js:102
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:78 pkgs/npm/@[email protected]__reposrc/samples/files.js:117
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:126 pkgs/npm/@[email protected]__reposrc/samples/files.js:133
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:126 pkgs/npm/@[email protected]__reposrc/samples/files.js:161
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:170 pkgs/npm/@[email protected]__reposrc/samples/files.js:194
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:170 pkgs/npm/@[email protected]__reposrc/samples/files.js:209
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:222 pkgs/npm/@[email protected]__reposrc/samples/files.js:239
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:220 pkgs/npm/@[email protected]__reposrc/samples/files.js:267
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:275 pkgs/npm/@[email protected]__reposrc/samples/files.js:281
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:290 pkgs/npm/@[email protected]__reposrc/samples/files.js:304
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:314 pkgs/npm/@[email protected]__reposrc/samples/files.js:327
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:61 pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:93
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:24 pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:37
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:24 pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:38
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:28 pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:50
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:59 pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:85
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:31 pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:50
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:61 pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:75
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:24 pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:35
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:31 pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:37
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:64 pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:84
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:125 pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:149
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:194 pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:214
medium @google/generative-ai dependency PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:223 pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:255

</> First-Party Code

first-party (npm): packages/server

npm first-party
high pii_flow production #794c31bb312ae46c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/server/src/IdentityManager.ts:140 · flow /tmp/closeopen-q876yqrd/repo/packages/server/src/IdentityManager.ts:103 → /tmp/closeopen-q876yqrd/repo/packages/server/src/IdentityManager.ts:140
                    const response = await axios.post(`${LICENSE_URL}/enterprise/verify`, { license: FLOWISE_EE_LICENSE_KEY })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #109db5517011c403 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.test.ts:36
const posthogNode = require('posthog-node')

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #35b191184bc06c55 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/packages/server/src/utils/telemetry.ts:2
import { PostHog } from 'posthog-node'

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 460 low-confidence finding(s)
low env_fs production #0584da1019b0b930 Environment-variable access.
repo/packages/server/bin/dev:9
process.env.NODE_ENV = 'development'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1e5e898a7094f17 Environment-variable access.
repo/packages/server/src/AppConfig.ts:2
    showCommunityNodes: process.env.SHOW_COMMUNITY_NODES ? process.env.SHOW_COMMUNITY_NODES.toLowerCase() === 'true' : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6824c3f200a95a35 Environment-variable access.
repo/packages/server/src/CachePool.ts:15
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f840ba604c3cb999 Environment-variable access.
repo/packages/server/src/CachePool.ts:16
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22265ca39fcd8f94 Environment-variable access.
repo/packages/server/src/CachePool.ts:17
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4261f756f207a7a Environment-variable access.
repo/packages/server/src/CachePool.ts:19
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81eaa2b7fadc8a53 Environment-variable access.
repo/packages/server/src/CachePool.ts:20
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e1d9bacc4d0cbe6 Environment-variable access.
repo/packages/server/src/CachePool.ts:25
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a03d4110ff27104a Environment-variable access.
repo/packages/server/src/CachePool.ts:26
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f0fbec4cd57e5e8 Environment-variable access.
repo/packages/server/src/CachePool.ts:27
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3842e966ab8520da Environment-variable access.
repo/packages/server/src/CachePool.ts:28
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5aefe2cbc1771057 Environment-variable access.
repo/packages/server/src/CachePool.ts:30
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c653b8a8ef5d389d Environment-variable access.
repo/packages/server/src/CachePool.ts:32
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61c87deba2f2d3e4 Environment-variable access.
repo/packages/server/src/CachePool.ts:33
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e7b06e7989e5cfc Environment-variable access.
repo/packages/server/src/CachePool.ts:34
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f547071c853b21a6 Environment-variable access.
repo/packages/server/src/CachePool.ts:38
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0aff5b6b9485fd84 Environment-variable access.
repo/packages/server/src/CachePool.ts:39
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ffda133c3f51b6b Environment-variable access.
repo/packages/server/src/CachePool.ts:52
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e83286530b7de52 Environment-variable access.
repo/packages/server/src/CachePool.ts:63
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a05bf06dd83cd4f Environment-variable access.
repo/packages/server/src/CachePool.ts:77
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eac0832f6997bdbe Environment-variable access.
repo/packages/server/src/CachePool.ts:92
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61bdc3eda5794799 Environment-variable access.
repo/packages/server/src/CachePool.ts:108
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70b7108aa84e419 Environment-variable access.
repo/packages/server/src/CachePool.ts:125
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4ff092b5fd319d8 Environment-variable access.
repo/packages/server/src/CachePool.ts:135
        if (process.env.MODE !== MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a1f96eda42ef68a Environment-variable access.
repo/packages/server/src/CachePool.ts:146
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #417a82358a0dc9f9 Environment-variable access.
repo/packages/server/src/CachePool.ts:164
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d257f02d75dfdd4c Filesystem access.
repo/packages/server/src/DataSource.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f1c5476bdeb634e Environment-variable access.
repo/packages/server/src/DataSource.ts:21
    switch (process.env.DATABASE_TYPE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b1ad9bc8c9e98e4 Environment-variable access.
repo/packages/server/src/DataSource.ts:23
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17a369028390d174 Environment-variable access.
repo/packages/server/src/DataSource.ts:36
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46731cb454dcb231 Environment-variable access.
repo/packages/server/src/DataSource.ts:37
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d3f7c2254ff73c1 Environment-variable access.
repo/packages/server/src/DataSource.ts:38
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #702208bee03466f1 Environment-variable access.
repo/packages/server/src/DataSource.ts:39
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e314f9ba4d1938c Environment-variable access.
repo/packages/server/src/DataSource.ts:40
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4c75da73c4ae7ae Environment-variable access.
repo/packages/server/src/DataSource.ts:52
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #518baf1444fbb15e Environment-variable access.
repo/packages/server/src/DataSource.ts:53
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0becba4f9912a22 Environment-variable access.
repo/packages/server/src/DataSource.ts:54
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0fcd36a76e68873 Environment-variable access.
repo/packages/server/src/DataSource.ts:55
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97f095cfe83bedf9 Environment-variable access.
repo/packages/server/src/DataSource.ts:56
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c86addd7ec9fce2 Environment-variable access.
repo/packages/server/src/DataSource.ts:68
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1656efafe21fd313 Environment-variable access.
repo/packages/server/src/DataSource.ts:69
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f3075a8b5c723aa Environment-variable access.
repo/packages/server/src/DataSource.ts:70
                username: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0795bcbfca4bd39a Environment-variable access.
repo/packages/server/src/DataSource.ts:71
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #beab0629f2f799d5 Environment-variable access.
repo/packages/server/src/DataSource.ts:72
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42fdadc35d3d8b68 Environment-variable access.
repo/packages/server/src/DataSource.ts:91
            homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46e61b4179f885a6 Environment-variable access.
repo/packages/server/src/DataSource.ts:112
    if (process.env.DATABASE_SSL_KEY_BASE64) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bbaa807327ecdc8 Environment-variable access.
repo/packages/server/src/DataSource.ts:114
            rejectUnauthorized: process.env.DATABASE_REJECT_UNAUTHORIZED === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a968efa69a755a4 Environment-variable access.
repo/packages/server/src/DataSource.ts:115
            ca: Buffer.from(process.env.DATABASE_SSL_KEY_BASE64, 'base64')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e6b170938f1a0bf Environment-variable access.
repo/packages/server/src/DataSource.ts:117
    } else if (process.env.DATABASE_SSL === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c89a9e29d4015383 Filesystem access.
repo/packages/server/src/IdentityManager.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1785873ef30a462 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:60
        if (process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace603e2ae42d7e3 Filesystem access.
repo/packages/server/src/IdentityManager.ts:91
            const publicKey = fs.readFileSync(path.join(__dirname, '../', 'src/enterprise/license/public.pem'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d4651c0738bdf8b Environment-variable access.
repo/packages/server/src/IdentityManager.ts:103
        const LICENSE_URL = process.env.LICENSE_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #20776f96b1b11cc3 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:104
        const FLOWISE_EE_LICENSE_KEY = process.env.FLOWISE_EE_LICENSE_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b871dceb6801f302 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:114
            if (process.env.OFFLINE === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b81a2c7cce460f06 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:402
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e0c1e7834956252 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:419
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93f6b683cd57f3fd Environment-variable access.
repo/packages/server/src/IdentityManager.ts:420
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b60da93c1c73fb57 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:421
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5647187cdda67331 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:435
                newPlanId === process.env.CLOUD_FREE_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d696f12192d8af59 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:436
                newPlanId === process.env.CLOUD_STARTER_ID ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #940f1ad9c18a6163 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:437
                newPlanId === process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c11bfc12684d8a02 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:493
                    productId = process.env.CLOUD_STARTER_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4b8a9e6885b721d Environment-variable access.
repo/packages/server/src/IdentityManager.ts:496
                    productId = process.env.CLOUD_PRO_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c4b3b824e7df860 Environment-variable access.
repo/packages/server/src/IdentityManager.ts:499
                    productId = process.env.CLOUD_FREE_ID as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77f44bd01328e157 Filesystem access.
repo/packages/server/src/NodesPool.ts:3
import { Dirent } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #792845782a5afe62 Filesystem access.
repo/packages/server/src/NodesPool.ts:5
import { promises } from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e21add034fe2f112 Environment-variable access.
repo/packages/server/src/NodesPool.ts:37
        const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b93b93e757ea376f Environment-variable access.
repo/packages/server/src/StripeManager.ts:21
        if (!this.stripe && process.env.STRIPE_SECRET_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #387757a991e92bc4 Environment-variable access.
repo/packages/server/src/StripeManager.ts:22
            this.stripe = new Stripe(process.env.STRIPE_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6310692f8867200a Environment-variable access.
repo/packages/server/src/StripeManager.ts:140
                return_url: `${process.env.APP_URL}/account`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #323b5658c6c021c8 Environment-variable access.
repo/packages/server/src/StripeManager.ts:166
                product: process.env.CLOUD_STARTER_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e305be4a5704ef3 Environment-variable access.
repo/packages/server/src/StripeManager.ts:170
                product: process.env.CLOUD_PRO_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b341e3bb2badbb67 Environment-variable access.
repo/packages/server/src/StripeManager.ts:174
                product: process.env.CLOUD_FREE_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa97af031821ca44 Environment-variable access.
repo/packages/server/src/StripeManager.ts:178
                product: process.env.ADDITIONAL_SEAT_ID as string,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f9f5e1bdc4cf73e Environment-variable access.
repo/packages/server/src/StripeManager.ts:201
                privacy_policy_url: `${process.env.APP_URL}/privacy-policy`,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba607076f49acd1f Environment-variable access.
repo/packages/server/src/StripeManager.ts:202
                terms_of_service_url: `${process.env.APP_URL}/terms-of-service`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76509f712dedccde Environment-variable access.
repo/packages/server/src/StripeManager.ts:245
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3207f69a619c0097 Environment-variable access.
repo/packages/server/src/StripeManager.ts:291
            const basePlanItem = subscription.items.data.find((item) => (item.price.product as string) !== process.env.ADDITIONAL_SEAT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86127ef2b51a6cbd Environment-variable access.
repo/packages/server/src/StripeManager.ts:303
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22aac25221602ce1 Environment-variable access.
repo/packages/server/src/StripeManager.ts:319
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e005de5655814bbb Environment-variable access.
repo/packages/server/src/StripeManager.ts:378
                (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a52d1e86f83bca53 Environment-variable access.
repo/packages/server/src/StripeManager.ts:383
                product: process.env.ADDITIONAL_SEAT_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d078e9c1f2803b1 Environment-variable access.
repo/packages/server/src/StripeManager.ts:463
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f557f63d97f438e3 Environment-variable access.
repo/packages/server/src/StripeManager.ts:534
            const isStarterPlan = newPlanId === process.env.CLOUD_STARTER_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9bc9a5feead2384 Environment-variable access.
repo/packages/server/src/StripeManager.ts:546
                        plan_id: process.env.CLOUD_STARTER_ID || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b8f2a829acd129c1 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:37
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b6b70c4ee09b6f1 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:39
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a82b3387299b8fc0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:41
                    url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf62a1d3b2ad26b1 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:44
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f20fca922a30cb2 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:45
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb86bf1a236cf960 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:49
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a39f8929655b674 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:50
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f518dd17642564f9 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:55
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2bd0846bff0bc0f Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:56
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f69d0f3c682abeb4 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:58
                        host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a999be72aa62bbf Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:59
                        port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #842bf6962d023cd0 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:60
                        tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7050d72f90e3bf70 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:61
                        cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec4f2ca04855d02f Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:62
                        key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4d5869a52e6bff1 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:63
                        ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27d0cce0ad30b096 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:65
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7227737c1b309098 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:66
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc2b65c88ed107bf Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:70
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de268d530ec9aa48 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:71
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #367dc70b736d2197 Environment-variable access.
repo/packages/server/src/UsageCacheManager.ts:147
            (item) => (item.price.product as string) === process.env.ADDITIONAL_SEAT_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #747079c5fb922cb6 Environment-variable access.
repo/packages/server/src/commands/base.ts:217
                process.env[key] = flags[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1e98caafd2f794f Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:32
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2ebe8259466c39b Environment-variable access.
repo/packages/server/src/controllers/evaluations/index.ts:56
        const baseURL = `${process.env.APP_URL}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #524f16004f50e4dc Filesystem access.
repo/packages/server/src/controllers/get-upload-file/index.ts:2
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be0af9f013226c26 Environment-variable access.
repo/packages/server/src/controllers/internal-predictions/index.ts:36
    const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #acefba79c6d639c8 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/controllers/nvidia-nim/index.ts:17
        const response = await axios.post('https://nts.ngc.nvidia.com/v1/token', data, { headers })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #537c1d9eaf1ed940 Filesystem access.
repo/packages/server/src/controllers/openai-assistants/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ca78db1788fb7a9 Environment-variable access.
repo/packages/server/src/controllers/predictions/index.ts:67
                const isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5dab5ec5d429a10 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:6
            FREE: process.env.CLOUD_FREE_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d47d4e0b6b688a40 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:7
            STARTER: process.env.CLOUD_STARTER_ID,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcacc0c3a93da370 Environment-variable access.
repo/packages/server/src/controllers/pricing/index.ts:8
            PRO: process.env.CLOUD_PRO_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61dabc6a12e11728 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:16
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fdeeb27a2091bc5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:17
            redisClient = new Redis(process.env.REDIS_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6bfbca62e8f4a97 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:20
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b70146c6bd840705 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:21
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a17b59ab820c1e6 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:22
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be3a2a4d7350f070 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:23
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #155cc6c1454bce16 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:25
                    process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adb5bd37dddde72b Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:27
                              cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1ff64ca75cd7611 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:28
                              key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc61a8a37c2c1f78 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:29
                              ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40f655d1cd552889 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:44
    const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #115b0f391b47acaa Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:50
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bbda79b40861c5e Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:51
                port: parseInt(process.env.DATABASE_PORT || '3306'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e13946b2c71f78e5 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:52
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0059e61c3c0a08ab Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:53
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d92b9703cd36920f Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:54
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #851d0d0179b3a306 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:73
                host: process.env.DATABASE_HOST,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec90d84fc46e7243 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:74
                port: parseInt(process.env.DATABASE_PORT || '5432'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae81c130d2074904 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:75
                user: process.env.DATABASE_USER,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c7c280a93d3433c Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:76
                password: process.env.DATABASE_PASSWORD,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25def4f80051eb32 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:77
                database: process.env.DATABASE_NAME,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8ccd9f2f39e2218 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:93
            const homePath = process.env.DATABASE_PATH ?? flowisePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4fd151c053abea4 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/SessionPersistance.ts:153
            const databaseType = process.env.DATABASE_TYPE || 'sqlite'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfe0c6640e097ced Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:36
const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bb6e5745161b5c2 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:42
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ab8a7a923839a85 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:44
        : process.env.SECURE_COOKIES === 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #999ff26515a8aade Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:46
        : process.env.SECURE_COOKIES === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3744ca1c61ecd55 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:48
        : process.env.APP_URL?.startsWith('https')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37cdb20a33027515 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:68
        if (process.env.MODE === 'queue') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #095612cc47200c55 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:371
        expiryInMinutes = process.env.JWT_TOKEN_EXPIRY_IN_MINUTES ? parseInt(process.env.JWT_TOKEN_EXPIRY_IN_MINUTES) : 60

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1afe940d78e0a8ad Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:391
        expiryInMinutes = process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1fcd7449dbe7396 Environment-variable access.
repo/packages/server/src/enterprise/middleware/passport/index.ts:392
            ? parseInt(process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adb2f0a184ddfb6a Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:155
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc38fcd44aba0664 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:218
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec4f089b6ed25776 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:373
                const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7802c8c11ab57236 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:446
                    const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22971eb8b5f97abb Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:637
            const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71dd489b6b57e97b Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:638
                ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d11639af500151c0 Environment-variable access.
repo/packages/server/src/enterprise/services/account.service.ts:878
            const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #804a283b1333302c Environment-variable access.
repo/packages/server/src/enterprise/sso/Auth0SSO.ts:49
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #802ea28e8574e03e Environment-variable access.
repo/packages/server/src/enterprise/sso/AzureSSO.ts:21
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fd9bc6708ab39ad Environment-variable access.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:17
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #8bf07dc70cdf9cb3 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:38
                        const emailResponse = await fetch('https://api.github.com/user/emails', {
                            headers: {
                                Authorization: `token ${accessToken}`,
                                'User-Agent': 'Node.js'
                            }
                        })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #bcff16f3c41b96a9 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:106
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    code: 'dummy_code_for_testing'
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #244aeb3927fb0192 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GithubSSO.ts:133
            const response = await fetch('https://github.com/login/oauth/access_token', {
                method: 'POST',
                headers: {
                    Accept: 'application/json',
                    'Content-Type': 'application/json'
                },
                body: JSON.stringify({
                    client_id: clientID,
                    client_secret: clientSecret,
                    grant_type: 'refresh_token',
                    refresh_token: currentRefreshToken
                })
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #700aacb9fcb2cf3c Environment-variable access.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:20
        const APP_URL = process.env.APP_URL || 'http://127.0.0.1:' + process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #14cb4775b7dc9ffd Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/server/src/enterprise/sso/GoogleSSO.ts:141
            const response = await axios.post(
                `https://oauth2.googleapis.com/token`,
                new URLSearchParams({
                    client_id: clientID || '',
                    client_secret: clientSecret || '',
                    grant_type: 'refresh_token',
                    refresh_token: ssoRefreshToken,
                    scope: 'refresh_token'
                }).toString(),
                {
                    headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
                }
            )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0be48d097bb777d8 Environment-variable access.
repo/packages/server/src/enterprise/utils/encryption.util.ts:6
    return parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '10', 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d73a84e157a4965e Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:7
const SMTP_HOST = process.env.SMTP_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dc1129846870f2e Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:8
const SMTP_PORT = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09cf85df64e7bffe Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:9
const SMTP_USER = process.env.SMTP_USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #852b959395d0e613 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:10
const SMTP_PASSWORD = process.env.SMTP_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3347b8737f2c13f1 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:13
    const port = parseInt(process.env.SMTP_PORT as string, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb78f0090962c427 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:15
        process.env.SMTP_HOST?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56e4bacb9dbba800 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:16
            process.env.SMTP_USER?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14d4c025b47d8004 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:17
            process.env.SMTP_PASSWORD?.trim() &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e5f89d80b5570363 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:18
            process.env.SMTP_PORT &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34d50448f48d6e35 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:22
const SENDER_EMAIL = process.env.SENDER_EMAIL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #576f050415140392 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:23
const SMTP_SECURE = process.env.SMTP_SECURE ? process.env.SMTP_SECURE === 'true' : true

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b5c98448c794508 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:24
const TLS = process.env.ALLOW_UNAUTHORIZED_CERTS ? { rejectUnauthorized: false } : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #513ac5b8fe1885de Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:40
            return fs.readFileSync(userTemplatePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea2a930180702fea Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:45
    return fs.readFileSync(path.join(__dirname, '../', 'emails', defaultTemplateName), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5da22545f81870e Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:52
    const template = getEmailTemplate('workspace_add_cloud.hbs', process.env.WORKSPACE_INVITE_TEMPLATE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62f3f29d33ea662b Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:80
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2377b8c53dda3871 Environment-variable access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:84
                  process.env.WORKSPACE_INVITE_TEMPLATE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc6eb730cf67c902 Filesystem access.
repo/packages/server/src/enterprise/utils/sendEmail.ts:100
    const passwordResetTemplateSource = fs.readFileSync(path.join(__dirname, '../', 'emails', 'workspace_user_reset_password.hbs'), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #072c9f89aa3f2fca Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:80
        const expiryInHours = process.env.INVITE_TOKEN_EXPIRY_IN_HOURS ? parseInt(process.env.INVITE_TOKEN_EXPIRY_IN_HOURS) : 24

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41312d54ba31c82b Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:85
        const expiryInMins = process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5017435907fa0888 Environment-variable access.
repo/packages/server/src/enterprise/utils/tempTokenUtils.ts:86
            ? parseInt(process.env.PASSWORD_RESET_TOKEN_EXPIRY_IN_MINUTES)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea930df5f9315581 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:11
    const originalEnv = process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cc6e268ede95717 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:15
            process.env.APP_URL = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaf4272e3429d542 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:17
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #862e60685acacf93 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:23
            delete process.env.APP_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #839ef3b54f3c7429 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:28
            process.env.APP_URL = 'example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9d57e3faed92750 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:33
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1429d6d4bcc8dce1 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:38
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f8c6b1657ce89b3 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:44
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93a556339437d3ee Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:49
            process.env.APP_URL = 'http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c64b12e4d550f496 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:54
            process.env.APP_URL = 'http://[::1]:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f3e8e08d4bfe705 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:59
            process.env.APP_URL = 'http://0.0.0.0:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eeb9bfb9e4dc37d6 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:64
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebf4b2a0349efae7 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:69
            process.env.APP_URL = 'https://example.com/'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a01061a27a9082e Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:74
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bfc1230bef1b215 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:79
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ada2760fa36c4068 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:86
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d047043f0152cf6c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:92
            process.env.APP_URL = 'http://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f54130870bfda10e Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:98
            process.env.APP_URL = 'http://localhost:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99de3d868abaa3a4 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:104
            process.env.APP_URL = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca6ae91c998c2ed6 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:113
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55ee534768f30ba0 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:120
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65b89f01909178d8 Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.test.ts:126
            process.env.APP_URL = 'http://myapp.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbef3871fba60a4c Environment-variable access.
repo/packages/server/src/enterprise/utils/url.util.ts:11
    const appUrl = process.env.APP_URL || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #646236cb5817cf6f Environment-variable access.
repo/packages/server/src/index.ts:137
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92d33dea81329a19 Environment-variable access.
repo/packages/server/src/index.ts:174
        const flowise_file_size_limit = process.env.FLOWISE_FILE_SIZE_LIMIT || '50mb'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb76c57a91f87eb6 Environment-variable access.
repo/packages/server/src/index.ts:184
        let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d163fdd831c4fc6e Environment-variable access.
repo/packages/server/src/index.ts:223
        const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #120a5675ce9e8e70 Environment-variable access.
repo/packages/server/src/index.ts:305
        if (process.env.ENABLE_METRICS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb0a716fcfc15a85 Environment-variable access.
repo/packages/server/src/index.ts:306
            switch (process.env.METRICS_PROVIDER) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53767ee8fd70215b Environment-variable access.
repo/packages/server/src/index.ts:339
        if (process.env.MODE === MODE.QUEUE && process.env.ENABLE_BULLMQ_DASHBOARD === 'true' && !this.identityManager.isCloud()) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bf5978cea5b1fe1 Environment-variable access.
repo/packages/server/src/index.ts:346
                process.env.ADMIN_RATE_LIMIT_MESSAGE || 'Too many requests to admin dashboard, please try again later.'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d529c71fc1e30b6 Environment-variable access.
repo/packages/server/src/index.ts:392
    const host = process.env.HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a0c9d3b598b2f63 Environment-variable access.
repo/packages/server/src/index.ts:393
    const port = parseInt(process.env.PORT || '', 10) || 3000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81662c4ee1bc735b Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:29
        if (!process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed8748ccecc41282 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:33
        if (process.env.METRICS_OPEN_TELEMETRY_DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4fd36e1cad9a1b3 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:51
                [ATTR_SERVICE_NAME]: process.env.METRICS_SERVICE_NAME || 'FlowiseAI',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5de9a0088cbaba0 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:55
            const metricProtocol = process.env.METRICS_OPEN_TELEMETRY_PROTOCOL || 'http' // Default to 'http'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d671ba3fd99f9b36 Environment-variable access.
repo/packages/server/src/metrics/OpenTelemetry.ts:79
                url: process.env.METRICS_OPEN_TELEMETRY_METRIC_ENDPOINT // OTLP endpoint for metrics

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91ae8b6f4bb66252 Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:26
        const serviceName: string = process.env.METRICS_SERVICE_NAME || 'FlowiseAI'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53fd6eceb931cbd9 Environment-variable access.
repo/packages/server/src/metrics/Prometheus.ts:155
        if (process.env.METRICS_INCLUDE_NODE_METRICS !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b456bfa4830466f Environment-variable access.
repo/packages/server/src/middlewares/errors/index.ts:16
        stack: process.env.NODE_ENV === 'development' ? err.stack : {}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39f862c662f8019f Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:5
const QUEUE_REDIS_EVENT_STREAM_MAX_LEN = process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96c46cedaa714d17 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:6
    ? parseInt(process.env.QUEUE_REDIS_EVENT_STREAM_MAX_LEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f88ce43815a2ce1 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:8
const WORKER_CONCURRENCY = process.env.WORKER_CONCURRENCY ? parseInt(process.env.WORKER_CONCURRENCY) : 100000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8a2914241706aaa Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:9
const REMOVE_ON_AGE = process.env.REMOVE_ON_AGE ? parseInt(process.env.REMOVE_ON_AGE) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7ef6ebc0a9ea2b9 Environment-variable access.
repo/packages/server/src/queue/BaseQueue.ts:10
const REMOVE_ON_COUNT = process.env.REMOVE_ON_COUNT ? parseInt(process.env.REMOVE_ON_COUNT) : -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a56293b4987335d Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:18
const QUEUE_NAME = process.env.QUEUE_NAME || 'flowise-queue'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f9aa41925a74242 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:30
        if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9420f1abea7e3199 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:32
            if (process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a6114ae184e3271 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:36
            } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed5604c2fda9a61a Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:38
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8024b90dadb994a9 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:39
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0db3c1670f65a99 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:40
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ad33bee0c76cc46 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:44
                url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #199fa0062a4fb4d1 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:48
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fd67b4e47dd61de Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:49
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b86012a176ecdb2 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:54
            if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21644d84fbf7c424 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:56
                    cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80a0eede036d8a16 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:57
                    key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f11ac49a8821198 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:58
                    ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b4d3670114bad73 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:62
                host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e11b06f222c04856 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:63
                port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfde6c2ff8764d31 Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:64
                username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc187bf4c0687f8e Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:65
                password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf0ba38ab6858deb Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:69
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07f37160dcb6eeff Environment-variable access.
repo/packages/server/src/queue/QueueManager.ts:70
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fd7076e350601bb Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:60
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d383b3975bfb1b4f Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:98
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c70e6126b5d191f1 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:142
        process.env.MCP_CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0af7dfe75eae36db Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:147
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3655e101505386b3 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:180
        process.env.MCP_CORS_ORIGINS = 'https://allowed.example.com, https://also-allowed.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7168fbc19fcf59d9 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.test.ts:185
        delete process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcabd18153328878 Environment-variable access.
repo/packages/server/src/routes/mcp-endpoint/index.ts:13
const mcpCorsOrigins = process.env.MCP_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca3813c2eca03d1c Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:90
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5a69dd82c7be561 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:91
    if (mode) process.env.MODE = mode

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5915b4842ab2949 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.test.ts:115
    delete process.env.MODE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a86cb2a63e1946e3 Environment-variable access.
repo/packages/server/src/schedule/ScheduleBeat.ts:33
        this.isQueueMode = process.env.MODE === MODE.QUEUE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42b96de7af347c32 Environment-variable access.
repo/packages/server/src/schedule/ScheduleExecutor.ts:206
            baseURL: process.env.APP_URL ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92bbbfefb523ccf5 Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:6
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f52095f145f5d330 Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:85
    const disabled_nodes = process.env.DISABLED_NODES ? process.env.DISABLED_NODES.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fafdc07cc8befc6 Filesystem access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:109
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a385a06902c0f94 Environment-variable access.
repo/packages/server/src/services/agentflowv2-generator/index.ts:202
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fae30474eca2b970 Environment-variable access.
repo/packages/server/src/services/chat-messages/index.ts:195
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0caa1360185dbc4b Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:691
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8885090caf7058ee Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:693
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d4d63bf0a7d33ce Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:694
            else process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf2f4eb064634f3d Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:698
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '50'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #68549b1f643845a0 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:720
            process.env.CUSTOM_MCP_TOOLS_MAX_BYTES = '0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45d5681db440fb1c Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:749
        const ORIGINAL_ENV = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ecf712565b23a4b Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:751
            if (ORIGINAL_ENV === undefined) delete process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb85b8ff2f8c97b9 Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:752
            else process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = ORIGINAL_ENV

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #191711ac5635d2da Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.test.ts:758
            process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS = '1000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98fabdc2e1bc0cee Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:19
    const raw = process.env.CUSTOM_MCP_TOOLS_MAX_BYTES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc105b25eb22b8be Environment-variable access.
repo/packages/server/src/services/custom-mcp-servers/index.ts:27
    const raw = process.env.CUSTOM_MCP_AUTHORIZE_TIMEOUT_MS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3fe79a9e353cb79 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:699
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b9f36d06f9e88dd Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:907
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27c7074a287afae6 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:1326
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99e5ceea15dcf8b2 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2057
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fa4a61449586831 Environment-variable access.
repo/packages/server/src/services/documentstore/index.ts:2132
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be2f2954ad677789 Environment-variable access.
repo/packages/server/src/services/export-import/index.ts:891
                            const baseURL = process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27d9251916f51c09 Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:18
        if (process.env.DEBUG === 'true') console.info(`Start ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5529d551c69bd523 Environment-variable access.
repo/packages/server/src/services/fetch-links/index.ts:20
        if (process.env.DEBUG === 'true') console.info(`Finish ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c8b4bdfbc45c77c Filesystem access.
repo/packages/server/src/services/log/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f18cf3a3bb4344ec Environment-variable access.
repo/packages/server/src/services/log/index.ts:73
            const filePath = process.env.LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca4e8be18ecc9dc8 Environment-variable access.
repo/packages/server/src/services/log/index.ts:74
                ? path.resolve(process.env.LOG_PATH, `server.log.${date}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #451803db892ef4ed Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #766134d9c60fd20b Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:37
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b1fe43295339087 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:58
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ac5f5798744b976 Filesystem access.
repo/packages/server/src/services/marketplaces/index.ts:99
            const fileData = fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a3ac42f90e9e598 Environment-variable access.
repo/packages/server/src/services/nodes/index.ts:149
    if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ca79c6a0af847c7 Environment-variable access.
repo/packages/server/src/services/schedule/utils.ts:10
const MIN_SCHEDULE_INTERVAL_SECONDS = Math.max(1, parseInt(process.env.MIN_SCHEDULE_INTERVAL_SECONDS || '60', 10) || 60)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18d93ee7b67d4606 Filesystem access.
repo/packages/server/src/services/versions/index.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b968af9315fcb83f Filesystem access.
repo/packages/server/src/services/versions/index.ts:29
            const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26909b31bd82eff1 Environment-variable access.
repo/packages/server/src/services/webhook-listener/registry.ts:217
    if (process.env.MODE === MODE.QUEUE && redisEventSubscriber) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b020a436ad4701b Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:22
    const SAVED_CORS_ORIGINS = process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19b1435a09038d9e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:23
    const SAVED_CORS_ALLOW_CREDENTIALS = process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #211808b2f1fbfd22 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:26
        if (SAVED_CORS_ORIGINS !== undefined) process.env.CORS_ORIGINS = SAVED_CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10eb539744ffe710 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:27
        else delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4e34033e1cd6713 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:28
        if (SAVED_CORS_ALLOW_CREDENTIALS !== undefined) process.env.CORS_ALLOW_CREDENTIALS = SAVED_CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b181f3c09af16c94 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:29
        else delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d928b6b8a17d29d Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:33
        if (corsOrigins === undefined) delete process.env.CORS_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e07631ea8a64f063 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:34
        else process.env.CORS_ORIGINS = corsOrigins

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #034ec11e15583d53 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:35
        if (corsAllowCredentials === undefined) delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #072f5478f790b8ac Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:36
        else process.env.CORS_ALLOW_CREDENTIALS = corsAllowCredentials

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #931cbb08eb9f491d Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:71
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0aebfe9f036b056 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:72
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #782d55681c8991e8 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:78
            process.env.CORS_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc8417c0d8c7c164 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:79
            delete process.env.CORS_ALLOW_CREDENTIALS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f2469d3d25ae4a8 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:85
            process.env.CORS_ORIGINS = 'https://trusted.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07e9bb7eeae192d7 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:86
            process.env.CORS_ALLOW_CREDENTIALS = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0660a9f9302ccd50 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:94
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e02a8aace8058e5d Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:99
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55c26bef56c78252 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:101
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ad3f9f01b5a7dc7 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:107
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c9f41f908ce7543 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:112
            process.env.IFRAME_ORIGINS = ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fd1ce7fa7f5d8a5 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:117
            process.env.IFRAME_ORIGINS = '   '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab1715eaedfd6439 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:124
            process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #886cd3e0a877ab44 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:129
            process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99ca2ce18596b11e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:134
            process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7145bb06f9bf4b69 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:141
            process.env.IFRAME_ORIGINS = 'https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #47daa7686d3152d8 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:146
            process.env.IFRAME_ORIGINS = '  https://example.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00a415e8aaad7c78 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:153
            process.env.IFRAME_ORIGINS = 'https://domain1.com,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d290ce70e4b3b64 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:158
            process.env.IFRAME_ORIGINS = 'https://domain1.com, https://domain2.com, https://domain3.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a58a24dbdabba463 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:163
            process.env.IFRAME_ORIGINS = '  https://app.com  ,  https://admin.com  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd7e4a96a542e481 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:170
            process.env.IFRAME_ORIGINS = 'https://localhost:3000,https://localhost:4000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3552dec926f8ca78 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:175
            process.env.IFRAME_ORIGINS = 'https://example.com/path1,https://example.com/path2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13423eceb39d9550 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:180
            process.env.IFRAME_ORIGINS = 'http://example.com,https://secure.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #578126caf1b60400 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:185
            process.env.IFRAME_ORIGINS = 'https://example.com,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fad93202a531dbc Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:190
            process.env.IFRAME_ORIGINS = ',https://example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fc2cfb8db472f4a Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:195
            process.env.IFRAME_ORIGINS = 'https://domain1.com,,https://domain2.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b85755878cc8bad Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:202
            process.env.IFRAME_ORIGINS = 'https://app.example.com,https://admin.example.com,https://dashboard.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #421e935c018ea25e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:207
            process.env.IFRAME_ORIGINS = 'http://localhost:3000,http://localhost:3001,http://127.0.0.1:3000'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04f3649cec964f84 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:212
            process.env.IFRAME_ORIGINS = "'self',https://trusted.com"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1db19cca90e2c774 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:219
    const originalEnv = process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03ac8bfedff93913 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:223
            process.env.IFRAME_ORIGINS = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7614fd32852a507f Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:225
            delete process.env.IFRAME_ORIGINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ab045648820e3586 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:230
        process.env.IFRAME_ORIGINS = '*'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #834902fa9d3c041c Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:237
        process.env.IFRAME_ORIGINS = "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #120292a847027d3e Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:245
        process.env.IFRAME_ORIGINS = "'none'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd1c18f3b9930a94 Environment-variable access.
repo/packages/server/src/utils/XSS.test.ts:253
        process.env.IFRAME_ORIGINS = 'https://embed.example.com,https://admin.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24ff2f70faab88f6 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:26
    return process.env.CORS_ORIGINS ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa2a05550c527e15 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:30
    return process.env.CORS_ALLOW_CREDENTIALS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f34910b40843ce2 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:34
    const appUrl = process.env.APP_URL?.trim()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95f6d97f453f0c17 Environment-variable access.
repo/packages/server/src/utils/XSS.ts:161
    const origins = (process.env.IFRAME_ORIGINS?.trim() || undefined) ?? "'self'"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2670f64a826a2c4 Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:174
const MAX_LOOP_COUNT = process.env.MAX_LOOP_COUNT ? parseInt(process.env.MAX_LOOP_COUNT) : 10

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39a466f263c2570d Environment-variable access.
repo/packages/server/src/utils/buildAgentflow.ts:1912
    const maxIterations = process.env.MAX_ITERATIONS ? parseInt(process.env.MAX_ITERATIONS) : 1000

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #028e2145582624d4 Environment-variable access.
repo/packages/server/src/utils/buildChatflow.ts:1084
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31c37c163fde5273 Environment-variable access.
repo/packages/server/src/utils/config.ts:10
    dir: process.env.LOG_PATH ?? path.join(__dirname, '..', '..', 'logs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71334dcbe2044333 Environment-variable access.
repo/packages/server/src/utils/config.ts:12
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #33010dded48db67e Environment-variable access.
repo/packages/server/src/utils/config.ts:17
        level: process.env.LOG_LEVEL ?? 'info',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b18f18b0b6c530f Filesystem access.
repo/packages/server/src/utils/index.ts:6
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #192eb1fe996ad317 Environment-variable access.
repo/packages/server/src/utils/index.ts:76
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d539f6b187399db0 Environment-variable access.
repo/packages/server/src/utils/index.ts:78
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11a465af74227326 Environment-variable access.
repo/packages/server/src/utils/index.ts:79
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc02e5914e91b6f8 Environment-variable access.
repo/packages/server/src/utils/index.ts:80
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bc9f3e92afc086b3 Environment-variable access.
repo/packages/server/src/utils/index.ts:120
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62e85d02c1da456f Environment-variable access.
repo/packages/server/src/utils/index.ts:125
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6c604178cad6148 Environment-variable access.
repo/packages/server/src/utils/index.ts:852
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28a843920f3193d3 Environment-variable access.
repo/packages/server/src/utils/index.ts:1554
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66e9fb00b6a1cb64 Environment-variable access.
repo/packages/server/src/utils/index.ts:1555
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0269a7f6cbb9eac7 Environment-variable access.
repo/packages/server/src/utils/index.ts:1558
        const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a271ae35ea39392 Filesystem access.
repo/packages/server/src/utils/index.ts:1581
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d93f277eb6d0323 Environment-variable access.
repo/packages/server/src/utils/index.ts:1584
        const defaultLocation = process.env.SECRETKEY_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84382037040f058 Environment-variable access.
repo/packages/server/src/utils/index.ts:1585
            ? path.join(process.env.SECRETKEY_PATH, 'encryption.key')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18a7a43a935d315c Filesystem access.
repo/packages/server/src/utils/index.ts:1587
        await fs.promises.writeFile(defaultLocation, encryptKey)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe8dac7bfa0ac2b4 Environment-variable access.
repo/packages/server/src/utils/index.ts:1670
    return process.env.SECRETKEY_PATH ? process.env.SECRETKEY_PATH : path.join(getUserHome(), '.flowise')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #211697bfa855f09e Environment-variable access.
repo/packages/server/src/utils/index.ts:1697
    const envVal = process.env[envKey]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5122d26c7feb37bd Environment-variable access.
repo/packages/server/src/utils/index.ts:1704
        const prefix = process.env.SECRETKEY_AWS_AUTH_PREFIX || 'Flowise'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6db318e639fe367 Filesystem access.
repo/packages/server/src/utils/index.ts:1729
        return await fs.promises.readFile(filePath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9f5a13e07d2fa14 Filesystem access.
repo/packages/server/src/utils/index.ts:1735
        await fs.promises.writeFile(filePath, value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94344c8effeee3ef Filesystem access.
repo/packages/server/src/utils/index.ts:1981
        const content = await fs.promises.readFile(packagejsonPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #41016092af8a9375 Environment-variable access.
repo/packages/server/src/utils/index.ts:2019
    return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8f4be7ff5ae7f85 Environment-variable access.
repo/packages/server/src/utils/index.ts:2020
        ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ce5bfa0ef5e44b9 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:127
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc6f5ccb7d387ab5 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:128
            process.env.LOG_SANITIZE_BODY_FIELDS = 'password,secret'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfcbd4c72f1c9057 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:129
            process.env.LOG_SANITIZE_HEADER_FIELDS = 'authorization'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #582b71251a444549 Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:146
            process.env.DEBUG = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62597dec83b1582f Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:147
            delete process.env.LOG_SANITIZE_BODY_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #006e74f7123e19ef Environment-variable access.
repo/packages/server/src/utils/logger.test.ts:148
            delete process.env.LOG_SANITIZE_HEADER_FIELDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3b54b2de6e05212 Filesystem access.
repo/packages/server/src/utils/logger.ts:3
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bab53f3d9856646 Environment-variable access.
repo/packages/server/src/utils/logger.ts:40
    exceptionHandlers: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...errorTransports],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #519f625e917427ba Environment-variable access.
repo/packages/server/src/utils/logger.ts:42
        ...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a8897436c5766f4 Environment-variable access.
repo/packages/server/src/utils/logger.ts:45
        ...((!process.env.DEBUG || process.env.DEBUG !== 'true') && errorTransports.length === 0 ? [new transports.Console()] : [])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2faaef547c3f7c16 Environment-variable access.
repo/packages/server/src/utils/logger.ts:54
    transports: [...(process.env.DEBUG && process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...requestTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9cf1db01fd7b1a73 Environment-variable access.
repo/packages/server/src/utils/logger.ts:58
    if (!process.env.LOG_SANITIZE_BODY_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8a0bdc84152c0343 Environment-variable access.
repo/packages/server/src/utils/logger.ts:59
    return (process.env.LOG_SANITIZE_BODY_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e9dfb73f11e932d Environment-variable access.
repo/packages/server/src/utils/logger.ts:66
    if (!process.env.LOG_SANITIZE_HEADER_FIELDS) return []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca4f37c4bdf317a1 Environment-variable access.
repo/packages/server/src/utils/logger.ts:67
    return (process.env.LOG_SANITIZE_HEADER_FIELDS as string)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5f7e8eb9dbcb1af Environment-variable access.
repo/packages/server/src/utils/logger.ts:96
        const isDebugLevel = logger.level === 'debug' || process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3db6ce5e6f0edf9e Environment-variable access.
repo/packages/server/src/utils/logger.ts:151
    transports: [...(process.env.DEBUG === 'true' ? [new transports.Console()] : []), ...auditTransports]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3fbb08bb53906c1 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:44
    delete process.env.OAUTH2_SECURITY_CHECK

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66f346e4f4cc4a87 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:45
    delete process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae7194bd3cbd8605 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:63
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom.example.com, another.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5876021df717b3e Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:73
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'github.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3917f384dcc32b28 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:80
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0484bf82fa87573a Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:81
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'my.corp.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6427acca30b6f0e2 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:87
        process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a88a2855e560ad4c Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:93
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = '  MyDomain.COM , UPPER.IO  '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c891821226005686 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:100
        process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = ',,,valid.com,,,'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ead0451cc2575f02 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:137
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'custom-idp.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1399600bd16b0121 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:148
            process.env.OAUTH2_SECURITY_CHECK = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37f480c646e98ff8 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:156
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #312e8323b15ce294 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:161
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'local.dev'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90c52517d15dcf26 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.test.ts:166
            process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS = 'myidp.local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f3a2c6b54b062b4 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:4
    return (process.env.OAUTH2_ALLOWED_TOKEN_DOMAINS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a053b320b3f6ebcc Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:21
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b249704b634ce04 Environment-variable access.
repo/packages/server/src/utils/oauth2Security.ts:49
    const securityCheckEnabled = process.env.OAUTH2_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0569e0341f06dd4 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:25
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #130d0e217f40c6f7 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:26
            if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7ca027e8acf900c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:27
                this.redisClient = new Redis(process.env.REDIS_URL, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8124e4ca60ed40e9 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:29
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f057bccb389a884b Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:30
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d24d5a4c905ae5e Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:35
                    host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be177d0f7320e2ac Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:36
                    port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #756c5753084639a3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:37
                    username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ebab3ed52dd3d2c0 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:38
                    password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fee389f0cb05b917 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:40
                        process.env.REDIS_TLS === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed355f7a23653ff8 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:42
                                  cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b72b003f58b694c Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:43
                                  key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f136b1c6263cc40 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:44
                                  ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #250ca76151480142 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:48
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2e1dd50d66ee524 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:49
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cb4456e79806c19 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:60
        if (process.env.REDIS_URL && process.env.REDIS_URL.startsWith('rediss://')) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f15752ae00c42287 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:64
        } else if (process.env.REDIS_TLS === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3372c95b03036dda Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:66
                cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99c6037f64a3d71b Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:67
                key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90b2a5259253e052 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:68
                ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d923faa8ffdaeeb2 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:72
            url: process.env.REDIS_URL || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cf97cf092701587 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:73
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7402769ddc58fed3 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:74
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #447c2619e1bf58d2 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:75
            username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7f57f7a23182db7 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:76
            password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b8b3e2047488a71 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:81
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c89f12fb486b439 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:82
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76d3dabea35216f1 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:97
            if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec6ee106ef6b2ab5 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:160
        if (!isInitialized && process.env.MODE === MODE.QUEUE && this.queueEventsProducer) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5a4293e9ff6adc2 Environment-variable access.
repo/packages/server/src/utils/rateLimit.ts:184
        if (process.env.MODE === MODE.QUEUE && this.queueEvents) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25780698108279b2 Environment-variable access.
repo/packages/server/src/utils/redis.ts:4
    const keepAliveRaw = process.env.REDIS_KEEP_ALIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #413f1b45dd9e5a6d Environment-variable access.
repo/packages/server/src/utils/redis.ts:7
    if (process.env.REDIS_URL) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d58b782ebb8cfa9 Environment-variable access.
repo/packages/server/src/utils/redis.ts:9
            url: process.env.REDIS_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a95415b50642224b Environment-variable access.
repo/packages/server/src/utils/redis.ts:16
        username: process.env.REDIS_USERNAME || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03c0b1b7ea4fa5ad Environment-variable access.
repo/packages/server/src/utils/redis.ts:17
        password: process.env.REDIS_PASSWORD || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #754eed2f467709a5 Environment-variable access.
repo/packages/server/src/utils/redis.ts:19
            host: process.env.REDIS_HOST || 'localhost',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42780d7d9dcbec68 Environment-variable access.
repo/packages/server/src/utils/redis.ts:20
            port: parseInt(process.env.REDIS_PORT || '6379'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cefce9bec87b3d8d Environment-variable access.
repo/packages/server/src/utils/redis.ts:21
            tls: process.env.REDIS_TLS === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f4a7a14318d413bb Environment-variable access.
repo/packages/server/src/utils/redis.ts:22
            cert: process.env.REDIS_CERT ? Buffer.from(process.env.REDIS_CERT, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af1ee0b5f6e811a5 Environment-variable access.
repo/packages/server/src/utils/redis.ts:23
            key: process.env.REDIS_KEY ? Buffer.from(process.env.REDIS_KEY, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d12641bdc80bec3 Environment-variable access.
repo/packages/server/src/utils/redis.ts:24
            ca: process.env.REDIS_CA ? Buffer.from(process.env.REDIS_CA, 'base64') : undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #13e8261ace970767 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:67
            delete process.env.POSTHOG_PUBLIC_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c2976af5058d790 Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:74
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63f416d3988070cf Environment-variable access.
repo/packages/server/src/utils/telemetry.test.ts:97
            process.env.POSTHOG_PUBLIC_API_KEY = 'ph-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abf5c41a5a8fa8bc Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:18
        if (process.env.POSTHOG_PUBLIC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b472f7c89bf37224 Environment-variable access.
repo/packages/server/src/utils/telemetry.ts:19
            this.postHog = new PostHog(process.env.POSTHOG_PUBLIC_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb5db1f0f0afda7f Environment-variable access.
repo/packages/server/src/utils/upsertVector.ts:307
        if (process.env.MODE === MODE.QUEUE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/ui

npm first-party
high pii_flow production #1c782024543b5924 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 · flow /tmp/closeopen-q876yqrd/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211 → /tmp/closeopen-q876yqrd/repo/packages/ui/src/ui-component/dialog/InviteUsersDialog.jsx:211
            getWorkspacesByUserIdApi.request(dialogProps.data.userId)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #20f00edc5b41a0db User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274 · flow /tmp/closeopen-q876yqrd/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:127 → /tmp/closeopen-q876yqrd/repo/packages/ui/src/views/canvas/CanvasHeader.jsx:274
            updateChatflowApi.request(chatflow.id, updateBody)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)
low egress production #f3962e0247d8ca3c Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/layout/MainLayout/Header/index.jsx:202
                    const response = await fetch('https://api.github.com/repos/FlowiseAI/Flowise')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #3f05cca7956c6ace Environment-variable access.
repo/packages/ui/src/serviceWorker.js:90
    if (process.env.NODE_ENV === 'production' && 'serviceWorker' in navigator) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1fe19382276347a Environment-variable access.
repo/packages/ui/src/serviceWorker.js:92
        const publicUrl = new URL(process.env.PUBLIC_URL, window.location.href)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #94088b3fad8d57c1 Environment-variable access.
repo/packages/ui/src/serviceWorker.js:101
            const swUrl = `${process.env.PUBLIC_URL}/service-worker.js`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #998ee296278becf5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/ui/src/ui-component/dialog/AboutDialog.jsx:16
            const latestReleaseReq = axios.get('https://api.github.com/repos/FlowiseAI/Flowise/releases/latest')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #ff8f0db7c8641179 Environment-variable access.
repo/packages/ui/vite.config.js:47
            port: process.env.VITE_PORT ?? 8080,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51e0779ad2ec30d9 Environment-variable access.
repo/packages/ui/vite.config.js:48
            host: process.env.VITE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/components

npm first-party
high pii_flow production #c083f5c0cf0757ef User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132 · flow /tmp/closeopen-q876yqrd/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:129 → /tmp/closeopen-q876yqrd/repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:132
        const response = await fetch(this.apiUrl, {
            method: 'POST',
            body: formData,
            headers
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 324 low-confidence finding(s)
low env_fs production #8b2e15315225d3c1 Environment-variable access.
repo/packages/components/nodes/agents/ConversationalAgent/ConversationalAgent.ts:283
        verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6fae0b755db0d4a Environment-variable access.
repo/packages/components/nodes/agents/ConversationalRetrievalToolAgent/ConversationalRetrievalToolAgent.ts:360
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2055cbbe34f3469f Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:104
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14c746ccefc9c385 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:113
        const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77533c9650656761 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:115
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e82a4f9ec5fda1e9 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:130
                verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb79986fa6e3bcc9 Environment-variable access.
repo/packages/components/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:157
            const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed7667603895203d Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentChat/ReActAgentChat.ts:132
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #802dfcb314889e1c Environment-variable access.
repo/packages/components/nodes/agents/ReActAgentLLM/ReActAgentLLM.ts:105
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30ffebfc3e7c93ae Environment-variable access.
repo/packages/components/nodes/agents/ToolAgent/ToolAgent.ts:359
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd9ef1fa00310889 Environment-variable access.
repo/packages/components/nodes/agents/XMLAgent/XMLAgent.ts:284
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2c488a67255859d2 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:130
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf5bc62ed238a2b6 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:131
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42d395be5ed7d64b Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:138
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f0a69b77e2f909a Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisCache.ts:139
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17fcb03ea0d91131 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:87
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92c1c9e665844406 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:88
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7c7f3dd61f441b4 Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:95
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38eaa455532b647c Environment-variable access.
repo/packages/components/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:96
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae970496445733fc Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/GETApiChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1270e1e9420516a0 Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/OpenAPIChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #edcda382ec920bb1 Environment-variable access.
repo/packages/components/nodes/chains/ApiChain/POSTApiChain.ts:124
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e3a572e24915ed3 Environment-variable access.
repo/packages/components/nodes/chains/ConversationChain/ConversationChain.ts:139
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e05818ea7e2272c7 Environment-variable access.
repo/packages/components/nodes/chains/ConversationalRetrievalQAChain/ConversationalRetrievalQAChain.ts:229
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9da0f16c585a4cf8 Environment-variable access.
repo/packages/components/nodes/chains/GraphCypherQAChain/GraphCypherQAChain.ts:423
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71cdac1b14330e5c Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:109
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7a6c6f2174edc95 Environment-variable access.
repo/packages/components/nodes/chains/LLMChain/LLMChain.ts:117
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b2d35e47627092e Environment-variable access.
repo/packages/components/nodes/chains/MultiPromptChain/MultiPromptChain.ts:71
            llmChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c48d1e9f6e1a4f2 Environment-variable access.
repo/packages/components/nodes/chains/MultiRetrievalQAChain/MultiRetrievalQAChain.ts:79
            retrievalQAChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false, returnSourceDocuments }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #baa8ec103deef796 Environment-variable access.
repo/packages/components/nodes/chains/RetrievalQAChain/RetrievalQAChain.ts:58
        const chain = RetrievalQAChain.fromLLM(model, vectorStoreRetriever, { verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #358cd2126b4c2084 Environment-variable access.
repo/packages/components/nodes/chains/SqlDatabaseChain/SqlDatabaseChain.ts:245
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #0341bdb563d1874a Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/chains/VectaraChain/VectaraChain.ts:312
            const response = await fetch(`https://api.vectara.io/v1/query`, {
                method: 'POST',
                headers: headers?.headers,
                body: JSON.stringify(data)
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #4b9d5335245f1d65 Environment-variable access.
repo/packages/components/nodes/chains/VectorDBQAChain/VectorDBQAChain.ts:60
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a29026d573cc3936 Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #74031530f8b30169 Filesystem access.
repo/packages/components/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:9
        const raw = JSON.parse(fs.readFileSync(modelsPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd007343b4ca53b6 Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43c3e512a46f91b2 Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3064cd3452c4a9c9 Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ff7bbc06bfa89dd Environment-variable access.
repo/packages/components/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:13
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #189d74d7a8f5a2f6 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:153
                    if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #043bb1cc7965d2d2 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:166
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fee853d220ae1387 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:175
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb790e68bc77ffbf Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:186
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #753f67762c2de76a Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:192
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e65ed174ed4ccf3 Environment-variable access.
repo/packages/components/nodes/documentloaders/Cheerio/Cheerio.ts:194
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19cb72a21166fcb6 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:7
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d48b5066d5b2012 Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:127
                    fs.writeFileSync(tempFilePath, fileData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #584b521fc6e9c05c Filesystem access.
repo/packages/components/nodes/documentloaders/Epub/Epub.ts:139
                    fs.writeFileSync(tempFilePath, fileBuffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06bd158440fbfb55 Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #ae3f5be0b824a1ff Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:227
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #b09706d7f33f7738 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:454
            const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #59a6c71ba021e89a Filesystem access.
repo/packages/components/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:702
        fs.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #d599b16ca654e6bc Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/documentloaders/GoogleSheets/GoogleSheets.ts:155
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #eedadaa997fed326 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:194
                const executablePath = process.env.PLAYWRIGHT_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #431f1befde186660 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:235
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44dc87f4d446f5e4 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:242
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1c5b3fb13f2388a Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:253
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25152cc1733dc6fb Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:262
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8eca6bdb1b25f1f3 Environment-variable access.
repo/packages/components/nodes/documentloaders/Playwright/Playwright.ts:264
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2e5cfc61dd68b54 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:185
                const executablePath = process.env.PUPPETEER_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76e83cd6bd04e257 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:226
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a92c4bfe55887ebf Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:233
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd0d56cb2e971c33 Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:244
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #171031d3b70e772f Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:253
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0f085f08b262c9d Environment-variable access.
repo/packages/components/nodes/documentloaders/Puppeteer/Puppeteer.ts:255
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64668be07b1cd74e Filesystem access.
repo/packages/components/nodes/documentloaders/S3Directory/S3Directory.ts:217
                        fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a3ebc6daa09d083 Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:130
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a84c930074b10790 Environment-variable access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:131
                optional: !!process.env.UNSTRUCTURED_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ac4cf045d0de824 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:784
                    fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0774ba22be1d526 Filesystem access.
repo/packages/components/nodes/documentloaders/S3File/S3File.ts:1020
        fsDefault.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6163701509136969 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:30
    private apiUrl = process.env.UNSTRUCTURED_API_URL || 'https://api.unstructuredapp.io/general/v0/general'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d35c6826e278cc77 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/Unstructured.ts:32
    private apiKey: string | undefined = process.env.UNSTRUCTURED_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30f2eee697753647 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:57
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e82668366139dd63 Environment-variable access.
repo/packages/components/nodes/documentloaders/Unstructured/UnstructuredFile.ts:58
                optional: !!process.env.UNSTRUCTURED_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c36e03f2907a87fc Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:6
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91215474973332b2 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:7
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #237c12191b971db2 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:8
    (!!process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME || !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb9cc485deb1ba15 Environment-variable access.
repo/packages/components/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:9
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a67f2bf71a651de3 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:9
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d6e8ed8514f563b Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #227c14ce1e312619 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8c52b7dac2228e0 Environment-variable access.
repo/packages/components/nodes/llms/Azure OpenAI/AzureOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60c5094b5c522cc5 Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/AgentMemory.ts:138
                : path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4430e1957a530434 Environment-variable access.
repo/packages/components/nodes/memory/AgentMemory/SQLiteAgentMemory/SQLiteAgentMemory.ts:72
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d6c44b4f0e80dd90 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:144
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #477880b604dd3803 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:145
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef305ab15ce4ff54 Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:151
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #534d1e9a014f95ae Environment-variable access.
repo/packages/components/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:152
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ef1d92c5ff1998c Environment-variable access.
repo/packages/components/nodes/multiagents/Worker/Worker.ts:235
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d94cdde8c7f518b6 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:10
const serverCredentialsExists = !!process.env.POSTGRES_RECORDMANAGER_USER && !!process.env.POSTGRES_RECORDMANAGER_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #442090373293ae79 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:139
        const user = getCredentialParam('user', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d07a6e032c58a2d Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:140
        const password = getCredentialParam('password', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba1a19caaa81e880 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_RECORDMANAGER_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d97c3c672a3d4226 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_RECORDMANAGER_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aaca9d0615411548 Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_RECORDMANAGER_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f4fce81f391cd6a Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_RECORDMANAGER_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32cb58bd2f7ad21c Environment-variable access.
repo/packages/components/nodes/recordmanager/PostgresRecordManager/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_RECORDMANAGER_TABLE_NAME, 'upsertion_records')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5759799eea3c2d5 Environment-variable access.
repo/packages/components/nodes/recordmanager/SQLiteRecordManager/SQLiteRecordManager.ts:124
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #cb2592ac6fb731f6 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/CohereRerankRetriever/CohereRerank.ts:44
            let returnedDocs = await axios.post(this.COHERE_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #15a97c0471dcd739 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/JinaRerankRetriever/JinaRerank.ts:39
            let returnedDocs = await axios.post(this.JINA_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #8dec65d15c0691b8 Environment-variable access.
repo/packages/components/nodes/retrievers/MultiQueryRetriever/MultiQueryRetriever.ts:75
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #5b494366711bd6c4 Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/retrievers/VoyageAIRetriever/VoyageAIRerank.ts:40
            let returnedDocs = await axios.post(this.VOYAGEAI_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #2635be5ff4b3361b Environment-variable access.
repo/packages/components/nodes/sequentialagents/Agent/Agent.ts:690
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2edfe2935158d12d Environment-variable access.
repo/packages/components/nodes/tools/Arxiv/Arxiv.ts:119
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cf73b4b48590295 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:77
                    process.env.CUSTOM_MCP_PROTOCOL === 'sse'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86f8f1b5996529fa Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:176
            if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b136ee9bab32d315 Environment-variable access.
repo/packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts:186
            if (process.env.CUSTOM_MCP_PROTOCOL === 'stdio' && serverParams!.command) toolkit = new MCPToolkit(serverParams, 'stdio')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #4b79926a372b77fe Hardcoded external endpoint. Review what data is sent to this destination.
repo/packages/components/nodes/tools/MCP/Pipedream/PipedreamMCP.ts:212
            const response = await axios.post('https://api.pipedream.com/v1/oauth/token', body, {
                headers: {
                    'Content-Type': 'application/json'
                }
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #b05635bd185fa7e3 Environment-variable access.
repo/packages/components/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts:109
        if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e30cfd6ce1dc124 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:416
        const originalAllowList = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae30ef347767e8f5 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:420
                delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d24f366a12e8c55a Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:422
                process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = originalAllowList

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cefbcef3caa51cce Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:427
            delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea646cd8fd8a9c48 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:435
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff3e364a34c16f55 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:447
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1705247f270db23 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:455
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR,API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27ab8eb850b1c32d Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:464
        const originalAllowedCommands = process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b63aa34e6ffb906 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:469
            process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'node,npx,python,python3,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d23e28541a33238 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:474
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f0683136c8b28cf Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:476
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = originalAllowedCommands

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10357faf1dfa770e Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:536
            const original = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05f715a78bac06bf Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:537
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_TOKEN'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6a5f06f0f13d3fc Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:549
                    delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9036906478f113a Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:551
                    process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = original

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e849fe9d1fcaa0f Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:577
                delete process.env.CUSTOM_MCP_ALLOWED_COMMANDS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39c1b2d619d2a187 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:588
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'python3'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b8e8d4f53537eb4 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:599
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = 'npx,docker'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22ed080a3ef310c1 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.test.ts:610
                process.env.CUSTOM_MCP_ALLOWED_COMMANDS = ' node , npx '

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51f5a8e09b352dd7 Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:48
                    PATH: process.env.PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4a64dc4d28e869c Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:258
        (process.env.CUSTOM_MCP_ALLOWED_ENV_VARS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5cfaaedce5230ab Environment-variable access.
repo/packages/components/nodes/tools/MCP/core.ts:390
    const allowedCommands = (process.env.CUSTOM_MCP_ALLOWED_COMMANDS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21fe91a53101f229 Environment-variable access.
repo/packages/components/nodes/vectorstores/Pinecone/Pinecone_LlamaIndex.ts:238
        this.chunkSize = params?.chunkSize ?? Number.parseInt(process.env.PINECONE_CHUNK_SIZE ?? '100')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0ab375829c18e3e Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/Postgres.ts:13
const serverCredentialsExists = !!process.env.POSTGRES_VECTORSTORE_USER && !!process.env.POSTGRES_VECTORSTORE_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5479c56a64f5675d Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:68
        const user = getCredentialParam('user', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca62541a92f34c87 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/driver/Base.ts:69
        const password = getCredentialParam('password', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #714cb2de6fd8fa2c Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_VECTORSTORE_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8b9d9e64799cd17 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_VECTORSTORE_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f30d5cb05cf649a Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_VECTORSTORE_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ab8b4077b276420 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_VECTORSTORE_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d0bf81bb69a820f Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_VECTORSTORE_TABLE_NAME, 'documents')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b66fa80d7988880 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:24
    return defaultChain(nodeData?.inputs?.contentColumnName, process.env.POSTGRES_VECTORSTORE_CONTENT_COLUMN_NAME, 'pageContent')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c649e83db6c18692 Environment-variable access.
repo/packages/components/nodes/vectorstores/Postgres/utils.ts:28
    return defaultChain(nodeData?.inputs?.schemaName, process.env.POSTGRES_VECTORSTORE_SCHEMA_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19854d73db33954a Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:154
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #810041423a8638b7 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:155
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84e27c23ae40ad3f Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:159
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09721110b78e04d1 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:160
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6be5a4b641798e9f Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:172
                    if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d95fc36b6173aa6 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:231
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e734a7dccb3a9ca Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:232
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d8413216a05fe55 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:236
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4093ee0c537bd17 Environment-variable access.
repo/packages/components/nodes/vectorstores/Redis/Redis.ts:237
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed0cdba693bb0d8b Environment-variable access.
repo/packages/components/src/handler.test.ts:388
        for (const k of LANGSMITH_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b36ce869c68dd707 Environment-variable access.
repo/packages/components/src/handler.test.ts:389
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #865eb6e7cedc39c7 Environment-variable access.
repo/packages/components/src/handler.test.ts:390
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1033f5b652670cc2 Environment-variable access.
repo/packages/components/src/handler.test.ts:391
        process.env.LANGSMITH_API_KEY = 'test-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #145fbdf116088051 Environment-variable access.
repo/packages/components/src/handler.test.ts:397
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #884ea4597509603a Environment-variable access.
repo/packages/components/src/handler.test.ts:400
            if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #25cd941279caefaf Environment-variable access.
repo/packages/components/src/handler.ts:81
        if (process.env.DEBUG === 'true') console.error(`Error setting up Arize tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db986ca945e0fb0d Environment-variable access.
repo/packages/components/src/handler.ts:135
        if (process.env.DEBUG === 'true') console.error(`Error setting up Phoenix tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38ded7359a36168b Environment-variable access.
repo/packages/components/src/handler.ts:179
        if (process.env.DEBUG === 'true') console.error(`Error setting up Opik tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a60659c955695b1 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:36
    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #936e4da86d129125 Environment-variable access.
repo/packages/components/src/httpSecurity.ts:37
    const httpDenyListString = process.env.HTTP_DENY_LIST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a37b44b3a6eb47a0 Filesystem access.
repo/packages/components/src/modelLoader.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99d1d758aa4832b5 Environment-variable access.
repo/packages/components/src/modelLoader.ts:38
        process.env.MODEL_LIST_CONFIG_JSON ?? 'https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bac86372687f4924 Filesystem access.
repo/packages/components/src/modelLoader.ts:48
            const models = await fs.promises.readFile(modelFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cc6d9a9b591384d Filesystem access.
repo/packages/components/src/modelLoader.ts:55
        const models = await fs.promises.readFile(getModelsJSONPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2914e6dc505d8f4 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:40
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bc51b7f39c8328a Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:41
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dea286e3c9714067 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:42
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f5fb18424387f21 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:43
        const containerName = process.env.AZURE_BLOB_STORAGE_CONTAINER_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81c40eb508e67b11 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:265
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef0ea90c3ae5153e Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:276
            storageConfig.accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #28f2969c9c0794ec Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:277
            storageConfig.accessKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b65490035f6b117 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:285
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7952dbc3a8c85f1b Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:286
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #464dc6e6d75eb257 Environment-variable access.
repo/packages/components/src/storage/AzureBlobStorageProvider.ts:287
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2004fc926b67164a Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:63
        const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fe0c78e319f12ff Environment-variable access.
repo/packages/components/src/storage/BaseStorageProvider.ts:64
            ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #194983ba9739948e Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:32
        const keyFilename = process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88a4d69864e0f484 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:33
        const projectId = process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16f7853f418f20d5 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:34
        const bucketName = process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #093f2a3e29668595 Environment-variable access.
repo/packages/components/src/storage/GCSStorageProvider.ts:333
                uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de83ccbea4293c74 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b151077f5f88f8ce Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:40
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc3313a2b24a67e4 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:60
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6eb43822d9bcacc9 Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:74
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff259a932edbcc2f Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:81
        return fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec433ee619876d7d Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:88
            return fs.readFileSync(fileInStorage)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f56ba27494be09b Filesystem access.
repo/packages/components/src/storage/LocalStorageProvider.ts:114
                    return fs.readFileSync(targetPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d52e499c5eda11c Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:344
        return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eabe332ad9a9c371 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:345
            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e24734ac2b246484 Environment-variable access.
repo/packages/components/src/storage/LocalStorageProvider.ts:350
        return process.env.HOME || process.env.USERPROFILE || process.env.HOMEPATH || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3a3446aef8c50b0 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:34
        const accessKeyId = process.env.S3_STORAGE_ACCESS_KEY_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efda52d05259830c Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:35
        const secretAccessKey = process.env.S3_STORAGE_SECRET_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97b28c63d0af96d6 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:36
        const region = process.env.S3_STORAGE_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc2389076d0381d7 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:37
        const bucket = process.env.S3_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27ad93b0fcfd252d Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:38
        const customURL = process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfd75aa90feb3f5c Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:39
        const forcePathStyle = process.env.S3_FORCE_PATH_STYLE === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #398acc43c12c606a Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:73
            region: process.env.S3_STORAGE_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c5442d8d9847587 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:74
            endpoint: process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac8df373e885de94 Environment-variable access.
repo/packages/components/src/storage/S3StorageProvider.ts:536
            const instance = process.env.HOSTNAME || process.env.POD_NAME || String(process.pid)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d64f5d5987e98f8 Environment-variable access.
repo/packages/components/src/storage/StorageProviderFactory.ts:20
            const storageType = process.env.STORAGE_TYPE || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e657c86090081bda Filesystem access.
repo/packages/components/src/storageUtils.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #17b92d7b9d7841ec Environment-variable access.
repo/packages/components/src/storageUtils.ts:51
    const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d7402933b495c48e Environment-variable access.
repo/packages/components/src/storageUtils.ts:52
        ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c4cbc6b279199ea Environment-variable access.
repo/packages/components/src/storageUtils.ts:64
    return process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58e6428494ff903f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:21
    for (const k of ENV_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d2eeccd3a2ec20e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:28
    for (const k of ENV_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ba677245c1660bb Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:37
        if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3298bc4350d11252 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:48
        process.env.LANGSMITH_TRACING = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0046c9545f6aebb Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:49
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de7cace9b05885a9 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:52
        process.env.LANGSMITH_TRACING = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a503d235d5fb4653 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:55
        process.env.LANGSMITH_TRACING = 'TRUE'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e032dd3d0e851210 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:60
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb320fe803890b2f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:65
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e46b28abe944554 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:66
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bea6796b7ed3d82a Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:75
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18db04a801912b84 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:76
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ae339da3b69074b Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:77
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9a1832dc037cfb2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:78
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e81b0a25b3808869 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:87
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #019640a8de274266 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:88
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4552aa852fb8834f Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:89
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #249aefe0f75489c0 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:90
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #56f5041002dc9240 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:91
        process.env.LANGSMITH_ENDPOINT = 'https://new.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50840e3dec4b4466 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:92
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba2eb420c7a3caad Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:93
        process.env.LANGSMITH_PROJECT = 'new-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78f847911e902297 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:94
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b2afe011e159e2b Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:103
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a526ce535085b83d Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:104
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af9a3e933deaccdd Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:113
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd99938bdceb9531 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:114
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb4428c708c808cf Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:115
        process.env.LANGSMITH_ENDPOINT = 'https://api.smith.langchain.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6380bc6277a38af Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:116
        process.env.LANGSMITH_PROJECT = 'my-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34e17207f5b05d0d Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:129
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36a708a70c604b8b Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:130
        process.env.LANGSMITH_API_KEY = 'k1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06509a66e0b8ad05 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:135
        process.env.LANGSMITH_API_KEY = 'k2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e9b2520e05469982 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:144
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #617f939877177886 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:145
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8fc0b221c6a87e2 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:152
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21ff5e8bc1b73649 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:153
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4757708b7ca1ca6e Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:197
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #988ee18cfdd38ffa Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:198
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ec8c33fe76c696ae Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:212
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f8730438320f0fd Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:213
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0520c33bbca1c29 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:214
        process.env.LANGSMITH_ENDPOINT = 'https://e.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #140f442f04e9c793 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:215
        process.env.LANGSMITH_PROJECT = 'proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4ab63b92da731bed Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:233
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad8dae0cc3d1b033 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:234
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #456631ad50c65f9d Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:245
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #291d66150cd726b5 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:246
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e95970b41596012 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:259
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bae05c9aac2d688 Environment-variable access.
repo/packages/components/src/tracingEnv.test.ts:260
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9023b05fec9cee20 Environment-variable access.
repo/packages/components/src/tracingEnv.ts:71
    for (const k of LANGCHAIN_TRACING_FLAG_VARS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fdc1a8aeeec4265f Environment-variable access.
repo/packages/components/src/utils.test.ts:245
        delete process.env.ALLOW_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4d35173b96448c9d Environment-variable access.
repo/packages/components/src/utils.test.ts:246
        delete process.env.TOOL_FUNCTION_EXTERNAL_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19befd6486ddfaeb Environment-variable access.
repo/packages/components/src/utils.test.ts:251
            process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fa0e5c429093d38 Environment-variable access.
repo/packages/components/src/utils.test.ts:278
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #672501b6d8c53016 Environment-variable access.
repo/packages/components/src/utils.test.ts:284
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aef3283f7ecb3ddb Environment-variable access.
repo/packages/components/src/utils.test.ts:285
        process.env.TOOL_FUNCTION_EXTERNAL_DEP = 'pg'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6584d041349b16f6 Filesystem access.
repo/packages/components/src/utils.ts:12
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4ad9d89ba6c3ae1 Environment-variable access.
repo/packages/components/src/utils.ts:32
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e83e3bb2250265c7 Environment-variable access.
repo/packages/components/src/utils.ts:34
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fb70ed4f8ffefa6 Environment-variable access.
repo/packages/components/src/utils.ts:35
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38f0d0580a708501 Environment-variable access.
repo/packages/components/src/utils.ts:36
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0fdecd7da39dfb5 Environment-variable access.
repo/packages/components/src/utils.ts:408
            if (process.env.DEBUG === 'true') console.error(`error with scraped URL: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99d4f1a9ec14883a Environment-variable access.
repo/packages/components/src/utils.ts:454
    if (process.env.DEBUG === 'true') console.info(`actively crawling ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87e83855a91b7282 Environment-variable access.
repo/packages/components/src/utils.ts:459
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad44988d17b6989d Environment-variable access.
repo/packages/components/src/utils.ts:465
            if (process.env.DEBUG === 'true') console.error(`non html response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a01350e6ba67aacf Environment-variable access.
repo/packages/components/src/utils.ts:475
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d94278dccee6727 Environment-variable access.
repo/packages/components/src/utils.ts:510
    if (process.env.DEBUG === 'true') console.info(`actively scarping ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16aa0be0a70679f1 Environment-variable access.
repo/packages/components/src/utils.ts:515
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fcaba53cfb148dc Environment-variable access.
repo/packages/components/src/utils.ts:521
            if (process.env.DEBUG === 'true') console.error(`non xml response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d64fbc8a5781835 Environment-variable access.
repo/packages/components/src/utils.ts:528
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b844e38e30522ccf Environment-variable access.
repo/packages/components/src/utils.ts:540
        return typeof process !== 'undefined' ? process.env?.[name] : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a13ce60814a0541d Environment-variable access.
repo/packages/components/src/utils.ts:571
    return process.env.SECRETKEY_PATH ? path.join(process.env.SECRETKEY_PATH, 'encryption.key') : getEncryptionKeyFilePath()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6fd9112298558cd1 Environment-variable access.
repo/packages/components/src/utils.ts:579
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #003bfe811007f08d Environment-variable access.
repo/packages/components/src/utils.ts:580
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcd1c082c5beedba Environment-variable access.
repo/packages/components/src/utils.ts:584
            const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ad86ecde75a1820e Filesystem access.
repo/packages/components/src/utils.ts:592
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #45ad5829c97ab07c Environment-variable access.
repo/packages/components/src/utils.ts:734
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4ebc27f91a7e34b Environment-variable access.
repo/packages/components/src/utils.ts:738
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29f0412a23f91906 Environment-variable access.
repo/packages/components/src/utils.ts:1021
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #502d55e03566922e Filesystem access.
repo/packages/components/src/utils.ts:1048
            const content = await fs.promises.readFile(checkPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61802d96bc44fec2 Environment-variable access.
repo/packages/components/src/utils.ts:1603
    const shouldUseE2BSandbox = useSandbox && process.env.E2B_APIKEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a44e7a7cd190aded Environment-variable access.
repo/packages/components/src/utils.ts:1606
    if (process.env.SANDBOX_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73149ed6a5bf0144 Environment-variable access.
repo/packages/components/src/utils.ts:1607
        timeoutMs = parseInt(process.env.SANDBOX_TIMEOUT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #35eb21f19c8ea425 Environment-variable access.
repo/packages/components/src/utils.ts:1665
            const sbx = await Sandbox.create({ apiKey: process.env.E2B_APIKEY, timeoutMs })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32afd169e39968fa Environment-variable access.
repo/packages/components/src/utils.ts:1729
        const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00ffea66c1cbd219 Environment-variable access.
repo/packages/components/src/utils.ts:1730
            ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #653d95d92baf1d50 Environment-variable access.
repo/packages/components/src/utils.ts:1732
        const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57455e1adc3bcb97 Environment-variable access.
repo/packages/components/src/utils.ts:1733
        let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d507779e2fa6413 Environment-variable access.
repo/packages/components/src/validator.test.ts:55
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #033126e76875c600 Environment-variable access.
repo/packages/components/src/validator.test.ts:58
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b62ab91e9586c4b1 Environment-variable access.
repo/packages/components/src/validator.test.ts:75
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3000aa73611d5dc Environment-variable access.
repo/packages/components/src/validator.test.ts:78
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1cbc6382a0b38a4 Environment-variable access.
repo/packages/components/src/validator.test.ts:365
            const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9b1f4ae0f969c1d1 Environment-variable access.
repo/packages/components/src/validator.test.ts:366
            delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46573cd71de1a05b Environment-variable access.
repo/packages/components/src/validator.test.ts:375
                    process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b56062f63ec9eacb Environment-variable access.
repo/packages/components/src/validator.test.ts:396
        const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd4a50b68c57458e Environment-variable access.
repo/packages/components/src/validator.test.ts:401
                process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1b58a7b3b61511f Environment-variable access.
repo/packages/components/src/validator.test.ts:403
                delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a72c62fb21e6e794 Environment-variable access.
repo/packages/components/src/validator.test.ts:409
            process.env.BLOB_STORAGE_PATH = customStoragePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #871350473cd90343 Environment-variable access.
repo/packages/components/src/validator.test.ts:418
            process.env.BLOB_STORAGE_PATH = path.join(userHome, 'custom-storage')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60843533f6398baf Environment-variable access.
repo/packages/components/src/validator.test.ts:453
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b405ca8c7a3cd4f9 Environment-variable access.
repo/packages/components/src/validator.test.ts:456
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42c5be839fda8aef Environment-variable access.
repo/packages/components/src/validator.test.ts:591
        const originalDatabasePath = process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c7fc760dccf088a Environment-variable access.
repo/packages/components/src/validator.test.ts:595
                delete process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6688bcd1111c9120 Environment-variable access.
repo/packages/components/src/validator.test.ts:597
                process.env.DATABASE_PATH = originalDatabasePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b79414380d536b7c Environment-variable access.
repo/packages/components/src/validator.test.ts:603
            process.env.DATABASE_PATH = customBase

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae5902cef2328fe9 Environment-variable access.
repo/packages/components/src/validator.test.ts:609
            process.env.DATABASE_PATH = path.join(userHome, 'custom-flowise-data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #006a54982ff1eb35 Environment-variable access.
repo/packages/components/src/validator.test.ts:616
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5df26cbdea507600 Environment-variable access.
repo/packages/components/src/validator.test.ts:619
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #afaca50ff75b2e7a Environment-variable access.
repo/packages/components/src/validator.test.ts:788
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #645165f2f93e25a7 Environment-variable access.
repo/packages/components/src/validator.test.ts:791
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f47cb94875cb2c70 Environment-variable access.
repo/packages/components/src/validator.ts:41
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d71f12199554bb0e Environment-variable access.
repo/packages/components/src/validator.ts:70
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d06d5f7391defd7a Environment-variable access.
repo/packages/components/src/validator.ts:195
    if (process.env.BLOB_STORAGE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c771d827f21ca554 Environment-variable access.
repo/packages/components/src/validator.ts:196
        allowedDirs.push(path.resolve(process.env.BLOB_STORAGE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #132d4e434455d637 Environment-variable access.
repo/packages/components/src/validator.ts:213
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a661c25bfe0b3bf Environment-variable access.
repo/packages/components/src/validator.ts:290
    if (process.env.DATABASE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aed686d046302cc3 Environment-variable access.
repo/packages/components/src/validator.ts:291
        dirs.push(path.resolve(process.env.DATABASE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be4c363c5aa1694 Environment-variable access.
repo/packages/components/src/validator.ts:324
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a1c31cbeac2e802 Environment-variable access.
repo/packages/components/src/validator.ts:423
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm)

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #42504391c84f505a Environment-variable access.
repo/.eslintrc.js:25
        'no-console': [process.env.CI ? 'error' : 'warn', { allow: ['warn', 'error', 'info'] }],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24c1ec9db374d4e0 Environment-variable access.
repo/docker/worker/healthcheck/healthcheck.js:4
const port = process.env.WORKER_PORT || 5566

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (npm): packages/agentflow

npm first-party
expand_more 2 low-confidence finding(s)
low pii_flow test-only Excluded from app score #126e5bfa8d8c8a79 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37 · flow /tmp/closeopen-q876yqrd/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:26 → /tmp/closeopen-q876yqrd/repo/packages/agentflow/examples/src/SaveToDbDialog.tsx:37
            const res = await fetch(`${apiBaseUrl}/api/v1/chatflows`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify(body)
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low pii_flow test-only Excluded from app score #99f258a422454ffd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
repo/packages/agentflow/examples/src/TestRunDialog.tsx:44 · flow /tmp/closeopen-q876yqrd/repo/packages/agentflow/examples/src/TestRunDialog.tsx:32 → /tmp/closeopen-q876yqrd/repo/packages/agentflow/examples/src/TestRunDialog.tsx:44
            const res = await fetch(`${apiBaseUrl}/api/v1/internal-prediction/${agentflowId}`, {
                method: 'POST',
                headers: authHeaders,
                credentials: token ? 'omit' : 'include',
                body: JSON.stringify({ question: question.trim(), streaming: true, chatId })
            })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

</> Dependencies

@elastic/elasticsearch

npm dependency
high pii_flow dependency Excluded from app score #48be20433aa96084 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:952 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:935 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:952
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #3e0170c1119f6722 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1574 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1562 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1574
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #01c8b0d6db4851b6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1612 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1600 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1612
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #016848e7159ff5b2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:1688 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1676 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:1688
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #fe90536eeec35f0c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2274 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2257 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2274
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #e2fd2e0862cb9dd4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2454 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2437 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2454
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #22b804915a96484b User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/esm/api/api/security.js:2927 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2915 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/esm/api/api/security.js:2927
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0cb1194f6e7b4cf4 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:954 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:937 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:954
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #4f641841721d56f0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1576 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1564 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1576
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ca69243c74522d34 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1614 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1602 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1614
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #7203d43846b18576 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:1690 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1678 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:1690
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #ee084913d63b0adc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2276 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2259 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2276
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #0180bb7ec13805cc User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2456 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2439 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2456
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #b764eed84c71d808 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]/lib/api/api/security.js:2929 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2917 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]/lib/api/api/security.js:2929
        return await this.transport.request({ path, method, querystring, body, meta }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

@gomomento/sdk

npm dependency
high pii_flow tooling Excluded from app score unknown #1ba10f3d37d56e2c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #1678dfd8999740ea User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}&&ttl_seconds=${ttl_seconds}`, {
			method: 'PUT',
			body: value
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #323757dac66a71b2 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}`, {
			method: 'DELETE',
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #e2db575d545ade39 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
  const resp = await fetch(process.env.TVM_ENDPOINT as string);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 42 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #8be00ba27936682b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:12
    accessKeyId: process.env.AWS_ACCESS_KEY_ID || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8942a7150bc049af Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:13
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #de919cf927966195 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:14
    sessionToken: process.env.AWS_SESSION_TOKEN || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3cf138711b65370b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:16
  region: process.env.AWS_REGION || 'us-west-2',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #932abb1ff68fba16 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/helper.ts:3
    if (!process.env[variable]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #55c245987bdcfbba Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/momento.ts:34
    credentialProvider: new StringMomentoTokenProvider(process.env.MOMENTO_API_KEY || ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b5948aa13196addc Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/momento.ts:42
    credentialProvider: new StringMomentoTokenProvider(process.env.MOMENTO_API_KEY || ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #073752c6571e3ca9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/advanced-compression-cdk/infrastructure/bin/advanced-compression-cdk.ts:6
const momentoApiKey = process.env.MOMENTO_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0b21eb90acf0ffa2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/docker/ecs-code/index.ts:38
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a4467b3d0aa7d6a6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:21
    if (!this.validateMomentoApiKey(process.env.MOMENTO_API_KEY)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5be578da3daaffda Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:24
    const momentoApiKey = String(process.env.MOMENTO_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #701f56d794ceae11 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:26
    if (!this.validateStackConfig(process.env.EXAMPLE_MOMENTO_APPLICATION)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dcf79738412d7826 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:29
    const stackConfig = String(process.env.EXAMPLE_MOMENTO_APPLICATION);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fb323b74d2c42088 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:31
    if (!this.validateLogGroupName(stackConfig, process.env.LOG_GROUP_NAME)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #97e600b9cc194ee7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:34
    const dashboardOnlyLogGroupName = String(process.env.LOG_GROUP_NAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f7784724365edd4d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/lambda/handler.ts:52
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #82c4b36f18f0089c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/simple-get/lambda/simple-get/handler.ts:51
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e8b707d559b89c4c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/simple-get/lambda/simple-get/handler.ts:55
  const endpointSecretName = process.env.MOMENTO_ENDPOINT_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c9907548b6510522 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/advanced.ts:16
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #39193210aa8261a4 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/advanced.ts:168
  logger.info(`Here are the contents of the metrics csv file:\n\n${fs.readFileSync(metricsCsvPath).toString()}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #eee139a483e59ff6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1942
  const originalApiKey = process.env['MOMENTO_API_KEY'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e434471d0d5c80e8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1943
  process.env['MOMENTO_API_KEY'] = retrieveApiKeyFromYourSecretsManager();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #60bf1b0d5da5d731 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1946
  process.env['MOMENTO_API_KEY'] = retrieveApiKeyV2FromYourSecretsManager();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #47cb02b4a60fc6c5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1950
  process.env['MOMENTO_API_KEY'] = originalApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #accc3f428574d2fc Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/working-with-files.ts:11
    const data = fs.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b3b6949c5cb00dc1 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/working-with-files.ts:50
      fs.writeFileSync('./myfile2.json', buffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #02cd7697841fe4b2 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/get-set-batch-perf-test/utils/perf-test-utils.ts:4
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2eb1ad63401cee91 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/get-set-batch-perf-test/utils/perf-test-utils.ts:104
    fs.writeFileSync(filename, header);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #19358e7c695b1ce5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/token-vending-machine/lambda/token-vending-machine/handler.ts:19
    const vendorApiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b0951a84ab8354f9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
  const resp = await fetch(process.env.TVM_ENDPOINT as string);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #082472b71aecb326 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:5
  secret: process.env.NEXTAUTH_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #72bf64668c37f0dd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:23
        const envUsername = String(process.env.MOMENTO_AUTH_USERNAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c333df0013a74e4e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:24
        const envPassword = String(process.env.MOMENTO_AUTH_PASSWORD);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f333c1ec9153f26f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/page.tsx:9
  const cacheName = String(process.env.NEXT_PUBLIC_MOMENTO_CACHE_NAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #707d81d99498fa53 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/page.tsx:10
  const authMethod = String(process.env.NEXT_PUBLIC_AUTH_METHOD);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11223fbdc50d4906 Filesystem access.
pkgs/npm/@[email protected]__reposrc/packages/client-sdk-nodejs/src/config/middleware/experimental-metrics-csv-middleware.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa2c2d1d325e3674 Filesystem access.
pkgs/npm/@[email protected]__reposrc/packages/client-sdk-nodejs/src/config/middleware/experimental-metrics-csv-middleware.ts:82
    fs.writeFileSync(this.csvPath, `${this.fieldNames().join(',')}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #184e7ca2970831a9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/common-integration-tests/src/common-int-test-utils.ts:14
const isInsideGithubCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87d63d4c4d5a77f6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/common-integration-tests/src/common-int-test-utils.ts:27
  const useLocalhost = process.env.MOMENTO_SDK_TESTS_USE_LOCALHOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5dca30691b1812f2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:375
    const authToken = process.env[props.environmentVariableName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b91d283e549cde9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:593
    const endpoint = process.env[endpointEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2471984921298185 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:603
    const authToken = process.env[apiKeyEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@gomomento/sdk-core

npm dependency
high pii_flow tooling Excluded from app score unknown #9fc3fdf832e02f61 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:24
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}`);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #3a12aaeb9d506b6c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:35
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}&&ttl_seconds=${ttl_seconds}`, {
			method: 'PUT',
			body: value
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #b5313e30c35fd0a1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:15 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/cloudflare-workers/http-api/src/worker.ts:50
		const resp = await fetch(`${this.baseurl}/${cacheName}?key=${key}&token=${this.apiKey}`, {
			method: 'DELETE',
		});

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #87f4bc99ef9f6786 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
  const resp = await fetch(process.env.TVM_ENDPOINT as string);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 42 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #25889a54491e9d04 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:12
    accessKeyId: process.env.AWS_ACCESS_KEY_ID || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1db8cbbbfb8cc60c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:13
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY || '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0e3c714c64e01490 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:14
    sessionToken: process.env.AWS_SESSION_TOKEN || undefined,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0413c2ed8d7db016 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/dynamodb.ts:16
  region: process.env.AWS_REGION || 'us-west-2',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #af15bf94b97d9433 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/helper.ts:3
    if (!process.env[variable]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0b82650f9ee93ec6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/momento.ts:34
    credentialProvider: new StringMomentoTokenProvider(process.env.MOMENTO_API_KEY || ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7fb1967291a5f028 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/eventbridge/cliApp/utils/momento.ts:42
    credentialProvider: new StringMomentoTokenProvider(process.env.MOMENTO_API_KEY || ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fbba4c880ccceea4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/advanced-compression-cdk/infrastructure/bin/advanced-compression-cdk.ts:6
const momentoApiKey = process.env.MOMENTO_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #bfd6eddc324d06c0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/docker/ecs-code/index.ts:38
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #baf81c05bbc730cd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:21
    if (!this.validateMomentoApiKey(process.env.MOMENTO_API_KEY)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c5e62af1618273e6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:24
    const momentoApiKey = String(process.env.MOMENTO_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #713ce204affb4517 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:26
    if (!this.validateStackConfig(process.env.EXAMPLE_MOMENTO_APPLICATION)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fe4fcbaf2028db53 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:29
    const stackConfig = String(process.env.EXAMPLE_MOMENTO_APPLICATION);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3a9b5b778f4b4b1a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:31
    if (!this.validateLogGroupName(stackConfig, process.env.LOG_GROUP_NAME)) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4b527cd0b8bf85e6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/infrastructure/lib/momento-metrics-stack.ts:34
    const dashboardOnlyLogGroupName = String(process.env.LOG_GROUP_NAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f446d71d58195c16 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/cloudwatch-metrics/lambda/handler.ts:52
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7e4ae30ca07aa127 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/simple-get/lambda/simple-get/handler.ts:51
  const apiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4e03a306f7f3515e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/aws/lambda-examples/simple-get/lambda/simple-get/handler.ts:55
  const endpointSecretName = process.env.MOMENTO_ENDPOINT_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ed24721de40be63b Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/advanced.ts:16
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a0b57d0e028b3938 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/advanced.ts:168
  logger.info(`Here are the contents of the metrics csv file:\n\n${fs.readFileSync(metricsCsvPath).toString()}`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c778213b305ef410 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1942
  const originalApiKey = process.env['MOMENTO_API_KEY'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fe97ab3a3a2027c3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1943
  process.env['MOMENTO_API_KEY'] = retrieveApiKeyFromYourSecretsManager();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a126eb0bf593ea48 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1946
  process.env['MOMENTO_API_KEY'] = retrieveApiKeyV2FromYourSecretsManager();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #123d865f4ea135c5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/doc-examples-js-apis.ts:1950
  process.env['MOMENTO_API_KEY'] = originalApiKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4f05e40ab9b4617f Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/working-with-files.ts:11
    const data = fs.readFileSync(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5b480ce7af975224 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/cache/doc-example-files/working-with-files.ts:50
      fs.writeFileSync('./myfile2.json', buffer);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b8ccb6d54e044cba Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/get-set-batch-perf-test/utils/perf-test-utils.ts:4
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9c4c9a9744ec9f85 Filesystem access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/get-set-batch-perf-test/utils/perf-test-utils.ts:104
    fs.writeFileSync(filename, header);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #227be8834f6c74ee Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nodejs/token-vending-machine/lambda/token-vending-machine/handler.ts:19
    const vendorApiKeySecretName = process.env.MOMENTO_API_KEY_SECRET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fc5172db6cf14afd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/cache/refresh-disposable-tokens.ts:45
  const resp = await fetch(process.env.TVM_ENDPOINT as string);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1790e0f90388a6df Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:5
  secret: process.env.NEXTAUTH_SECRET,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #d44e20080aa98ec9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:23
        const envUsername = String(process.env.MOMENTO_AUTH_USERNAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4fc883473aaa4b26 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/api/auth/[...nextauth]/auth-options.ts:24
        const envPassword = String(process.env.MOMENTO_AUTH_PASSWORD);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f23406747424ef27 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/page.tsx:9
  const cacheName = String(process.env.NEXT_PUBLIC_MOMENTO_CACHE_NAME);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8ef989a65be8e780 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/web/nextjs-chat/src/app/page.tsx:10
  const authMethod = String(process.env.NEXT_PUBLIC_AUTH_METHOD);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08717e72556d7b7f Filesystem access.
pkgs/npm/@[email protected]__reposrc/packages/client-sdk-nodejs/src/config/middleware/experimental-metrics-csv-middleware.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6bb2493670df197 Filesystem access.
pkgs/npm/@[email protected]__reposrc/packages/client-sdk-nodejs/src/config/middleware/experimental-metrics-csv-middleware.ts:82
    fs.writeFileSync(this.csvPath, `${this.fieldNames().join(',')}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b242337ef8db954 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/common-integration-tests/src/common-int-test-utils.ts:14
const isInsideGithubCI = process.env.CI === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #970d3c86f931bf67 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/common-integration-tests/src/common-int-test-utils.ts:27
  const useLocalhost = process.env.MOMENTO_SDK_TESTS_USE_LOCALHOST;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e02f917c9a9674d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:375
    const authToken = process.env[props.environmentVariableName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f03f309e2acd7df Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:593
    const endpoint = process.env[endpointEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e405e475e57378ea Environment-variable access.
pkgs/npm/@[email protected]__reposrc/packages/core/src/auth/credential-provider.ts:603
    const authToken = process.env[apiKeyEnvVar];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@datastax/astra-db-ts

npm dependency
high pii_flow dependency Excluded from app score #446a745e8348b749 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:252 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:83 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:252
    const resp = await this.#httpClient.request({
      method: HttpMethods.Get,
      path: `/databases/${id}`,
    }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #56ddbfbd5b16d937 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:305 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:83 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-admin.ts:305
    const resp = await this.#httpClient.request({
      method: HttpMethods.Get,
      path: `/databases`,
      params: params,
    }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #4396c113aadf1a37 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/devops/astra-db-admin.ts:171 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-db-admin.ts:97 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/devops/astra-db-admin.ts:171
    const resp = await this.#httpClient.request({
      method: HttpMethods.Get,
      path: `/databases/${this.#db.id}`,
    }, options);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 12 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #9355353cb70d4aa7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/http2-when-minified/src/app/route.ts:6
const client = new DataAPIClient(process.env.ASTRA_DB_TOKEN!, {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #58a0404a5a57b346 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/http2-when-minified/src/app/route.ts:11
const db = client.db(process.env.ASTRA_DB_ENDPOINT!);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1d4c11d16ccf27e3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nextjs/src/app/route.ts:6
const client = new DataAPIClient(process.env.ASTRA_DB_TOKEN!);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #0a8b209dc39029bf Environment-variable access.
pkgs/npm/@[email protected]__reposrc/examples/nextjs/src/app/route.ts:7
const db = client.db(process.env.ASTRA_DB_ENDPOINT!);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f702630473b0be1b Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/add-license-bumf.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #78de41b961264606 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/add-license-bumf.js:23
fs.readFile(filePath, 'utf8', (err, data) => {
  if (err) {
    throw new Error('Error reading file ${filePath}: ${err}');
  }

  fs.writeFile(filePath, bumf + '\n\n' + data, 'utf8', (err) => {
    if (err) {
      throw new Error('Error writing file ${filePath}: ${err}');
    }
  });
});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b48eefd73db76ea7 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/add-license-bumf.js:28
  fs.writeFile(filePath, bumf + '\n\n' + data, 'utf8', (err) => {
    if (err) {
      throw new Error('Error writing file ${filePath}: ${err}');
    }
  });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #126a4049ce22b92a Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/del-empty-dist-files.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ce1d1a08c2d41292 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/del-empty-dist-files.js:29
        fs.readFile(filePath, 'utf8', (err, data) => {
          if (err) {
            return console.error('Error reading file: ' + err);
          }

          if (data === targetContent) {
            fs.unlink(filePath, (err) => err && console.error('Error deleting file: ' + err));
          }
        });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ea27f07488cb7eaf Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/reduce-comments.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1df6cd808653877b Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/reduce-comments.js:27
fs.readFile(filePath, 'utf8', (err, data) => {
  if (err) {
    throw new Error('Error reading file ${filePath}: ${err}');
  }

  const withShortenedLicense = data.replace(longBumf, shortBumf);
  const withStrippedBlockComments = strip.block(withShortenedLicense);

  fs.writeFile(filePath, withStrippedBlockComments, 'utf8', (err) => {
    if (err) {
      throw new Error('Error writing file ${filePath}: ${err}');
    }
  });
});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #89d521ec3499f24b Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/utils/reduce-comments.js:35
  fs.writeFile(filePath, withStrippedBlockComments, 'utf8', (err) => {
    if (err) {
      throw new Error('Error writing file ${filePath}: ${err}');
    }
  });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@modelcontextprotocol/sdk

npm dependency
high pii_flow tooling Excluded from app score unknown #6a724ea6b220d918 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:245
        const response = await fetch(endpoint, {
            method: 'POST',
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            body: new URLSearchParams({
                token: token
            }).toString()
        });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow tooling Excluded from app score unknown #0c584590b074beeb User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:643
            const response = await fetch(endpoint, {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                body: new URLSearchParams({
                    token: token
                }).toString()
            });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 18 low-confidence finding(s)
low egress tooling Excluded from app score unknown #152555e824f83765 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/@[email protected]__reposrc/scripts/fetch-spec-types.ts:16
    const response = await fetch(url);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unknown #b167772531b5fb0c Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/fetch-spec-types.ts:77
        writeFileSync(outputPath, fullContent, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9239436d89a93c18 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/client/stdio.ts:71
        const value = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b9bacd504b0e9732 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:26
const DEFAULT_SERVER_URL = process.env.MCP_SERVER_URL || 'http://localhost:3000/mcp';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #68e124d31144cd9e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:29
    const clientId = process.env.MCP_CLIENT_ID;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8c6834ccab2c75b9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:36
    const privateKeyPem = process.env.MCP_CLIENT_PRIVATE_KEY_PEM;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f84b601967c3d908 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:38
        const algorithm = process.env.MCP_CLIENT_ALGORITHM || 'RS256';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7179098e61273a10 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/client/simpleClientCredentials.ts:48
    const clientSecret = process.env.MCP_CLIENT_SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #dcc2b12b4a2f6cf7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationFormExample.ts:350
    const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9d8ac89e76d504c7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215
const MCP_PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fc5163f3289d5289 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:216
const AUTH_PORT = process.env.MCP_AUTH_PORT ? parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow tooling Excluded from app score unknown #76dfa5826b3e38b3 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:681 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:215 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/elicitationUrlExample.ts:681
app.post('/mcp', authMiddleware, mcpPostHandler);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs tooling Excluded from app score unknown #6fb8dc5fb353ccd7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/honoWebStandardStreamableHttp.ts:69
const PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5272a1362d47d8f3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621
const MCP_PORT = process.env.MCP_PORT ? parseInt(process.env.MCP_PORT, 10) : 3000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #efd933bdec3b2ff7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:622
const AUTH_PORT = process.env.MCP_AUTH_PORT ? parseInt(process.env.MCP_AUTH_PORT, 10) : 3001;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow tooling Excluded from app score unknown #2d4c44beb6872d75 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Same-origin destination — not external exfiltration.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:778 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:621 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleStreamableHttp.ts:778
    app.post('/mcp', authMiddleware, mcpPostHandler);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs tooling Excluded from app score unknown #53b8d0286e8f3135 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/examples/server/simpleTaskInteractive.ts:448
const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 8000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b39d91da2d02d9b1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/server/auth/router.ts:12
    process.env.MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL === 'true' || process.env.MCP_DANGEROUSLY_ALLOW_INSECURE_ISSUER_URL === '1';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

axios

npm dependency
high pii_flow dependency Excluded from app score #e671b95673605dc7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:708 · flow /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/adapters/http.js:610 → /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/adapters/http.js:708
      req = transport.request(options, function handleResponse(res) {
        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (config.decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + config.maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (req.destroyed) return;
            reject(AxiosError.from(err, null, config, lastRequest));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium pii_flow dependency Excluded from app score #75b4aaa92beaac88 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:708 · flow /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/adapters/http.js:616 → /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/adapters/http.js:708
      req = transport.request(options, function handleResponse(res) {
        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (config.decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (config.maxContentLength > -1 && totalResponseBytes > config.maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + config.maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (req.destroyed) return;
            reject(AxiosError.from(err, null, config, lastRequest));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #801faba6471dec58 Environment-variable access.
pkgs/npm/[email protected]/lib/helpers/shouldBypassProxy.js:64
  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-components

npm dependency
high pii_flow dependency Excluded from app score #b6f9549da75e144f User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132 · flow /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:129 → /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:132
        const response = await fetch(this.apiUrl, {
            method: 'POST',
            body: formData,
            headers
        })

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 315 low-confidence finding(s)
low env_fs dependency Excluded from app score #4661213000f17fcb Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ConversationalAgent/ConversationalAgent.ts:283
        verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f10a833b0a90668 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ConversationalRetrievalToolAgent/ConversationalRetrievalToolAgent.ts:360
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd719208f6125a33 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:104
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30d2e935c88b86b8 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/AnthropicAgent/AnthropicAgent_LlamaIndex.ts:113
        const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02b699c5e1c7a56d Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:115
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8925cf33340e0f33 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:130
                verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bf13a71405cb645 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/LlamaIndexAgents/OpenAIToolAgent/OpenAIToolAgent_LlamaIndex.ts:157
            const response = await agent.chat({ message: input, chatHistory, verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bd4c5268669dbc0 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ReActAgentChat/ReActAgentChat.ts:132
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7f94269ded5ab8 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ReActAgentLLM/ReActAgentLLM.ts:105
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #962a3c34418c23ab Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/ToolAgent/ToolAgent.ts:359
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a356651aa2ac9f17 Environment-variable access.
pkgs/npm/[email protected]/nodes/agents/XMLAgent/XMLAgent.ts:284
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e7b445d93cafa61 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:130
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dedc7a0537b99613 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:131
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2dd266af78de1eb Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:138
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0da4000645a1cd6 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisCache.ts:139
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b938bb7ab92d790a Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:87
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e29a1c90ee290b8f Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:88
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9b1112476d0e8f3 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:95
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8330039c29755c92 Environment-variable access.
pkgs/npm/[email protected]/nodes/cache/RedisCache/RedisEmbeddingsCache.ts:96
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1a616323998e46c Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/GETApiChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9e2a272e1a9cbb8 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/OpenAPIChain.ts:134
        verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a81104e8a1aa7109 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ApiChain/POSTApiChain.ts:124
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93ce7cf1dfcba24b Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ConversationChain/ConversationChain.ts:139
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddcfeae12212b573 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/ConversationalRetrievalQAChain/ConversationalRetrievalQAChain.ts:229
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a765b845b4079e1d Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/GraphCypherQAChain/GraphCypherQAChain.ts:423
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9316cd346ab6f107 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/LLMChain/LLMChain.ts:109
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #baf13929c6b205c7 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/LLMChain/LLMChain.ts:117
                verbose: process.env.DEBUG === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dcac45d5884a397 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/MultiPromptChain/MultiPromptChain.ts:71
            llmChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dfd43fc5f5b55e9 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/MultiRetrievalQAChain/MultiRetrievalQAChain.ts:79
            retrievalQAChainOpts: { verbose: process.env.DEBUG === 'true' ? true : false, returnSourceDocuments }

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e20b5481f8f97e59 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/RetrievalQAChain/RetrievalQAChain.ts:58
        const chain = RetrievalQAChain.fromLLM(model, vectorStoreRetriever, { verbose: process.env.DEBUG === 'true' ? true : false })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40cc295a093c5122 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/SqlDatabaseChain/SqlDatabaseChain.ts:245
        verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #75e804dfff511b52 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/chains/VectaraChain/VectaraChain.ts:312
            const response = await fetch(`https://api.vectara.io/v1/query`, {
                method: 'POST',
                headers: headers?.headers,
                body: JSON.stringify(data)
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #03f411daeffad809 Environment-variable access.
pkgs/npm/[email protected]/nodes/chains/VectorDBQAChain/VectorDBQAChain.ts:60
            verbose: process.env.DEBUG === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b3fba754a86543c Filesystem access.
pkgs/npm/[email protected]/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:1
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6dca8214a140eea Filesystem access.
pkgs/npm/[email protected]/nodes/chatmodels/AWSBedrock/AWSBedrockCatalog.test.ts:9
        const raw = JSON.parse(fs.readFileSync(modelsPath, 'utf8'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67f6bc9ae826523f Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd6c1251cad85a87 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd2a454c5d0b3e42 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75af8419ab159c03 Environment-variable access.
pkgs/npm/[email protected]/nodes/chatmodels/AzureChatOpenAI/AzureChatOpenAI.ts:13
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8abdfe74303d9b3e Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:153
                    if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b31b941d7ff5f45 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:166
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63a4d78aa6c6f969 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:175
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63be78260622b768 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:186
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee2a96c6ec48699a Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:192
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish CheerioWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae88d0c98c69e947 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Cheerio/Cheerio.ts:194
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82584dad32c83e9c Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:7
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9a60493fa9520fd Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:127
                    fs.writeFileSync(tempFilePath, fileData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c47e88434313af85 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/Epub/Epub.ts:139
                    fs.writeFileSync(tempFilePath, fileBuffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca0c4ce28c2a5a6b Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:15
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #d6c782ca26668d30 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:227
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #4fc1321dc5ca4530 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:454
            const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #4fa0c617d7b15d04 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleDrive/GoogleDrive.ts:702
        fs.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #35a3b14250b447f5 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/documentloaders/GoogleSheets/GoogleSheets.ts:155
                const url = new URL('https://www.googleapis.com/drive/v3/files')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #810e65362b099471 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:194
                const executablePath = process.env.PLAYWRIGHT_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7308a820f14e58f1 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:235
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92e75a99079be7ff Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:242
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40af442b4b406250 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:253
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68ea02b97849c68d Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:262
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PlaywrightWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd92427b4a9e7e3b Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Playwright/Playwright.ts:264
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a01fef16f1ab573 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:185
                const executablePath = process.env.PUPPETEER_EXECUTABLE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86863f60d50a31f2 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:226
                if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57e1d2cd2ddf4491 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:233
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Start PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d546c81a2b3db51 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:244
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84d2b2e198c65249 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:253
            if (process.env.DEBUG === 'true') options.logger.info(`[${orgId}]: Finish PuppeteerWebBaseLoader ${relativeLinksMethod}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6a38892d970cd70 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Puppeteer/Puppeteer.ts:255
            if (process.env.DEBUG === 'true')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c722bd88f26594c9 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3Directory/S3Directory.ts:217
                        fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6afecd3b274b6b2a Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:130
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed5ab0a8ff4a72dc Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:131
                optional: !!process.env.UNSTRUCTURED_API_URL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1088416f6c06f49 Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:784
                    fsDefault.writeFileSync(filePath, objectData)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b6413668a375fab Filesystem access.
pkgs/npm/[email protected]/nodes/documentloaders/S3File/S3File.ts:1020
        fsDefault.writeFileSync(tempFilePath, buffer)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c0c6722741e38be Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:30
    private apiUrl = process.env.UNSTRUCTURED_API_URL || 'https://api.unstructuredapp.io/general/v0/general'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #995f2c5c0f712698 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/Unstructured.ts:32
    private apiKey: string | undefined = process.env.UNSTRUCTURED_API_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34f583769605f056 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/UnstructuredFile.ts:57
                placeholder: process.env.UNSTRUCTURED_API_URL || 'http://localhost:8000/general/v0/general',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f818beeec353f71 Environment-variable access.
pkgs/npm/[email protected]/nodes/documentloaders/Unstructured/UnstructuredFile.ts:58
                optional: !!process.env.UNSTRUCTURED_API_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d20eab8c49250643 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:6
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7a58b741a0e43c6 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:7
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7425963415a64967 Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:8
    (!!process.env.AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME || !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3ababd39359521e Environment-variable access.
pkgs/npm/[email protected]/nodes/embeddings/AzureOpenAIEmbedding/AzureOpenAIEmbedding.ts:9
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c47495f7ef44463f Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:9
    !!process.env.AZURE_OPENAI_API_KEY &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26ed2eeafbc13e6e Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:10
    !!process.env.AZURE_OPENAI_API_INSTANCE_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce67b6bee6743faa Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:11
    !!process.env.AZURE_OPENAI_API_DEPLOYMENT_NAME &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fb586a533e7d2eb Environment-variable access.
pkgs/npm/[email protected]/nodes/llms/Azure OpenAI/AzureOpenAI.ts:12
    !!process.env.AZURE_OPENAI_API_VERSION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a55ae1be7dce9986 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/AgentMemory/AgentMemory.ts:138
                : path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8df7c1bf2c82e3c6 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/AgentMemory/SQLiteAgentMemory/SQLiteAgentMemory.ts:72
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20379be612934cd4 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:144
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f9e6a8dbaa1e6a3 Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:145
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #295e10bf6db3b07b Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:151
                          process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb22dea85dc103fb Environment-variable access.
pkgs/npm/[email protected]/nodes/memory/RedisBackedChatMemory/RedisBackedChatMemory.ts:152
                              ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a89d09c29bb90870 Environment-variable access.
pkgs/npm/[email protected]/nodes/multiagents/Worker/Worker.ts:235
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8c87d56aedf7acd Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:10
const serverCredentialsExists = !!process.env.POSTGRES_RECORDMANAGER_USER && !!process.env.POSTGRES_RECORDMANAGER_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f78e11d49da3939 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:139
        const user = getCredentialParam('user', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed144e179a697351 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/PostgresRecordManager.ts:140
        const password = getCredentialParam('password', credentialData, nodeData, process.env.POSTGRES_RECORDMANAGER_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fac925ff39a54ec7 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_RECORDMANAGER_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec35b5ce40f3ebcb Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_RECORDMANAGER_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #802434fe2fac62a8 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_RECORDMANAGER_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb90f3b808d6b76d Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_RECORDMANAGER_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fc5653128fab264 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/PostgresRecordManager/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_RECORDMANAGER_TABLE_NAME, 'upsertion_records')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac15dff0f19e150 Environment-variable access.
pkgs/npm/[email protected]/nodes/recordmanager/SQLiteRecordManager/SQLiteRecordManager.ts:124
        const database = validateSQLitePath(path.join(process.env.DATABASE_PATH ?? path.join(getUserHome(), '.flowise'), 'database.sqlite'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #f939a90df469bc32 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/CohereRerankRetriever/CohereRerank.ts:44
            let returnedDocs = await axios.post(this.COHERE_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress dependency Excluded from app score #50f43ac2a6a464b1 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/JinaRerankRetriever/JinaRerank.ts:39
            let returnedDocs = await axios.post(this.JINA_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #3f9cfcdd3e25ebb0 Environment-variable access.
pkgs/npm/[email protected]/nodes/retrievers/MultiQueryRetriever/MultiQueryRetriever.ts:75
            verbose: process.env.DEBUG === 'true',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #f0f0666ba4c1a46d Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/retrievers/VoyageAIRetriever/VoyageAIRerank.ts:40
            let returnedDocs = await axios.post(this.VOYAGEAI_RERANK_API_URL, data, config)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #268d2528c8382b2f Environment-variable access.
pkgs/npm/[email protected]/nodes/sequentialagents/Agent/Agent.ts:690
            verbose: process.env.DEBUG === 'true' ? true : false,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #092710240d2a400f Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/Arxiv/Arxiv.ts:119
        if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #398c1122a351cef9 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:77
                    process.env.CUSTOM_MCP_PROTOCOL === 'sse'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #fb996eb18bace455 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:176
            if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #51657663aaedf288 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/CustomMCP/CustomMCP.ts:186
            if (process.env.CUSTOM_MCP_PROTOCOL === 'stdio' && serverParams!.command) toolkit = new MCPToolkit(serverParams, 'stdio')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unknown #e2a567350f7bfbeb Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/nodes/tools/MCP/Pipedream/PipedreamMCP.ts:212
            const response = await axios.post('https://api.pipedream.com/v1/oauth/token', body, {
                headers: {
                    'Content-Type': 'application/json'
                }
            })

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unknown #5c5a9a59528e08e6 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts:109
        if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #9e898796a1b029ec Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:416
        const originalAllowList = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #752ed2aedbeb5e64 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:420
                delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c34f3aa5f2fbb9db Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:422
                process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = originalAllowList

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #106f73102320f328 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:427
            delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e4155b267ada30ef Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:435
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e649a1626f13c873 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:447
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #c51adccb4b6e4838 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:455
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'CUSTOM_VAR,API_KEY'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5ea8cb8fa3d792ef Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:520
            const original = process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #91155de6cee1f936 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:521
            process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = 'API_TOKEN'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e3e08d9d99bef6b0 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:533
                    delete process.env.CUSTOM_MCP_ALLOWED_ENV_VARS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #4c667c678e88e693 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.test.ts:535
                    process.env.CUSTOM_MCP_ALLOWED_ENV_VARS = original

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7f806d049fa7f60f Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.ts:48
                    PATH: process.env.PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3298416164ce9356 Environment-variable access.
pkgs/npm/[email protected]/nodes/tools/MCP/core.ts:258
        (process.env.CUSTOM_MCP_ALLOWED_ENV_VARS ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26aa30d4d832a509 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Pinecone/Pinecone_LlamaIndex.ts:238
        this.chunkSize = params?.chunkSize ?? Number.parseInt(process.env.PINECONE_CHUNK_SIZE ?? '100')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70602e8f562ebf0e Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/Postgres.ts:13
const serverCredentialsExists = !!process.env.POSTGRES_VECTORSTORE_USER && !!process.env.POSTGRES_VECTORSTORE_PASSWORD

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #255d4019fbb590bd Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/driver/Base.ts:68
        const user = getCredentialParam('user', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_USER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7ce1c2dbb12596c Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/driver/Base.ts:69
        const password = getCredentialParam('password', credentialData, this.nodeData, process.env.POSTGRES_VECTORSTORE_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef8e9f48f128d2b7 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:4
    return defaultChain(nodeData?.inputs?.host, process.env.POSTGRES_VECTORSTORE_HOST)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ab9221e84609b2c Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:8
    return defaultChain(nodeData?.inputs?.database, process.env.POSTGRES_VECTORSTORE_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64e393617937c146 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:12
    return defaultChain(nodeData?.inputs?.port, process.env.POSTGRES_VECTORSTORE_PORT, '5432')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60247f4aecf4ae9c Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:16
    return defaultChain(nodeData?.inputs?.ssl, process.env.POSTGRES_VECTORSTORE_SSL, false)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #862a90029451e015 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:20
    return defaultChain(nodeData?.inputs?.tableName, process.env.POSTGRES_VECTORSTORE_TABLE_NAME, 'documents')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbce5177ff9488ce Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:24
    return defaultChain(nodeData?.inputs?.contentColumnName, process.env.POSTGRES_VECTORSTORE_CONTENT_COLUMN_NAME, 'pageContent')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab2fa72397bfedcf Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Postgres/utils.ts:28
    return defaultChain(nodeData?.inputs?.schemaName, process.env.POSTGRES_VECTORSTORE_SCHEMA_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c286678ad104ef66 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:154
                            process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c210a1b6dac8787 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:155
                                ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d19f0905080b207 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:159
                        process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4a5f53b1a5c85da Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:160
                            ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #211d3e8e06b1b6cf Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:172
                    if (process.env.DEBUG === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3196a83b3c455426 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:231
                    process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84f3b883a0b618f8 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:232
                        ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #047d76851cae743e Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:236
                process.env.REDIS_KEEP_ALIVE && !isNaN(parseInt(process.env.REDIS_KEEP_ALIVE, 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #296c6725af357233 Environment-variable access.
pkgs/npm/[email protected]/nodes/vectorstores/Redis/Redis.ts:237
                    ? parseInt(process.env.REDIS_KEEP_ALIVE, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad04206b8e730c2e Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:388
        for (const k of LANGSMITH_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ba70d3041582d6d Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:389
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbdccc0d4e1af043 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:390
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cffa537931f543f0 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:391
        process.env.LANGSMITH_API_KEY = 'test-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27f4a20c106ce0b6 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:397
        for (const k of LANGSMITH_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b65b47f43d335710 Environment-variable access.
pkgs/npm/[email protected]/src/handler.test.ts:400
            if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5991cf2bc3531704 Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:81
        if (process.env.DEBUG === 'true') console.error(`Error setting up Arize tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b896815bf3fd67a7 Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:135
        if (process.env.DEBUG === 'true') console.error(`Error setting up Phoenix tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7cc639774979e1e Environment-variable access.
pkgs/npm/[email protected]/src/handler.ts:179
        if (process.env.DEBUG === 'true') console.error(`Error setting up Opik tracer: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a75b1bc4cf7b215b Environment-variable access.
pkgs/npm/[email protected]/src/httpSecurity.ts:36
    const securityCheckEnabled = process.env.HTTP_SECURITY_CHECK !== 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98a913413ee2ac03 Environment-variable access.
pkgs/npm/[email protected]/src/httpSecurity.ts:37
    const httpDenyListString = process.env.HTTP_DENY_LIST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b927b3b0c0422b0 Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:2
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b8e866c89416b61 Environment-variable access.
pkgs/npm/[email protected]/src/modelLoader.ts:38
        process.env.MODEL_LIST_CONFIG_JSON ?? 'https://raw.githubusercontent.com/FlowiseAI/Flowise/main/packages/components/models.json'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41cd339947a84f8a Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:48
            const models = await fs.promises.readFile(modelFile, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9fdbfd26274a4d0 Filesystem access.
pkgs/npm/[email protected]/src/modelLoader.ts:55
        const models = await fs.promises.readFile(getModelsJSONPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2315ffce97f68b06 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:40
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #481c1e472b52964e Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:41
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92a8cba42df87ade Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:42
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d66e8342ca96de2 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:43
        const containerName = process.env.AZURE_BLOB_STORAGE_CONTAINER_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #150cfd7caf166374 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:265
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4256583454888d0 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:276
            storageConfig.accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #348f5627919dc0a4 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:277
            storageConfig.accessKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbfc316896d5e888 Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:285
        const connectionString = process.env.AZURE_BLOB_STORAGE_CONNECTION_STRING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85abda338db705ff Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:286
        const accountName = process.env.AZURE_BLOB_STORAGE_ACCOUNT_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a2fa1bc11b1c06f Environment-variable access.
pkgs/npm/[email protected]/src/storage/AzureBlobStorageProvider.ts:287
        const accountKey = process.env.AZURE_BLOB_STORAGE_ACCOUNT_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #794ccf6dbd1fc85d Environment-variable access.
pkgs/npm/[email protected]/src/storage/BaseStorageProvider.ts:63
        const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62203beab3f922b6 Environment-variable access.
pkgs/npm/[email protected]/src/storage/BaseStorageProvider.ts:64
            ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b12823911d3f1e4 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:32
        const keyFilename = process.env.GOOGLE_CLOUD_STORAGE_CREDENTIAL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13a264935f341225 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:33
        const projectId = process.env.GOOGLE_CLOUD_STORAGE_PROJ_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c64f6a6bc43e365 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:34
        const bucketName = process.env.GOOGLE_CLOUD_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e4225d39ceb8a06 Environment-variable access.
pkgs/npm/[email protected]/src/storage/GCSStorageProvider.ts:333
                uniformBucketLevelAccess: Boolean(process.env.GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS) ?? true,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cfd93ce6a1f7ec4 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcadd35b22443e53 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:40
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53a8e15a01e6f1a4 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:60
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2e5644ddd54d0b5 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:74
        fs.writeFileSync(filePath, bf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ba2d117a8f329eb Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:81
        return fs.readFileSync(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf86769d5787c603 Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:88
            return fs.readFileSync(fileInStorage)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64386a30b7f3561c Filesystem access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:114
                    return fs.readFileSync(targetPath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00d449030a625c8b Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:344
        return process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c62a96365d27bc4f Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:345
            ? path.join(process.env.BLOB_STORAGE_PATH, 'uploads')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #200ac4809dc3b4a2 Environment-variable access.
pkgs/npm/[email protected]/src/storage/LocalStorageProvider.ts:350
        return process.env.HOME || process.env.USERPROFILE || process.env.HOMEPATH || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffc185250690c5b2 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:34
        const accessKeyId = process.env.S3_STORAGE_ACCESS_KEY_ID

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7a414a3184d3b15 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:35
        const secretAccessKey = process.env.S3_STORAGE_SECRET_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd7db8e693d74cb8 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:36
        const region = process.env.S3_STORAGE_REGION

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2be41bec9227eb38 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:37
        const bucket = process.env.S3_STORAGE_BUCKET_NAME

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #719acc0738b84ee0 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:38
        const customURL = process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a57642168aa5bf82 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:39
        const forcePathStyle = process.env.S3_FORCE_PATH_STYLE === 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e28db98b879aed66 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:73
            region: process.env.S3_STORAGE_REGION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2531dd67a18888db Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:74
            endpoint: process.env.S3_ENDPOINT_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #694ff81777c222b1 Environment-variable access.
pkgs/npm/[email protected]/src/storage/S3StorageProvider.ts:536
            const instance = process.env.HOSTNAME || process.env.POD_NAME || String(process.pid)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67198e984acdfb79 Environment-variable access.
pkgs/npm/[email protected]/src/storage/StorageProviderFactory.ts:20
            const storageType = process.env.STORAGE_TYPE || 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fcb7ef1a6aa4903 Filesystem access.
pkgs/npm/[email protected]/src/storageUtils.ts:1
import fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9288721891843d18 Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:51
    const storagePath = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce78f67e4812ab56 Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:52
        ? path.join(process.env.BLOB_STORAGE_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be32f87f106e470f Environment-variable access.
pkgs/npm/[email protected]/src/storageUtils.ts:64
    return process.env.STORAGE_TYPE ? process.env.STORAGE_TYPE : 'local'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7b48fa8dc1260ce Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:21
    for (const k of ENV_KEYS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f31c7ef0de8ff132 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:28
    for (const k of ENV_KEYS) envSnapshot[k] = process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #909da5a23044069a Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:37
        if (v !== undefined) process.env[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a0777e6550fc46d Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:48
        process.env.LANGSMITH_TRACING = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7fefc237ce907bd Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:49
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f8d2cf4d6c61a1b Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:52
        process.env.LANGSMITH_TRACING = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a67ee398dc58ea4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:55
        process.env.LANGSMITH_TRACING = 'TRUE'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #463f0f41b0a695d6 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:60
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54f2c389a2d68654 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:65
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #910a986cda79903e Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:66
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6febe1dca2f95ae5 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:75
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a76fc9e3057b39e Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:76
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #096f1672b7d13888 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:77
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d37962bce90accf3 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:78
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaf3db518864d50e Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:87
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2d86e460359c47d Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:88
        process.env.LANGCHAIN_TRACING_V2 = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92457c30283bce77 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:89
        process.env.LANGSMITH_API_KEY = 'new-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91794eb7ff56b3f7 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:90
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f89bf6d706b0ebce Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:91
        process.env.LANGSMITH_ENDPOINT = 'https://new.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca55ff6914fa4689 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:92
        process.env.LANGCHAIN_ENDPOINT = 'https://legacy.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c47ebc939b8e4300 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:93
        process.env.LANGSMITH_PROJECT = 'new-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f54cf0397ae59721 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:94
        process.env.LANGCHAIN_PROJECT = 'legacy-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f60c1bfec6b2a29a Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:103
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58205167bfbcf801 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:104
        process.env.LANGCHAIN_API_KEY = 'legacy-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6675a1473fbd8a66 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:113
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30459872573a8695 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:114
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c807d3195c531acd Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:115
        process.env.LANGSMITH_ENDPOINT = 'https://api.smith.langchain.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec2a5734531acac9 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:116
        process.env.LANGSMITH_PROJECT = 'my-proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #156d06d426edba43 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:129
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8488c5ca5225a992 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:130
        process.env.LANGSMITH_API_KEY = 'k1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8840e6c8e7889d0f Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:135
        process.env.LANGSMITH_API_KEY = 'k2'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9dcd89b451c40c09 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:144
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41b7f110faa267f9 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:145
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd4624a946753598 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:152
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfcd037e2bee1c1f Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:153
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd47cea17f99334b Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:197
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #543ebdce02a02651 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:198
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a025e6c793f7bd4 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:212
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7276cb2c20b5cb65 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:213
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbcdcb7bb79050ed Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:214
        process.env.LANGSMITH_ENDPOINT = 'https://e.example.com'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d41f8850f19f27b8 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:215
        process.env.LANGSMITH_PROJECT = 'proj'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6748168e3491118 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:233
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdfc9b923fb7f7fd Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:234
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #040e48e6d9baef85 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:245
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #540625a66665e598 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:246
        process.env.LANGSMITH_API_KEY = 'env-key'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #964814010ec773a3 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:259
        process.env.LANGSMITH_TRACING = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1433576f455b36a6 Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.test.ts:260
        process.env.LANGSMITH_API_KEY = 'k'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31545d5e3694f1fd Environment-variable access.
pkgs/npm/[email protected]/src/tracingEnv.ts:71
    for (const k of LANGCHAIN_TRACING_FLAG_VARS) delete process.env[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8307eff7d0724597 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:245
        delete process.env.ALLOW_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5629a11521944855 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:246
        delete process.env.TOOL_FUNCTION_EXTERNAL_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ad813fbe60f9d77 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:251
            process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b6b821a905dd5c1 Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:278
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f60b2d7e118b2d8f Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:284
        process.env.ALLOW_BUILTIN_DEP = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1be053c35558cbdf Environment-variable access.
pkgs/npm/[email protected]/src/utils.test.ts:285
        process.env.TOOL_FUNCTION_EXTERNAL_DEP = 'pg'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a403a0a9a6745b2 Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:12
import * as fs from 'fs'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78cf4f1ea245604d Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:32
const USE_AWS_SECRETS_MANAGER = process.env.SECRETKEY_STORAGE_TYPE === 'aws'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b22829f00bfc4587 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:34
    const region = process.env.SECRETKEY_AWS_REGION || 'us-east-1' // Default region if not provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35def133bfca99d7 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:35
    const accessKeyId = process.env.SECRETKEY_AWS_ACCESS_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c951ed1147a4224 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:36
    const secretAccessKey = process.env.SECRETKEY_AWS_SECRET_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #285e1a867d845664 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:408
            if (process.env.DEBUG === 'true') console.error(`error with scraped URL: ${err.message}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #402d2c020ec028a9 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:454
    if (process.env.DEBUG === 'true') console.info(`actively crawling ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c25f8cb4e23b36df Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:459
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #195c594fc06dda16 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:465
            if (process.env.DEBUG === 'true') console.error(`non html response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e12dcd1e6e4e4642 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:475
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5266f94f6e88420 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:510
    if (process.env.DEBUG === 'true') console.info(`actively scarping ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b7b946a56e0df3f Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:515
            if (process.env.DEBUG === 'true') console.error(`error in fetch with status code: ${resp.status}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63fc27aeca4c7226 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:521
            if (process.env.DEBUG === 'true') console.error(`non xml response, content type: ${contentType}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1278fdd7fab61cd9 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:528
        if (process.env.DEBUG === 'true') console.error(`error in fetch url: ${err.message}, on page: ${currentURL}`)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5afe58700d6de4f Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:540
        return typeof process !== 'undefined' ? process.env?.[name] : undefined

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #379af0bf91cffd99 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:571
    return process.env.SECRETKEY_PATH ? path.join(process.env.SECRETKEY_PATH, 'encryption.key') : getEncryptionKeyFilePath()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62f3d79ac7d69163 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:579
    if (process.env.FLOWISE_SECRETKEY_OVERWRITE !== undefined && process.env.FLOWISE_SECRETKEY_OVERWRITE !== '') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ddda7a95a73eab5 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:580
        return process.env.FLOWISE_SECRETKEY_OVERWRITE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df431b23a9b0f5fc Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:584
            const secretId = process.env.SECRETKEY_AWS_NAME || 'FlowiseEncryptionKey'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bae788351891185a Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:592
        return await fs.promises.readFile(getEncryptionKeyPath(), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d8226f444e297e4 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:734
    if (process.env[variableName] === undefined) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e17e293bb4dce41 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:738
    return process.env[variableName] as string

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70224e22eaa0a3c1 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1021
                value = process.env[item.name] ?? ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2ffecf2e32a8d63 Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:1048
            const content = await fs.promises.readFile(checkPath, 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88eb636c8f1be1c5 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1603
    const shouldUseE2BSandbox = useSandbox && process.env.E2B_APIKEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #052aa85cf412ec19 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1606
    if (process.env.SANDBOX_TIMEOUT) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #883029bb51dc6aca Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1607
        timeoutMs = parseInt(process.env.SANDBOX_TIMEOUT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b861e1fd8224b70 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1665
            const sbx = await Sandbox.create({ apiKey: process.env.E2B_APIKEY, timeoutMs })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #011f95746b07828c Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1729
        const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43cecc57c52e1e80 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1730
            ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2d3e978a27c74f3 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1732
        const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcbafbfc6ca7ba28 Environment-variable access.
pkgs/npm/[email protected]/src/utils.ts:1733
        let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7031f2175cafeaf1 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:55
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a6777af10b3712f Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:58
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96e57a6efb777ee0 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:75
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c010fbe8c55633b Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:78
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0495dc1d35de9c55 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:365
            const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84fa73a7185754ab Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:366
            delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aac4be1f5a313348 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:375
                    process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #518ba525c2eeda38 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:396
        const originalEnv = process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #127ab988e860821c Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:401
                process.env.BLOB_STORAGE_PATH = originalEnv

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #facaefeb1b6f6dd5 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:403
                delete process.env.BLOB_STORAGE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cd5d0e2151d4e0b Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:409
            process.env.BLOB_STORAGE_PATH = customStoragePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01889091d8016929 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:418
            process.env.BLOB_STORAGE_PATH = path.join(userHome, 'custom-storage')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14ce3ac113a01559 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:453
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf38db764d027ec0 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:456
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0055c541b9d43ca5 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:591
        const originalDatabasePath = process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08feb69edb76cb94 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:595
                delete process.env.DATABASE_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2671041f0aef875e Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:597
                process.env.DATABASE_PATH = originalDatabasePath

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bf1f09f457f68be Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:603
            process.env.DATABASE_PATH = customBase

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e0701b4251885f4 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:609
            process.env.DATABASE_PATH = path.join(userHome, 'custom-flowise-data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #100da233f73b7ddd Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:616
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #088badf9cf23fadd Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:619
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd0800aa088be637 Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:788
            process.env.PATH_TRAVERSAL_SAFETY = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dbc82adc6733bed Environment-variable access.
pkgs/npm/[email protected]/src/validator.test.ts:791
            delete process.env.PATH_TRAVERSAL_SAFETY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35dec4e4bf329ccf Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:41
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37e30257f6d07232 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:70
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #674d6070299a4168 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:195
    if (process.env.BLOB_STORAGE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f78cc6c54b1ff2a4 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:196
        allowedDirs.push(path.resolve(process.env.BLOB_STORAGE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32e866ac675fc965 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:213
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e41c6e92dabf5e91 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:290
    if (process.env.DATABASE_PATH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65831258ad271727 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:291
        dirs.push(path.resolve(process.env.DATABASE_PATH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbd5065037ff4bd2 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:324
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a90a1deeacb08b0 Environment-variable access.
pkgs/npm/[email protected]/src/validator.ts:423
    if (process.env.PATH_TRAVERSAL_SAFETY === 'false') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nodemailer

npm dependency
high pii_flow dependency Excluded from app score #2d122401ee7724ab User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/npm/[email protected]/lib/fetch/index.js:148 · flow /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/fetch/index.js:55 → /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/fetch/index.js:148
        req = handler.request(reqOptions);

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #56ae50d022f5bef3 Filesystem access.
pkgs/npm/[email protected]/lib/dkim/index.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6c9e877199c4264 Filesystem access.
pkgs/npm/[email protected]/lib/mime-node/index.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90e266b05b8764ae Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:15
const ETHEREAL_API = (process.env.ETHEREAL_API || 'https://api.nodemailer.com').replace(/\/+$/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b6dee1d0abcc97c Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:16
const ETHEREAL_WEB = (process.env.ETHEREAL_WEB || 'https://ethereal.email').replace(/\/+$/, '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9da404ef788e9342 Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:17
const ETHEREAL_API_KEY = (process.env.ETHEREAL_API_KEY || '').replace(/\s*/g, '') || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d02dd44561dcff82 Environment-variable access.
pkgs/npm/[email protected]/lib/nodemailer.js:18
const ETHEREAL_CACHE = ['true', 'yes', 'y', '1'].includes((process.env.ETHEREAL_CACHE || 'yes').toString().trim().toLowerCase());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3dc1c03a06b00bdd Filesystem access.
pkgs/npm/[email protected]/lib/shared/index.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@google/generative-ai

npm dependency
medium pii_flow dependency Excluded from app score #8653c42fd1ae3036 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/api_version.js:33 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/api_version.js:26 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/api_version.js:33
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #c5e8fb3cdbb5877d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:58 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:58
  console.log(cacheResult);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #87ce5b532d827c32 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:65 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:34 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:65
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #dfa44c7e8f92582c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:134 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:134
  console.log(`\n\nmodel: ${result.response.text()}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #8375c89f05574896 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:138 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:138
  console.log(`\n\nmodel: ${result.response.text()}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #e47ac4cc6dd26047 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:151 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:114 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:151
  console.log(`\n\nmodel: ${result.response.text()}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #0b3bc8ce0ffc3bea PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:216 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:192 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:216
  console.log(cacheGetResult);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #cfd192b6e6dcd8a6 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:251 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:225 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:251
    console.log(item);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #e08a2bb37decd259 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:284 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:284
  console.log("initial cache data:", cacheResult);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #3ed602d197e43a15 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:291 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:261 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/cache.js:291
  console.log("updated cache data:", cacheUpdateResult);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #92be4e64c7f60953 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:45 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/chat.js:45
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7a3f523a351d6d3b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:47 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/chat.js:30 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/chat.js:47
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #75fd3eeb46e80654 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:36 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:24 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:36
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #1ebe3619dc875241 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:66 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:44 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:66
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #9601e0e92c4baefa PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:87 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:74 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:87
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #6e64aa2559c982c7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:56 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:27 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:56
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #ea7db08acd5013f4 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:76 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:64 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:76
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #bcd1cb665afe25d5 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:45 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:45
  console.log(countResult.totalTokens); // 11

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #e2496c04a4a5ff93 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:55 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:55
  console.log(generateResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #901e2645a60b30d5 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:86 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:86
  console.log(countResult.totalTokens); // 10

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #63c22843a68bfd93 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:96 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:96
  console.log(chatResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #45c594b7953f326c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:132 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:132
  console.log(countResult.totalTokens); // 265

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #279bb9df47681fe2 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:140 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:140
  console.log(generateResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7dbb2d01731d4c8c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:178 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:178
  console.log(countResult.totalTokens); // 265

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #40cfbf05d54d6452 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:186 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:186
  console.log(generateResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #fe431a2c7a4a1b52 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:242 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:242
  console.log(countResult.totalTokens); // 302

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #696eda9bc20ba701 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:250 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:250
  console.log(generateResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #ec71de35769189ca PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:302 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:302
  console.log(result.totalTokens); // 10

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #83559be0bcdc6ca9 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:311 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:311
  console.log(generateResult.response.usageMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #f2fc0dd664851ab7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:335 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:335
  console.log(resultNoInstructions);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #72512955efa71d4a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:349 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:349
  console.log(resultWithInstructions);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #580e5c8554c15403 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:368 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:368
  console.log(resultNoTools);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #db4959947ff82086 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:388 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:388
  console.log(resultWithTools);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #13df15cd43685d4b PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:31 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/embed.js:24 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/embed.js:31
  console.log(result.embedding);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #f75e7d05ece91c9f PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:56 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/embed.js:39 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/embed.js:56
  console.log(result.embeddings);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #80b66298892a4a7e PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:41 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:31 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:41
  console.log(
    `Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7da380aa8d0acfc6 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:69 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:31 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:69
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7d2b50b9ac9bfb63 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:102 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:78 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:102
  console.log(
    `Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #1445f1a2412bacdd PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:117 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:78 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:117
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #0cacb760f6646580 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:133 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:126 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:133
  console.log(
    `Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #74c85cd292d400f8 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:161 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:126 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:161
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7bf6be3e3efa5204 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:194 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:170 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:194
  console.log(
    `Uploaded file ${uploadResult.file.displayName} as: ${uploadResult.file.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #6f22717c0ea18fe7 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:209 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:170 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:209
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #df32ceced90aa055 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:239 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:222 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:239
  console.log(
    `Uploaded file ${uploadResponse.file.displayName} as: ${uploadResponse.file.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #7583a4d308f63d0c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:267 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:220 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:267
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #6334f8a89b6a054c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:281 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:275 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:281
    console.log(`name: ${file.name} | display name: ${file.displayName}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #af9e4e7e6340837e PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:304 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:290 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:304
  console.log(
    `Retrieved file ${getResponse.displayName} as ${getResponse.uri}`,
  );

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #ce9d444d7df3e65d PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/files.js:327 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:314 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/files.js:327
  console.log(`Deleted ${uploadResult.file.displayName}`);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #765788ee0e16370a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:93 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:61 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:93
    console.log(result2.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #95738eb0673ace14 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:37 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:24 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:37
    console.log(result.response.candidates[0].logprobsResult);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #4d9f1345ca3270c1 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:38 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:24 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:38
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #752d64621792117e PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:50 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:28 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:50
    console.log(result.response.candidates[0].safetyRatings);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #c5e4157b8f7ed3d0 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:85 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:59 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:85
    console.log(result.response.candidates[0].safetyRatings);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #1c9983ae94d85e2c PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:50 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:31 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:50
  console.log(result.response.candidates[0].groundingMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #d5a5e4a080695dc0 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:75 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:61 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:75
  console.log(result.response.candidates[0].groundingMetadata);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #b8c0edf46f19378a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:35 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:24 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:35
  console.log(text);

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #828523244dc064b9 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:37 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:31 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:37
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #f257519ef8fe497a PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:84 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:64 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:84
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #6fca55f41afec6a5 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:149 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:125 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:149
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #d69990783f5eab48 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:214 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:194 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:214
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

medium pii_flow dependency Excluded from app score #4852cb73845ca191 PII-bearing data is written to a log sink. Logged PII is a privacy concern even when it does not leave the process.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:255 · flow /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:223 → /tmp/closeopen-q876yqrd/pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:255
  console.log(result.response.text());

PII-bearing data is written to a log/print sink — it stays in-process and does not leave the application, but logged PII is still a privacy concern.

Fix: Avoid logging user identifiers; redact or omit PII from log/print statements.

expand_more 156 low-confidence finding(s)
low env_fs dependency Excluded from app score #79542fa7629cc158 Filesystem access.
pkgs/npm/@[email protected]__reposrc/rollup.config.mjs:32
const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "package.json")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc0ffda293f89198 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/api_version.js:26
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03e3a1d31f0cf0d3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:34
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62b66533ab823240 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:35
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dffb6c608c44551b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:60
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec3ac96e2d18e81b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:75
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #371ecf3da6b305eb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:76
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e8fb4fe1a7f25bd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:102
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b85ad6b536169a2b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:114
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc5fea8ec4dc71f0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:115
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bda879f7ade36bb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:116
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #868dd446f2900b23 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:161
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a11183ec31d02ee Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:162
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec1a66b30b7750d4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:192
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1604663a1559feb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:193
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9d80a8096213f97 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:225
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #989c93e42af7290b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:226
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1a8709034a4bf25 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:261
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eed08ac9d4b1b87 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/cache.js:262
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62591eed72691e75 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:19
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5e83ea108790644 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:30
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12bca3ce9e97adfb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:55
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72f69b8bbdcb6ce5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:86
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea3f7c22f9ef00da Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/chat.js:98
      data: Buffer.from(fs.readFileSync(`${mediaPath}/jetpack.jpg`)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb205f513a21b3af Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:24
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48716838d76fb37a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:44
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93d719b7c3acbb4f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/code_execution.js:74
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d7a1c78ffd000fa Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:27
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d62e104d1cca0579 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/controlled_generation.js:64
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60c29caf10be81ec Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:24
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30c7c88bf3e0d3a5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:35
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78b6e38d315d5f93 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:65
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f1173d08b52a6ca Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:106
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93fcd36efc3ee4c4 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:114
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #110fd7833c47f5b1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:151
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #881d1af4e4032079 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:165
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #823cec7de7eb4a1f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:198
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f41a415a2cfaa8bc Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:228
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8713a417125ec8d4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:264
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e2b80b47125faa Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:270
  const cacheManager = new GoogleAICacheManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f27eab3859365d34 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:293
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42997194417dd571 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:327
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f47664905a2abd3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/count_tokens.js:358
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9f9515f6b7f993a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:24
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93aeb7c98dfb497d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/embed.js:39
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b45f8d55704e1fd8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:31
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #330ab2f6cfbdb3a3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:58
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c29ddf3fb2c6215a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:78
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #617aa0624452afbd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:106
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6856b7f73644f57 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:126
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #705b2cae419c21e0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:150
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f88bd8971d6f1df Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:170
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86eabe0fd26f86f5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:198
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e10b3ff20be4f9b0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:220
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad2d0d9509e3fad8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:222
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de2db049b1e8b34 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:275
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4604916a2e5f7147 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:290
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a757c69825edf9bd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/files.js:314
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #319f5b049178b3b5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/function_calling.js:61
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8292e9ceab28b3c4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/log_prob.js:24
    const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d445d8ce235c69f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/model_configuration.js:24
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3303082e89e3b78e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:28
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8fc080ecf1029f1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/safety_settings.js:59
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2ff4c5ce2e2362f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:31
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d6747878080b8f4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/search_grounding.js:61
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc78a1f79aa118f8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/system_instruction.js:24
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c3137aacb0a602a Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:20
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #557e8ee9675f9a8a Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:31
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e79622cc949ef0e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:45
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f22fe052a317d55 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:64
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5041cc9dc5793736 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:70
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82b6c28081a940d8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:92
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf01bc85cb3cd5c4 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:98
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f547f583739aae8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:125
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c97b56cc7af7bfd9 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:131
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #463e1b1aecfd82ce Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:157
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4dc0308554ead27 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:163
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23fb8a42261b9a0c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:194
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #219b1f9839975a04 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:200
        data: Buffer.from(fs.readFileSync(path)).toString("base64"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5dbbfe7fabe556f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:223
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #767d82be9af4110c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:226
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d41a679dd3b7bb2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:265
  const genAI = new GoogleGenerativeAI(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50f2292198e67e26 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/text_generation.js:268
  const fileManager = new GoogleAIFileManager(process.env.API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fec35fe3a926b592 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/check-samples.js:19
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47fa216fc31ebfee Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/check-samples.js:30
      const file = fs.readFileSync(join(samplesDir, filename), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd8c2621245deb80 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/insert-import-comments.js:19
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5960b31e967790cf Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/insert-import-comments.js:27
  const typings = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97e58659597da4cb Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/insert-import-comments.js:90
      const file = fs.readFileSync(join(samplesDir, filename), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7366ce29dd143391 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/utils/insert-import-comments.js:134
      fs.writeFileSync(join(samplesDir, filename), newFileLines.join("\n"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2337acf017099339 Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/web/http-server.js:18
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01115799a02e2e55 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/samples/web/http-server.js:28
const API_KEY = process.env.API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #720c409d1267765c Filesystem access.
pkgs/npm/@[email protected]__reposrc/samples/web/http-server.js:70
      const data = fs.readFileSync(sanitizedPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e0935e8655cc5088 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/license.ts:18
import fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #beb55d1ffce91ff3 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/license.ts:22
const licenseHeader = fs.readFileSync(
  join(__dirname, "./license.txt"),
  "utf-8",
);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #bfde6519d567d2e7 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/license.ts:33
  const fileContents = paths.map((path) => fs.readFileSync(path, "utf-8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #652b3f4681b1899c Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/license.ts:84
          return fs.writeFileSync(path, result, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec394078ee11d758 Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.test.ts:26
import { readFile } from "fs/promises";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d236666d9f05eb4b Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.test.ts:71
    const fileBuffer = await readFile("./test-utils/cat.png");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85026b0ac3915d00 Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.test.ts:112
    const fileBuffer = await readFile("./test-utils/cat.png");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91eeba0392c3c3ba Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.test.ts:147
    const fileBuffer = await readFile("./test-utils/cat.png");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc7842d623fcd616 Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.test.ts:194
    const fileBuffer = await readFile("./test-utils/cat.png");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #765da93f2fc7bc53 Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.ts:19
import { readFileSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7393d35a6c80c9 Filesystem access.
pkgs/npm/@[email protected]__reposrc/src/server/file-manager.ts:57
    const file = fileData instanceof Buffer ? fileData : readFileSync(fileData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99ebec0aebf94c3b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:42
      process.env.GEMINI_API_KEY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46ec4c64ba7c70c4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:57
    const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7489d150449b0aba Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:66
    const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f03c670826ed801c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:77
    const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #974ea836c5290aa2 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:84
    const fileManager = new GoogleAIFileManager(process.env.GEMINI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39efeb08793ff029 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:96
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb209a564c29087c Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:114
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a64adb37a2e28fc9 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:127
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abd0205a19db577d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:140
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0ef9aae1efef364 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:150
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3701571a8541541d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:160
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c578250f81c88b85 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:186
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a75177d388bedb4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:203
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4651b09d3b21b982 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:215
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfa9b7c4ad087c4b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:227
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2cdf1b82586919f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/abort-signal.test.ts:239
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7306088681f8578d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:40
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #110e45b86191dd53 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:68
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df3292a818ba2f84 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:99
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f56a9e5c6e5ae11 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:130
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #469e58307ddf04f4 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:180
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe22283e276d6c08 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:220
      process.env.GEMINI_API_KEY || "",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #467e6ad34686633b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/cache-content.test.ts:240
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca0cb28720a8977 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/count-tokens.test.ts:33
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58892052c37db194 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/count-tokens.test.ts:51
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69161201523240b6 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/count-tokens.test.ts:70
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #febe4ea3b7aea747 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/embed-content.test.ts:32
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54a5edea6bcbbf58 Filesystem access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-multimodal.test.ts:18
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3fb72113f164389 Filesystem access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-multimodal.test.ts:35
    const imageBuffer = fs.readFileSync(
      join(__dirname, "../../test-utils/cat.png"),
    );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2bd98ea8ef933ddd Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-multimodal.test.ts:38
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d881abc6da39b83d Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-search-grounding.test.ts:37
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc6b9c42f19ff614 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-tools.test.ts:35
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f35511b84d5482a0 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content-tools.test.ts:179
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cca38df416f1da69 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content.test.ts:39
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01aaa2cff049f2bf Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content.test.ts:66
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bc9c5d004e385a3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content.test.ts:88
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13be1075bff74a4e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/generate-content.test.ts:103
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79959a553689d3a7 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/start-chat-tools.test.ts:76
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ef5ce4829b2fd3b Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/start-chat.test.ts:32
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4aa3f435bf146511 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/start-chat.test.ts:55
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f129bd292a931f9f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/node/start-chat.test.ts:91
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfc3c16f935cdef8 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:28
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0879acac6255243e Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:43
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3380ddeaf058030 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:66
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2823556ce7176e76 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:89
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d4b21af5c0b4f8f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:125
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca2f46eaef6fdb83 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:173
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5659f539bffbe6eb Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:196
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22ccd955b0c90f7f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/test-integration/web/index.test.ts:211
    const genAI = new GoogleGenerativeAI(process.env.GEMINI_API_KEY || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a9820f127e6d95c Filesystem access.
pkgs/npm/@[email protected]__reposrc/test-utils/mock-response.ts:18
import * as fs from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ced5e7d80a054242 Filesystem access.
pkgs/npm/@[email protected]__reposrc/test-utils/mock-response.ts:68
  const fullText = fs.readFileSync(join(mockResponseDir, filename), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e0e1c84ef24d2ce Filesystem access.
pkgs/npm/@[email protected]__reposrc/test-utils/mock-response.ts:76
  const fullText = fs.readFileSync(join(mockResponseDir, filename), "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d684507e42fbf960 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/web-test-runner.config.mjs:17
        <script>window.process = { env: { GEMINI_API_KEY: "${process.env.GEMINI_API_KEY}" } }</script>

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

posthog-node

npm dependency
medium telemetry dependency Excluded from app score #1e69a08be03b012a Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:69
    posthog.withContext(buildRequestContextData(posthog, req), () => next())

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #66b8ed2071248b8f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:98
    posthog.addPendingPromise(
      ErrorTracking.buildEventMessage(
        posthog.getErrorPropertiesBuilder(),
        error,
        hint,
        contextData.distinctId,
        additionalProperties
      ).then((msg) => {
        return posthog._capturePreparedEvent(msg, false)
      })
    )

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #ee44c780e15cda86 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:100
        posthog.getErrorPropertiesBuilder(),

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #accbbadcca7a4f6c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/npm/[email protected]/src/extensions/express.ts:106
        return posthog._capturePreparedEvent(msg, false)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

winston

npm dependency
medium pii_flow dependency Excluded from app score #ad4000b6fa4e8840 Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/winston/transports/http.js:242 · flow /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/winston/transports/http.js:249 → /tmp/closeopen-q876yqrd/pkgs/npm/[email protected]/lib/winston/transports/http.js:242
    const req = (this.ssl ? https : http).request({
      ...this.options,
      method: 'POST',
      host: this.host,
      port: this.port,
      path: `/${path.replace(/^\//, '')}`,
      headers: headers,
      auth: (auth && auth.username && auth.password) ? (`${auth.username}:${auth.password}`) : '',
      agent: this.agent
    });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #dc324441b64c4550 Filesystem access.
pkgs/npm/[email protected]/lib/winston/tail-file.js:10
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76561a01a479cd06 Filesystem access.
pkgs/npm/[email protected]/lib/winston/transports/file.js:11
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@anthropic-ai/sdk

npm dependency
expand_more 44 low-confidence finding(s)
low env_fs dependency Excluded from app score #c42af419d23c45b0 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:110
        configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c41c531dbd12de3 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:210
        raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef5e621497ecbda3 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.js:308
        return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f044d46bf39af68 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:73
        configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdad19a5f154766e Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:172
        raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f157b3d35cc578a8 Filesystem access.
pkgs/npm/@[email protected]/core/credentials.mjs:268
        return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad2cd0047505178c Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/credential-chain.js:203
            const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d62f1cb182ce6597 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/credential-chain.mjs:166
            const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02217edf5443b206 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/identity-token.js:51
            content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #806abbe415470f95 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/identity-token.mjs:14
            content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb386564b4848f2e Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/types.js:195
            await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2a82cc2d9fa18d2 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/types.mjs:154
            await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a4973834c4e16d4 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/user-oauth.js:56
            raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9228b6facb09f85 Filesystem access.
pkgs/npm/@[email protected]/lib/credentials/user-oauth.mjs:20
            raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95053950d4352b5a Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:154
    configRaw = await fs.promises.readFile(configPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85410d2b2dc1d706 Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:258
    raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d64040aaf229507b Filesystem access.
pkgs/npm/@[email protected]/src/core/credentials.ts:372
    return (await fs.promises.readFile(filePath, 'utf-8')).trim() || 'default';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e8cfdbf3e483206 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/credential-chain.ts:250
      const raw = await fs.promises.readFile(credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dbf701c6d25b2cb Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/identity-token.ts:17
      content = await fs.promises.readFile(path, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f8064e20f17e1f1 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/types.ts:222
      await fh.writeFile(JSON.stringify(data, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fe76ebf0b22adb7 Filesystem access.
pkgs/npm/@[email protected]/src/lib/credentials/user-oauth.ts:45
      raw = await fs.promises.readFile(config.credentialsPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #01bafb322c4a213a Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/fs-util.ts:112
    await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b9d57c479e567a75 Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:457
        data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #54f88914d875280d Filesystem access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:533
        data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #24850531e9e4f588 Environment-variable access.
pkgs/npm/@[email protected]/src/tools/agent-toolset/node.ts:806
  const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #46cb27126e2f4d8e Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:4
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7c1b46646ec9e9bf Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:52
    await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #ee7b0eea2280575e Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:101
    return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #af982a243c13af21 Filesystem access.
pkgs/npm/@[email protected]/src/tools/memory/node.ts:256
      await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #98860cfc4656e364 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/fs-util.js:115
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #3e5048ee8d3d2f2e Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/fs-util.mjs:107
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2be7ac7b9cc6e2c9 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:390
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a7d444f41b0f4845 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:469
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #00627ce310243838 Environment-variable access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.js:755
    const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #1a58af71e55eba78 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:375
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2941ac2bcc641991 Filesystem access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:454
                data = await fs.readFile(abs, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #28f9afb2871dcecd Environment-variable access.
pkgs/npm/@[email protected]/tools/agent-toolset/node.mjs:740
    const dirs = (process.env['PATH'] ?? '').split(path.delimiter);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #efcd014d4671b4cc Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:43
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #11cd00aeb2306539 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:91
        return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a5bd2822b652504e Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.js:213
            await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f2d3b2e9523e43a2 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:2
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #6717d4cdf7642615 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:38
        await handle.writeFile(content, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b810133e195bc3c6 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:86
        return await fs.readFile(fullPath, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #f77b7dcf04b03437 Filesystem access.
pkgs/npm/@[email protected]/tools/memory/node.mjs:208
            await handle.writeFile(command.file_text, 'utf-8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@apidevtools/json-schema-ref-parser

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #c8436f6ce1c877bb Filesystem access.
pkgs/npm/@[email protected]/lib/resolvers/file.ts:39
      return await fs.promises.readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@brave/brave-search-mcp-server

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #df57b806dce835b3 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:14
    .default(process.env.BRAVE_API_KEY ?? ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e79e355bb2a7efd1 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:61
  braveApiKey: process.env.BRAVE_API_KEY ?? '',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64728c667c9b1fdf Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:77
    .option('--brave-api-key <string>', 'Brave API key', process.env.BRAVE_API_KEY ?? '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e83a09934bb508dc Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:78
    .option('--logging-level <string>', 'Logging level', process.env.BRAVE_MCP_LOG_LEVEL ?? 'info')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ee300cf57984421 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:82
      process.env.BRAVE_MCP_TRANSPORT ?? 'stdio'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5eacb7ff1a2c9e57 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:87
      process.env.BRAVE_MCP_ENABLED_TOOLS?.trim().split(' ') ?? []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89bff263d8ef0218 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:92
      process.env.BRAVE_MCP_DISABLED_TOOLS?.trim().split(' ') ?? []

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f700ffccd33c586f Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:97
      process.env.BRAVE_MCP_PORT ?? '8080'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02175f055c7655b5 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:102
      process.env.BRAVE_MCP_HOST ?? '0.0.0.0'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d089bbe9489cfb83 Environment-variable access.
pkgs/npm/@[email protected]__reposrc/src/config.ts:107
      process.env.BRAVE_MCP_STATELESS === 'true' ? true : false

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@dqbd/tiktoken

npm dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #6e7c6c8f56c9c5e5 Filesystem access.
pkgs/npm/@[email protected]/lite/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c30fe1116ea3901 Filesystem access.
pkgs/npm/@[email protected]/lite/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efa66a4835357ffb Filesystem access.
pkgs/npm/@[email protected]/tiktoken.cjs:5
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6b1aba93673db46 Filesystem access.
pkgs/npm/@[email protected]/tiktoken.cjs:29
    bytes = fs.readFileSync(candidate);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@elevenlabs/elevenlabs-js

npm dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #8cdff41a804a3e11 Filesystem access.
pkgs/npm/@[email protected]/core/file/file.js:87
            const fs = yield Promise.resolve().then(() => __importStar(require("fs")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91e8ce276e69fe73 Filesystem access.
pkgs/npm/@[email protected]/core/file/file.js:130
            const fs = yield Promise.resolve().then(() => __importStar(require("fs")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #5e90ed794269284b Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:3
const fs = require("fs").promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #7cb082d441eb703a Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:48
    const content = await fs.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #627a42831d7ce285 Filesystem access.
pkgs/npm/@[email protected]/scripts/rename-to-esm-files.js:66
        await fs.writeFile(file, newContent, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40b0b625b29bce28 Environment-variable access.
pkgs/npm/@[email protected]/wrapper/ElevenLabsClient.js:46
        const apiKey = (_a = options.apiKey) !== null && _a !== void 0 ? _a : process.env.ELEVENLABS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75b33bb55fcdac02 Environment-variable access.
pkgs/npm/@[email protected]/wrapper/speech-engine/SpeechEngineServer.js:47
        const apiKey = (_b = this.options.apiKey) !== null && _b !== void 0 ? _b : process.env.ELEVENLABS_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@getzep/zep-cloud

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #7f4768c942d0e99b Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/rename-to-esm-files.js:3
const fs = require("fs").promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #2eca4c000a62b305 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/rename-to-esm-files.js:48
    const content = await fs.readFile(file, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #89173d144c25fa21 Filesystem access.
pkgs/npm/@[email protected]__reposrc/scripts/rename-to-esm-files.js:66
        await fs.writeFile(file, newContent, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@getzep/zep-js

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #6b03fb0cdfb3c184 Environment-variable access.
pkgs/npm/@[email protected]/api/resources/memory/client/Client.js:1080
            const apiKeyValue = (_a = (yield core.Supplier.get(this._options.apiKey))) !== null && _a !== void 0 ? _a : process === null || process === void 0 ? void 0 : process.env["ZEP_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fa94d5575c67fea Environment-variable access.
pkgs/npm/@[email protected]/api/resources/user/client/Client.js:505
            const apiKeyValue = (_a = (yield core.Supplier.get(this._options.apiKey))) !== null && _a !== void 0 ? _a : process === null || process === void 0 ? void 0 : process.env["ZEP_API_KEY"];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8d6f589f733e83b3 Environment-variable access.
pkgs/npm/@[email protected]/examples/memory/memory_example.ts:15
const apiKey = process.env.ZEP_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #75608aea126230e9 Environment-variable access.
pkgs/npm/@[email protected]/examples/memory/memory_example.ts:16
const apiUrl = process.env.ZEP_API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #b9fdd52e065883d3 Environment-variable access.
pkgs/npm/@[email protected]/examples/users/users.ts:6
    const apiKey = process.env.ZEP_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #8e5b9cec2fefde3c Environment-variable access.
pkgs/npm/@[email protected]/examples/users/users.ts:7
    const apiUrl = process.env.ZEP_API_URL;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@grpc/grpc-js

npm dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #fe1d72de223cfb44 Filesystem access.
pkgs/npm/@[email protected]/src/certificate-provider.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75978a6ce16b5ded Environment-variable access.
pkgs/npm/@[email protected]/src/environment.ts:19
  (process.env.GRPC_NODE_USE_ALTERNATIVE_RESOLVER ?? 'false') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a35c8151225ebae Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:51
  if (process.env.grpc_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #838a9ba367843c85 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:53
    proxyEnv = process.env.grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #294c709b8ca40c8c Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:54
  } else if (process.env.https_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c33ad2f601fce0c Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:56
    proxyEnv = process.env.https_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #473d034d89a9544a Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:57
  } else if (process.env.http_proxy) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acfa215b42744a9b Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:59
    proxyEnv = process.env.http_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25d2e7a5d6c3618a Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:108
  let noProxyStr: string | undefined = process.env.no_grpc_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9137b2f719c081d9 Environment-variable access.
pkgs/npm/@[email protected]/src/http_proxy.ts:111
    noProxyStr = process.env.no_proxy;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a5dab147bb30b31 Environment-variable access.
pkgs/npm/@[email protected]/src/load-balancer-outlier-detection.ts:57
  (process.env.GRPC_EXPERIMENTAL_ENABLE_OUTLIER_DETECTION ?? 'true') === 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bf41119858d11b1 Environment-variable access.
pkgs/npm/@[email protected]/src/logging.ts:39
  process.env.GRPC_NODE_VERBOSITY ?? process.env.GRPC_VERBOSITY ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9efedff782b1f3e1 Environment-variable access.
pkgs/npm/@[email protected]/src/logging.ts:97
  process.env.GRPC_NODE_TRACE ?? process.env.GRPC_TRACE ?? '';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68ff5fe7eb8f75bc Filesystem access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:18
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1814fe116bd8a00d Environment-variable access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:21
  process.env.GRPC_SSL_CIPHER_SUITES;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e38aa12e15ed683d Environment-variable access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:23
const DEFAULT_ROOTS_FILE_PATH = process.env.GRPC_DEFAULT_SSL_ROOTS_FILE_PATH;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce4a8920aeb04e2c Filesystem access.
pkgs/npm/@[email protected]/src/tls-helpers.ts:30
      defaultRootsData = fs.readFileSync(DEFAULT_ROOTS_FILE_PATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@ibm-cloud/watsonx-ai

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #696a3f77005fc5c3 Filesystem access.
pkgs/npm/@[email protected]/base/base.js:32
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65118c862b1e47a6 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:27
import { readFileSync } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #581a9a2dc230c923 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:61
            const certFile = readFileSync(options.caCert);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9da16dba693d9270 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:68
            const certFile = readFileSync(options.caCert.auth.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccf7461620bb6a39 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:97
                const certFile = readFileSync(options.caCert.service.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab7935a616d25459 Filesystem access.
pkgs/npm/@[email protected]/base/base.mjs:103
                const certFile = readFileSync(options.caCert.dataplatform.path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eaa7d488a74696a6 Filesystem access.
pkgs/npm/@[email protected]/vml_v1.js:73
const fs_1 = __importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #965b8fdab44a0011 Filesystem access.
pkgs/npm/@[email protected]/vml_v1.mjs:36
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@oclif/core

npm dependency
expand_more 20 low-confidence finding(s)
low env_fs dependency Excluded from app score #a0b0f4b85d2165b1 Environment-variable access.
pkgs/npm/@[email protected]/lib/command.js:323
        keys.map((key) => delete process.env[key]);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37bc6f648e814343 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:201
        const base = process.env[`XDG_${category.toUpperCase()}_HOME`] ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d0d1afd2d23f6cb Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:202
            (this.windows && process.env.LOCALAPPDATA) ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fff1229eaeff1255 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:310
        this.home = process.env.HOME || (this.windows && this.windowsHome()) || (0, os_1.getHomeDir)() || (0, node_os_1.tmpdir)();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66aa900d119e24a1 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:548
        return process.env[this.scopedEnvVarKeys(k).find((k) => process.env[k])];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61d3599114d5626c Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:579
        return process.env.HOMEDRIVE && process.env.HOMEPATH && (0, node_path_1.join)(process.env.HOMEDRIVE, process.env.HOMEPATH);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e59914eb4278c621 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:582
        return process.env.USERPROFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d326b8fe64235169 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/config.js:587
        const SHELL = process.env.SHELL ?? (0, node_os_1.userInfo)().shell?.split(node_path_1.sep)?.pop();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e040b204d048cbaf Environment-variable access.
pkgs/npm/@[email protected]/lib/config/plugin.js:222
                if (!process.env.OCLIF_NEXT_VERSION && manifest.version.split('-')[0] !== this.version.split('-')[0]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a15a73ff639412a3 Environment-variable access.
pkgs/npm/@[email protected]/lib/config/ts-path.js:266
        debug(`Skipping typescript path lookup for ${root} because it's an ESM module (NODE_ENV: ${process.env.NODE_ENV}, root plugin module type: ${rootPlugin?.moduleType})`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f9460aa28a4643a Environment-variable access.
pkgs/npm/@[email protected]/lib/execute.js:55
        process.env.NODE_ENV = 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e9f4bd926e79dca Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:16
        process.env.CLI_FLAGS_DEBUG === '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7245b05243e76c8 Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:337
            if (fws.inputFlag.flag.env && process.env[fws.inputFlag.flag.env]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6da9be543ddf04e0 Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:338
                const valueFromEnv = process.env[fws.inputFlag.flag.env];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2224240d7062d68a Environment-variable access.
pkgs/npm/@[email protected]/lib/parser/parse.js:348
                        valueFunction: async (i) => (0, util_1.isTruthy)(process.env[i.inputFlag.flag.env] ?? 'false'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #878f87a42250850e Environment-variable access.
pkgs/npm/@[email protected]/lib/screen.js:18
const columns = Number.parseInt(process.env.OCLIF_COLUMNS, 10) || settings_1.settings.columns;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e5b2ac6ae876ccc Environment-variable access.
pkgs/npm/@[email protected]/lib/util/read-pjson.js:16
    if (process.env.OCLIF_DISABLE_RC) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2b8efe2d0b71245 Environment-variable access.
pkgs/npm/@[email protected]/lib/util/util.js:58
    return !['development', 'test'].includes(process.env.NODE_ENV ?? '');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67f2ad388538a899 Environment-variable access.
pkgs/npm/@[email protected]/lib/ux/index.js:29
    !process.env.CI &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8cbf77e4681d1ee Environment-variable access.
pkgs/npm/@[email protected]/lib/ux/index.js:30
    !['dumb', 'emacs-color'].includes(process.env.TERM) &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

bullmq

npm dependency
expand_more 8 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #91a2649b0684f466 Filesystem access.
pkgs/npm/[email protected]__reposrc/scripts/commandTransform.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #a111b801933317d4 Filesystem access.
pkgs/npm/[email protected]__reposrc/scripts/generateRawScripts.ts:3
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #e70df349042f96e6 Filesystem access.
pkgs/npm/[email protected]__reposrc/scripts/updateVersion.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #172311ab1c4066b1 Filesystem access.
pkgs/npm/[email protected]__reposrc/scripts/updateVersion.js:9
fs.writeFileSync(versionFilePath, content, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17e28098d371d697 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/classes/child-processor.ts:13
const RESPONSE_TIMEOUT = process.env.NODE_ENV === 'test' ? 500 : 5_000;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6040fe7612819150 Filesystem access.
pkgs/npm/[email protected]__reposrc/src/classes/worker.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd3aef63a654b8d Filesystem access.
pkgs/npm/[email protected]__reposrc/src/commands/script-loader.ts:3
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dacbe67a78fbc225 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/utils.ts:137
  prefix = process.env.BULLMQ_TEST_PREFIX || 'bull',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

connect-pg-simple

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #5eddf7f6a43cc7d1 Environment-variable access.
pkgs/npm/[email protected]/index.js:137
        const conString = options.conString || process.env['DATABASE_URL'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e80876b499c3f010 Filesystem access.
pkgs/npm/[email protected]/index.js:183
        const tableDefString = await fs.readFile(pathModule.resolve(__dirname, './table.sql'), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

dotenv

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #1c5c7cc767fbfc7a Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:4
if (process.env.DOTENV_CONFIG_ENCODING != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0701cb31536c5651 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:5
  options.encoding = process.env.DOTENV_CONFIG_ENCODING

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cdc9546614733be Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:8
if (process.env.DOTENV_CONFIG_PATH != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22b253986d560571 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:9
  options.path = process.env.DOTENV_CONFIG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93048acac8ab208e Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:12
if (process.env.DOTENV_CONFIG_QUIET != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08943a62a3e51d95 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:13
  options.quiet = process.env.DOTENV_CONFIG_QUIET

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fea035c03a6880f Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:16
if (process.env.DOTENV_CONFIG_DEBUG != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #508c2927a92bddeb Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:17
  options.debug = process.env.DOTENV_CONFIG_DEBUG

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbb4f1516ea51ec8 Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:20
if (process.env.DOTENV_CONFIG_OVERRIDE != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a461d216a958e61e Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:21
  options.override = process.env.DOTENV_CONFIG_OVERRIDE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0f5eaa62d30ff1d Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:24
if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4761723b561eac2f Environment-variable access.
pkgs/npm/[email protected]/lib/env-options.js:25
  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fd7c8e3d8480bf2 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:1
const fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8bb7081f459888f Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:141
  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ded0c36b3405629 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:142
    return process.env.DOTENV_KEY

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41cfec9a9aef864b Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:221
  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69919d3708447550 Environment-variable access.
pkgs/npm/[email protected]/lib/main.js:222
  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69121f258a6f2597 Filesystem access.
pkgs/npm/[email protected]/lib/main.js:277
      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #626ecb0eff4ba38b Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express-mysql-session

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #0bb121909203a288 Filesystem access.
pkgs/npm/[email protected]/index.js:136
			const fs = require('fs').promises;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c8225a26c5276e4 Filesystem access.
pkgs/npm/[email protected]/index.js:138
			return fs.readFile(schemaFilePath, 'utf-8').then(sql => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express-session

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #32767762fe70b472 Environment-variable access.
pkgs/npm/[email protected]/index.js:33
var env = process.env.NODE_ENV;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-nim-container-manager

npm dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #0d349479c1f7418d Filesystem access.
pkgs/npm/[email protected]/src/NimContainerManager.js:9
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84df0bf77dce6898 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:15
process.env.LLM_PROVIDER = "nvidia-nim";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab1918b9200b582f Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:16
process.env.NVIDIA_NIM_LLM_MODE = "managed";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6868f100cf37a0e3 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:49
      process.env.LLM_PROVIDER === "nvidia-nim" &&

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #664a9f65a8a9f999 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:50
      process.env.NVIDIA_NIM_LLM_MODE === "managed"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a8304206c254b92 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:60
        process.env.NVIDIA_NIM_LLM_MODE = "remote";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #687f477f3726f538 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:74
      if (process.env.LLM_PROVIDER !== "nvidia-nim") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16d1b0e66f001872 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:75
      if (process.env.NVIDIA_NIM_LLM_MODE !== "managed") return;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37294044f6de633c Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:520
      process.env.NODE_ENV === "development"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75e9da35707ea8de Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:588
    if (process.env.NODE_ENV === "development" || !!process.env.NGC_PATCH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5b332ace3bf532b Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:629
          ...(process.env.NODE_ENV === "development" || !!process.env.NGC_PATCH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81e39180e3168064 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:874
    process.env.NVIDIA_NIM_LLM_NGC_API_KEY = newKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39bc1c3255fb8dcb Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:929
      process.env.NVIDIA_NIM_LLM_NGC_API_KEY = providedKey;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb3be042f090fe05 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:990
    if (!!process.env.NVIDIA_NIM_LLM_NGC_API_KEY) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c7c5331612fc6bc Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:992
        `Using stored NGC API key: ${process.env.NVIDIA_NIM_LLM_NGC_API_KEY.slice(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #413302f50167d294 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:995
        )}...${process.env.NVIDIA_NIM_LLM_NGC_API_KEY.slice(-5)}`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c4f363c5df7e274 Environment-variable access.
pkgs/npm/[email protected]/src/NimContainerManager.js:997
      this.ngcApiKey = process.env.NVIDIA_NIM_LLM_NGC_API_KEY;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

flowise-ui

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #d3657e50420f1086 Environment-variable access.
pkgs/npm/[email protected]/vite.config.js:47
            port: process.env.VITE_PORT ?? 8080,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95a9b88eb7c6d065 Environment-variable access.
pkgs/npm/[email protected]/vite.config.js:48
            host: process.env.VITE_HOST

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

global-agent

npm dependency
expand_more 24 low-confidence finding(s)
low env_fs dependency Excluded from app score #139759d7652ff545 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/classes/Agent.ts:112
    const rejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e612ddd9475f6108 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:62
const defaultNodeTlsRejectUnauthorized = process.env.NODE_TLS_REJECT_UNAUTHORIZED;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #634e9ce3c76c9440 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:136
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = defaultNodeTlsRejectUnauthorized;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2081d9c17af58a2d Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:343
  process.env.GLOBAL_AGENT_FORCE_GLOBAL_AGENT = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88f3c98c7c2241cb Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:359
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'null';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6d376777eab102b Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:371
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = 1;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #089b62a9e56973a6 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:385
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = 0;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfbe37a3cc8a9566 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:399
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = true;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d67c6e8212cb2ed Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:411
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = false;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82dafa3284699118 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:422
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'yes';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4ce06cd417e5e76 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:433
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = 'no';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62bb2f87c57c7cfc Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:461
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce38c35e1cbd7086 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:480
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cd2cd8f8095bb1f Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:499
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96ee02e421be323f Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:518
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4d2f40adbaa2ba8 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:538
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36dca726a30ea8ac Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:554
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a5af998b4d3843f Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:586
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61a5ead70dd4c032 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:687
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47338fc05e5d91f4 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:713
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9574fac4814d3a6c Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.test.ts:745
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f365e4db99cad8a1 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.ts:70
  proxyController.HTTP_PROXY = process.env[configuration.environmentVariableNamespace + 'HTTP_PROXY'] ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d818d8d4046e946e Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.ts:73
  proxyController.HTTPS_PROXY = process.env[configuration.environmentVariableNamespace + 'HTTPS_PROXY'] ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #928a5ee7ec31d45b Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/factories/createGlobalProxyAgent.ts:76
  proxyController.NO_PROXY = process.env[configuration.environmentVariableNamespace + 'NO_PROXY'] ?? null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

handlebars

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #d9f83d86ea3410a0 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:18
  var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #377966d88150b0b8 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:19
  var templateString = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f92acedc84af8f4 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:4
import fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20c4515580b2d244 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:113
          fs.readFile(path, 'utf8', function(err, data) {
            /* istanbul ignore next : Race condition that being too lazy to test */
            if (err) {
              return callback(err);
            }

            if (opts.bom && data.indexOf('\uFEFF') === 0) {
              data = data.substring(1);
            }

            // Clean the template name
            let name = path;
            if (!root) {
              name = basename(name);
            } else if (name.indexOf(root) === 0) {
              name = name.substring(root.length + 1);
            }
            name = name.replace(extension, '');

            ret.push({
              path: path,
              name: name,
              source: data
            });

            callback();
          });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87c1da73c109f556 Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:301
    fs.writeFileSync(opts.map, output.map, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed14012e4fea0e8e Filesystem access.
pkgs/npm/[email protected]/lib/precompiler.js:306
    fs.writeFileSync(opts.output, output, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1d9b01b0554dadd6 Filesystem access.
pkgs/npm/[email protected]/storage/disk.js:1
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer-azure-blob-storage

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #cbfcb4bc1881b5e1 Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:69
        options.connectionString = (options.connectionString || process.env.AZURE_STORAGE_CONNECTION_STRING || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee11662887dd6bb3 Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:71
            options.accessKey = (options.accessKey || process.env.AZURE_STORAGE_ACCESS_KEY || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa51cbdc1ccb1d90 Environment-variable access.
pkgs/npm/[email protected]/lib/MulterAzureStorage.js:72
            options.accountName = (options.accountName || process.env.AZURE_STORAGE_ACCOUNT || null);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

multer-cloud-storage

npm dependency
expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #85d7405a7a0ffdcd Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:118
        const bucket = opts.bucket || process.env.GCS_BUCKET || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #301e6474bb5cac4e Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:119
        const projectId = opts.projectId || process.env.GCLOUD_PROJECT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2bb3745b5cd6a87 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:120
        const keyFilename = opts.keyFilename || process.env.GCS_KEYFILE || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #445307857ac8c97d Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:9
        process.env.GCS_BUCKET = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb9ee43f5cc9fa6c Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:10
        process.env.GCLOUD_PROJECT = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7841e9175cb81c79 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:11
        process.env.GCS_KEYFILE = './test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a39d3719fc37dec0 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:14
        delete process.env.GCS_BUCKET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #449a90d3db7282f0 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:15
        delete process.env.GCLOUD_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d4cf3ad96b08150 Environment-variable access.
pkgs/npm/[email protected]/lib/index.spec.js:16
        delete process.env.GCS_KEYFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a608494da26403b1 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:12
    process.env.GCS_BUCKET = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a24e46e98be18327 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:13
    process.env.GCLOUD_PROJECT = 'test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25d2a0ff60fb13ad Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:14
    process.env.GCS_KEYFILE = './test';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03479e8499ec1e25 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:19
    delete process.env.GCS_BUCKET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1d9969a1fe53941 Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:20
    delete process.env.GCLOUD_PROJECT;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c30922f8b4a76bc Environment-variable access.
pkgs/npm/[email protected]/src/index.spec.ts:21
    delete process.env.GCS_KEYFILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35fc51fafb3de403 Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:111
		const bucket = opts.bucket || process.env.GCS_BUCKET || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7495eb966fa95785 Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:112
		const projectId = opts.projectId || process.env.GCLOUD_PROJECT || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7606b67126b789ba Environment-variable access.
pkgs/npm/[email protected]/src/index.ts:113
		const keyFilename = opts.keyFilename || process.env.GCS_KEYFILE || null;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mysql2

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #9ea2a545f878d34b Environment-variable access.
pkgs/npm/[email protected]/lib/packets/index.js:60
  if (process.env.NODE_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nanoid

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #7c92efbde4910355 Filesystem access.
pkgs/npm/[email protected]/bin/nanoid.js:18
  let json = readFileSync(join(import.meta.dirname, '..', 'package.json'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

node-cron

npm dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #4412d2c511b2d51c Filesystem access.
pkgs/npm/[email protected]__reposrc/rollup.config.js:5
import { rmSync } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e0188fa5df4ccc Environment-variable access.
pkgs/npm/[email protected]__reposrc/rollup.config.js:31
    noEmitOnError: process.env.NODE_ENV !== "development",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #274b3d7bbf228047 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:5
    delete process.env.NODE_CRON_RUN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d93755a6c926149 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:6
    delete process.env.CUSTOM_RUN_FLAG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a57183ad192a442e Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:14
    process.env.NODE_CRON_RUN = 'yes';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81ebaee94cad6aaa Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:19
    process.env.NODE_CRON_RUN = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a669a5f306815548 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:25
    process.env.NODE_CRON_RUN = 'false';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6ba6383730ab94e Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:31
    process.env.CUSTOM_RUN_FLAG = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7b8e857c1d941b0 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:37
    process.env.NODE_CRON_RUN = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2135d6ed602cd928 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.test.ts:39
    delete process.env.NODE_CRON_RUN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1549aec1ab01deb4 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/env-var-run-coordinator.ts:25
    const value = process.env[this.envName];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15133d58bf9d23a1 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/run-coordinator.test.ts:123
      delete process.env.NODE_CRON_RUN;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee49d770ddb37793 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/coordinator/run-coordinator.test.ts:147
      process.env.NODE_CRON_RUN = 'true';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c5bbb498520d131 Environment-variable access.
pkgs/npm/[email protected]__reposrc/src/time/dst-fuzz.test.ts:9
const SEED = Number(process.env.FUZZ_SEED) || 0xC0FFEE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openai

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #8c830dae917dc586 Environment-variable access.
pkgs/npm/[email protected]/azure.js:44
                endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee4d3d4348fe6bdb Environment-variable access.
pkgs/npm/[email protected]/azure.mjs:40
                endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea3629f719a96cf0 Environment-variable access.
pkgs/npm/[email protected]/src/azure.ts:97
        endpoint = process.env['AZURE_OPENAI_ENDPOINT'];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pg

npm dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #fccf78e4efe69529 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:15
    envVar = process.env['PG' + key.toUpperCase()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #924e65d27094d962 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:19
    envVar = process.env[envVar]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ddc13ea1c127e21 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:26
  switch (process.env.PGSSLMODE) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3fba8478c505d31 Environment-variable access.
pkgs/npm/[email protected]/lib/connection-parameters.js:127
      this.connect_timeout = process.env.PGCONNECT_TIMEOUT || 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c2afba1ea3e1ab9 Environment-variable access.
pkgs/npm/[email protected]/lib/defaults.js:5
  user = process.platform === 'win32' ? process.env.USERNAME : process.env.USER

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7062f23428bcea9 Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:41
  forceNative = !!process.env.NODE_PG_FORCE_NATIVE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

prom-client

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #663802acdd714059 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/osMemoryHeapLinux.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #276b432e3b97e9d2 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/osMemoryHeapLinux.js:53
				const stat = fs.readFileSync('/proc/self/status', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a532c30b7a8ec1d Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processMaxFileDescriptors.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ccc449a4a30a967 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processMaxFileDescriptors.js:14
			const limits = fs.readFileSync('/proc/self/limits', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68561f12542209b5 Filesystem access.
pkgs/npm/[email protected]/lib/metrics/processOpenFileDescriptors.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

s3-streamlogger

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #a56dfa8c29526c14 Environment-variable access.
pkgs/npm/[email protected]/index.js:18
    if(!(options.bucket || process.env.BUCKET_NAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67040688472c1600 Environment-variable access.
pkgs/npm/[email protected]/index.js:21
    this.bucket                 = options.bucket || process.env.BUCKET_NAME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sqlite3

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #d2dbfbeb70ca3b77 Filesystem access.
pkgs/npm/[email protected]/deps/extract.js:2
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typeorm

npm dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #e88971d205740e7e Environment-variable access.
pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:5
if ((process.env["NODE_OPTIONS"] ?? "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4bf7e7804cbac54 Environment-variable access.
pkgs/npm/[email protected]/browser/cli-ts-node-esm.js:13
                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a74ace418e27a60 Environment-variable access.
pkgs/npm/[email protected]/browser/driver/oracle/OracleDriver.js:221
            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2febabc8d0890d09 Environment-variable access.
pkgs/npm/[email protected]/browser/driver/postgres/PostgresDriver.js:273
            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fa322e23b81de06 Filesystem access.
pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:66
                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc8a6b24813556e1 Filesystem access.
pkgs/npm/[email protected]/browser/driver/sqljs/SqljsDriver.js:135
                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #721f2b695e07e10e Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.d.ts:3
export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb3f1094853f263e Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:8
const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3679bfba920cc26c Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:13
var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a4ac6921e7d8ad2 Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:137
        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bde796cdc6e7c4c Filesystem access.
pkgs/npm/[email protected]/browser/platform/PlatformTools.js:143
        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c1a714bc724daaa Filesystem access.
pkgs/npm/[email protected]/browser/util/ImportUtils.js:88
                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5efeb46677deb28 Environment-variable access.
pkgs/npm/[email protected]/cli-ts-node-esm.js:5
if ((process.env["NODE_OPTIONS"] ?? "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c7a71b6699acf60 Environment-variable access.
pkgs/npm/[email protected]/cli-ts-node-esm.js:13
                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36a3fd7a6505b800 Filesystem access.
pkgs/npm/[email protected]/commands/CommandUtils.js:71
        await promises_1.default.writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2fc0231d0d7ab05 Filesystem access.
pkgs/npm/[email protected]/commands/CommandUtils.js:79
        const file = await promises_1.default.readFile(filePath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bf886e0e549cf4c Filesystem access.
pkgs/npm/[email protected]/commands/InitCommand.js:79
            const packageJsonContents = await CommandUtils_1.CommandUtils.readFile(basePath + "/package.json");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60f46edf79d55e66 Filesystem access.
pkgs/npm/[email protected]/commands/InitCommand.js:597
        const ourPackageJson = JSON.parse(await CommandUtils_1.CommandUtils.readFile(node_path_1.default.resolve(__dirname, "..", "package.json")));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89e9cfa37649ed52 Environment-variable access.
pkgs/npm/[email protected]/driver/oracle/OracleDriver.js:221
            process.env.ORA_SDTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93fd742bc06609a1 Environment-variable access.
pkgs/npm/[email protected]/driver/postgres/PostgresDriver.js:273
            process.env.PGTZ = "UTC";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cc7c2a0eb94b153 Filesystem access.
pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:66
                    const database = PlatformTools_1.PlatformTools.readFileSync(fileNameOrLocalStorageOrData);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22b4011b6ad62214 Filesystem access.
pkgs/npm/[email protected]/driver/sqljs/SqljsDriver.js:135
                await PlatformTools_1.PlatformTools.writeFile(path, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #742679fc7cbe37bb Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.d.ts:3
export { ReadStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d70b28d19404763c Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:8
const fs_1 = tslib_1.__importDefault(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1022093204c9e3b3 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:13
var fs_2 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbf1904b07429571 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:137
        return fs_1.default.readFileSync(filename);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0913c60c8c06030 Filesystem access.
pkgs/npm/[email protected]/platform/PlatformTools.js:143
        return fs_1.default.promises.writeFile(path, data);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e859b249b85c6f43 Filesystem access.
pkgs/npm/[email protected]/util/ImportUtils.js:88
                const parsedPackage = JSON.parse(await promises_1.default.readFile(potentialPackageJson, "utf8"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

winston-azure-blob

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs tooling Excluded from app score unknown #a492d740a0b0ce10 Environment-variable access.
pkgs/npm/[email protected]__reposrc/examples/index.ts:18
                host: process.env.HOST || "host",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unknown #30beb9eacfc0169e Environment-variable access.
pkgs/npm/[email protected]__reposrc/examples/index.ts:19
                sasToken: process.env.SAS_TOKEN || "sasToken",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

winston-daily-rotate-file

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #38914a0139bd388d Filesystem access.
pkgs/npm/[email protected]/daily-rotate-file.js:1
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @keyv/redis prod — dist-only: no readable source
  • @types/bcryptjs prod — no javascript source
  • cache-manager prod — dist-only: no readable source
  • geoip-lite prod — tarball exceeds byte cap
  • @langchain/anthropic prod — scan budget exceeded
  • @langchain/aws prod — scan budget exceeded
  • @langchain/baidu-qianfan prod — scan budget exceeded
  • @langchain/classic prod — scan budget exceeded
  • @langchain/cloudflare prod — scan budget exceeded
  • @langchain/cohere prod — scan budget exceeded
  • @langchain/community prod — scan budget exceeded
  • @langchain/core prod — scan budget exceeded
  • @langchain/deepseek prod — scan budget exceeded
  • @langchain/exa prod — scan budget exceeded
  • @langchain/google-genai prod — scan budget exceeded
  • @langchain/google-vertexai prod — scan budget exceeded
  • @langchain/groq prod — scan budget exceeded
  • @langchain/langgraph prod — scan budget exceeded
  • @langchain/mistralai prod — scan budget exceeded
  • @langchain/mongodb prod — scan budget exceeded
  • @langchain/ollama prod — scan budget exceeded
  • @langchain/openai prod — scan budget exceeded
  • @langchain/pinecone prod — scan budget exceeded
  • @langchain/qdrant prod — scan budget exceeded
  • @langchain/redis prod — scan budget exceeded
  • @langchain/tavily prod — scan budget exceeded
  • @langchain/textsplitters prod — scan budget exceeded
  • @langchain/weaviate prod — scan budget exceeded
  • @langchain/xai prod — scan budget exceeded
  • @mem0/community prod — scan budget exceeded
  • @mendable/firecrawl-js prod — scan budget exceeded
  • @mistralai/mistralai prod — scan budget exceeded
  • @modelcontextprotocol/server-postgres prod — scan budget exceeded
  • @modelcontextprotocol/server-sequential-thinking prod — scan budget exceeded
  • @modelcontextprotocol/server-slack prod — scan budget exceeded
  • @notionhq/client prod — scan budget exceeded
  • @opensearch-project/opensearch prod — scan budget exceeded
  • @pinecone-database/pinecone prod — scan budget exceeded
  • @qdrant/js-client-rest prod — scan budget exceeded
  • @stripe/agent-toolkit prod — scan budget exceeded
  • @supabase/supabase-js prod — scan budget exceeded
  • @types/js-yaml prod — scan budget exceeded
  • @types/jsdom prod — scan budget exceeded
  • @upstash/redis prod — scan budget exceeded
  • @upstash/vector prod — scan budget exceeded
  • @zilliz/milvus2-sdk-node prod — scan budget exceeded
  • apify-client prod — scan budget exceeded
  • assemblyai prod — scan budget exceeded
  • cheerio prod — scan budget exceeded
  • chromadb prod — scan budget exceeded
  • cohere-ai prod — scan budget exceeded
  • composio-core prod — scan budget exceeded
  • couchbase prod — scan budget exceeded
  • css-what prod — scan budget exceeded
  • d3-dsv prod — scan budget exceeded
  • epub2 prod — scan budget exceeded
  • exa-js prod — scan budget exceeded
  • faiss-node prod — scan budget exceeded
  • fast-json-patch prod — scan budget exceeded
  • form-data prod — scan budget exceeded
  • google-auth-library prod — scan budget exceeded
  • graphql prod — scan budget exceeded
  • groq-sdk prod — scan budget exceeded
  • html-to-text prod — scan budget exceeded
  • ioredis prod — scan budget exceeded
  • ipaddr.js prod — scan budget exceeded
  • jsdom prod — scan budget exceeded
  • json5 prod — scan budget exceeded
  • jsonpointer prod — scan budget exceeded
  • jsonrepair prod — scan budget exceeded
  • langchain prod — scan budget exceeded
  • langfuse prod — scan budget exceeded
  • langfuse-langchain prod — scan budget exceeded
  • langsmith prod — scan budget exceeded
  • langwatch prod — scan budget exceeded
  • linkifyjs prod — scan budget exceeded
  • llamaindex prod — scan budget exceeded
  • lunary prod — scan budget exceeded
  • mammoth prod — scan budget exceeded
  • meilisearch prod — scan budget exceeded
  • mongodb prod — scan budget exceeded
  • neo4j-driver prod — scan budget exceeded
  • node-fetch prod — scan budget exceeded
  • node-html-markdown prod — scan budget exceeded
  • notion-to-md prod — scan budget exceeded