Open Privacy Scan

Snapshot: commit e653b37
engine v2
2026-07-05T00:08:23.236308+00:00

No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

87/100
Low privacy risk

Low risk · 182 finding(s)

Dependency score: 87 (Low risk)

Score Breakdown

egress −10
env_fs −3

Scan Summary

0 high 0 medium 182 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

External domains

opencollective.com

First-Party Code

first-party (npm)

npm first-party
40 low-confidence finding(s)
low env_fs test-only #9a8ad7043194f06e Environment-variable access.
repo/benchmarks/createDeepNestedDocArray.js:23
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #7e9e92c94988d4e6 Environment-variable access.
repo/benchmarks/findOneAndUpdateSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #63cb9ad2688f8746 Environment-variable access.
repo/benchmarks/findOneWithCast.js:38
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #853f4a73b9c4be4a Environment-variable access.
repo/benchmarks/insertManySimple.js:15
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #195b60080cf1d073 Environment-variable access.
repo/benchmarks/nestedArrayLarge.js:28
    if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #41f4554d4b830199 Environment-variable access.
repo/benchmarks/recursiveToObject.js:28
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs test-only #faf0a482d95de2c5 Environment-variable access.
repo/benchmarks/saveSimple.js:34
  if (!process.env.MONGOOSE_BENCHMARK_SKIP_SETUP) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #75b0ed7661ba3c4c Hardcoded external endpoint. Review what data is sent to this destination.
repo/docs/js/ask-ai.js:85
      const response = await fetch(endpoint, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          model: 'mongodb-chat-latest',
          stream: true,
          store: true,
          input: question
        })
      });

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #56ba7441974330ab Filesystem access.
repo/docs/source/api.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #816e6a056fe1f34f Filesystem access.
repo/docs/source/api.js:361
    const comments = dox.parseComments(fs.readFileSync(file, 'utf8'), { raw: true });

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee18eabcbfcf371f Filesystem access.
repo/docs/source/utils.js:2
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5de544302d2fee72 Filesystem access.
repo/docs/source/utils.js:20
    const content = fs.readFileSync(`${dirName}/${filename}`, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ba8f4efd0cf3aa3 Environment-variable access.
repo/lib/helpers/printJestWarning.js:5
if (typeof jest !== 'undefined' && !process.env.SUPPRESS_JEST_WARNINGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26e72404fc1db689 Filesystem access.
repo/scripts/generateLLMsTXT.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b34b7d29cbf7a08a Filesystem access.
repo/scripts/generateLLMsTXT.js:153
  await fs.promises.writeFile(llmsTxtPath, `${lines.join('\n').trim()}\n`);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbab60f96d8f1498 Filesystem access.
repo/scripts/generateSearch.js:7
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #adaf11c3fa3d6b03 Filesystem access.
repo/scripts/generateSearch.js:54
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8097dcfe7e0bc9e4 Filesystem access.
repo/scripts/generateSearch.js:90
      let text = fs.readFileSync(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f61c75739fe48791 Filesystem access.
repo/scripts/loadSponsorData.js:13
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #454b7108d00d003e Filesystem access.
repo/scripts/loadSponsorData.js:77
  fs.writeFileSync(`${docsDir}/data/sponsors.json`, JSON.stringify(subscribers, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f0ca1ae9afd2e9b Filesystem access.
repo/scripts/loadSponsorData.js:80
  fs.writeFileSync(`${docsDir}/data/jobs.json`, JSON.stringify(jobs, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #91aaaf3be1634fe5 Hardcoded external endpoint. Review what data is sent to this destination.
repo/scripts/loadSponsorData.js:82
  const opencollectiveSponsors = await fetch('https://opencollective.com/mongoose/members.json')

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #23e523d9f2022bdf Filesystem access.
repo/scripts/loadSponsorData.js:106
    fs.writeFileSync(`${docsDir}/data/opencollective.json`, JSON.stringify(opencollectiveSponsors, null, '  '));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2fdaecd9725f7b9d Filesystem access.
repo/scripts/setup-encryption-tests.js:14
  await writeFile('fle-cluster-config.json', JSON.stringify(configuration, null, 2));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03cc463f480fd7fd Environment-variable access.
repo/scripts/static.js:8
const port = process.env.PORT

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd8db0c325d8b536 Environment-variable access.
repo/scripts/static.js:9
  ? parseInt(process.env.PORT, 10)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #37e4ee74e87d0d8b Filesystem access.
repo/scripts/tsc-diagnostics-check.js:3
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ef023cfbf19253f Filesystem access.
repo/scripts/tsc-diagnostics-check.js:5
const stdin = fs.readFileSync(0).toString('utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f736976e821187d Filesystem access.
repo/scripts/update-mongodb-links.js:77
    const promise = fs.readFile(fullPath, { encoding: 'utf8' }).then(text => fs.writeFile(fullPath, mapURLsMongoDb(text)));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c3f6078491f34a5 Filesystem access.
repo/scripts/website.js:6
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44b7870848922fa7 Filesystem access.
repo/scripts/website.js:116
      retArray.push(acquit.parse(fs.readFileSync(file).toString()));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9f8da9a081a0891 Environment-variable access.
repo/scripts/website.js:333
  const versionedDeploy = process.env.DOCS_DEPLOY ? !(base.currentVersion.listed === base.latestVersion.listed) : false;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc7b68cc3bc30d5f Filesystem access.
repo/scripts/website.js:503
      await fs.promises.writeFile(versionedMarkdownPath, str);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b92b1014fca87053 Filesystem access.
repo/scripts/website.js:508
    await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a80ee01aa86aac2c Filesystem access.
repo/scripts/website.js:517
  let contents = fs.readFileSync(path.resolve(cwd, inputFile)).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cabcacd517053269 Filesystem access.
repo/scripts/website.js:530
      fs.writeFileSync(path.resolve(cwd, inputFile), contents);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63252aaf70ccbc79 Filesystem access.
repo/scripts/website.js:587
  await fs.promises.writeFile(newfile, str).catch((err) => {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d3305df50d3aa19 Filesystem access.
repo/scripts/website.js:596
    await fs.promises.writeFile(versionedMarkdownPath, markdownSource);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e84d6d40293e9a4b Environment-variable access.
repo/scripts/website.js:700
    if (process.env.GENERATE_SEARCH) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7e40c4067fb21cd Environment-variable access.
repo/scripts/website.js:715
    if (!!process.env.DOCS_DEPLOY && !!versionObj.versionedPath) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Dependencies

@ark/attest

npm dependency
9 low-confidence finding(s)
low env_fs dependency Excluded from app score #3a78f427f88fbb56 Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:131
    let fileText = readFile(path);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c88c5b550a176b3 Filesystem access.
pkgs/npm/@[email protected]/out/cache/snapshots.js:142
    writeFile(path, fileText);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e1a57439a5c566 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:29
            const contents = readFile(path).trim();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df5ef08cfdca08ba Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:45
        const contents = this.virtualEnv.sys.readFile(tsPath);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77503db72dfb97b8 Filesystem access.
pkgs/npm/@[email protected]/out/cache/ts.js:107
    const configFileText = readFileSync(path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4745d90fda7cdccd Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:133
        writeFile(summaryPath, outputCapture.getBuffer());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aa3f9cb1c54c82f Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:151
    writeFile(summaryPath, summaryContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5c2533741492d04 Filesystem access.
pkgs/npm/@[email protected]/out/cli/trace.js:552
    writeFile(filePath, content);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #311a49071b2b5aa8 Environment-variable access.
pkgs/npm/@[email protected]/out/fixtures.js:12
    process.env.ATTEST_CONFIG = JSON.stringify(config);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-ignore

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #452025543dd4bb00 Filesystem access.
pkgs/npm/[email protected]/docs.js:4
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa8a275c9713263e Filesystem access.
pkgs/npm/[email protected]/docs.js:6
let md = fs.readFileSync('./HEADER.md');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12a2bcf6d78edfdb Filesystem access.
pkgs/npm/[email protected]/docs.js:9
const blocks = acquit.parse(fs.readFileSync('./test/examples.test.js').toString());

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b524987c9bccd1ef Filesystem access.
pkgs/npm/[email protected]/docs.js:26
require('fs').writeFileSync('./README.md', md);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

acquit-require

npm dependency
8 low-confidence finding(s)
low env_fs dependency Excluded from app score #d1e1dfc6af855ae6 Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:8
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddacb3d892369ac7 Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:20
const text = fs.readFileSync(commander.path).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df7f2a8baa156ff4 Filesystem access.
pkgs/npm/[email protected]/bin/acquit-require.js:21
const tests = fs.readFileSync(commander.test).toString();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b92e45564a5c5f1 Filesystem access.
pkgs/npm/[email protected]/docs.js:1
const fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29373956128f0c83 Filesystem access.
pkgs/npm/[email protected]/docs.js:3
let readme = fs.readFileSync('./README.md', 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbf21e8c3e36e71f Filesystem access.
pkgs/npm/[email protected]/docs.js:5
const md = fs.readFileSync('./test/data/article.md').

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cf47bdbc4411257 Filesystem access.
pkgs/npm/[email protected]/docs.js:11
readme = readme.replace('[code]', fs.readFileSync('./test/data/simple.js'));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b00cdd10a17b4f4 Filesystem access.
pkgs/npm/[email protected]/docs.js:13
fs.writeFileSync('./README.md', readme);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
11 low-confidence finding(s)
low env_fs dependency Excluded from app score #cd7db69544c563c0 Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c4311e1a5a6d7ea Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c06aaef62e8197c Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f94757e22d8207c Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f2b7ab8ce6ce17d Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e836e35c800e04c Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #478780cdc973f503 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f7e5dd6c1fd740a Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70b5afb1bd68b9bb Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #647ab8369301acea Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58c2697419034f61 Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

eslint

npm dependency
13 low-confidence finding(s)
low env_fs dependency Excluded from app score #ef05d04f39ba6d8f Filesystem access.
pkgs/npm/[email protected]/lib/cli-engine/lint-result-cache.js:129
			results.source = fs.readFileSync(filePath, "utf-8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c4ec6a1f587131d Filesystem access.
pkgs/npm/[email protected]/lib/cli.js:133
			await writeFile(filePath, output);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #620b8120faf01eec Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1281
		const text = await fsp.readFile(filePath, {
			encoding: "utf8",
			signal: controller?.signal,
		});

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd7fb8d506637ead Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1326
	if (!process.env.ESLINT_FLAGS) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #781ee0255e0384d7 Environment-variable access.
pkgs/npm/[email protected]/lib/eslint/eslint-helpers.js:1330
	const envFlags = process.env.ESLINT_FLAGS.trim().split(/\s*,\s*/gu);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82ed7420448fe3a9 Filesystem access.
pkgs/npm/[email protected]/lib/eslint/eslint.js:825
					retrier.retry(() => fs.writeFile(r.filePath, r.output)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1562ae0fd548bf57 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:44
const enabled = !!process.env.TIMING;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #467fb81deb16834d Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:56
	if (typeof process.env.TIMING !== "string") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6ab61e5fc4a4f25 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:60
	if (process.env.TIMING.toLowerCase() === "all") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07ad23f2265ecdd0 Environment-variable access.
pkgs/npm/[email protected]/lib/linter/timing.js:64
	const TIMING_ENV_VAR_AS_INTEGER = Number.parseInt(process.env.TIMING, 10);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6848d770e753c57 Filesystem access.
pkgs/npm/[email protected]/lib/rule-tester/rule-tester.js:697
				let content = readFileSync(sourceFile, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad8219fa8b1d8d68 Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:217
			const data = await fs.promises.readFile(this.filePath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e672df56c344ffef Filesystem access.
pkgs/npm/[email protected]/lib/services/suppressions-service.js:240
		return fs.promises.writeFile(
			this.filePath,
			stringify(suppressions, { space: 2 }),
		);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #16a2d136948bd735 Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fs-extra

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #8b69bb80684ee447 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:24
      await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e9081fdb049c7b9 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:32
    await fs.writeFile(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #221fb5d57f39f2c0 Filesystem access.
pkgs/npm/[email protected]/lib/ensure/file.js:60
  fs.writeFileSync(file, '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2898a731c6c3001f Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:16
  return fs.writeFile(file, data, encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0a10f0f8a4850db Filesystem access.
pkgs/npm/[email protected]/lib/output-file/index.js:25
  fs.writeFileSync(file, ...args)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

markdownlint-cli2

npm dependency
5 low-confidence finding(s)
low env_fs dependency Excluded from app score #ace1a09c9065706f Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:38
const readJsonc = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(jsoncParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb77cc435d533ad2 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:41
const readToml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(tomlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12518d790f640812 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:44
const readYaml = (/** @type {string} */ file, /** @type {FsLike} */ fs) => fs.promises.readFile(file, utf8).then(yamlParse);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa6cc428df57b6a9 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:762
            subTasks.push(fs.promises.readFile(fileName, utf8).

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4beb68765d355e7 Filesystem access.
pkgs/npm/[email protected]/markdownlint-cli2.mjs:765
                return fs.promises.writeFile(fileName, fixed, utf8);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mocha

npm dependency
15 low-confidence finding(s)
low env_fs dependency Excluded from app score #2cb69b225e8dafc1 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:40
    require("js-yaml").load(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08c488f4c8fa3775 Filesystem access.
pkgs/npm/[email protected]/lib/cli/config.js:56
      require("strip-json-comments").default(fs.readFileSync(filepath, "utf8")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8234afd76897e5f8 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:27
  const css = fs.readFileSync(path.join(srcdir, "mocha.css"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e694048c1f5c314 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:28
  const js = fs.readFileSync(path.join(srcdir, "mocha.js"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c3e0f6189a53801 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:29
  const tmpl = fs.readFileSync(
    path.join(srcdir, "lib", "browser", "template.html"),
  );

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9b7233f9fef3be0 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:32
  fs.writeFileSync(path.join(destdir, "mocha.css"), css);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49f70b2bb2acf4e0 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:33
  fs.writeFileSync(path.join(destdir, "mocha.js"), js);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #276badd48e6ef388 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:34
  fs.writeFileSync(path.join(destdir, "tests.spec.js"), "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d720a9096545d50 Filesystem access.
pkgs/npm/[email protected]/lib/cli/init.js:35
  fs.writeFileSync(path.join(destdir, "index.html"), tmpl);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e1bed4bb88e5853 Filesystem access.
pkgs/npm/[email protected]/lib/cli/options.js:240
      configData = fs.readFileSync(filepath, "utf8");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88c2c8e2974cd6d0 Environment-variable access.
pkgs/npm/[email protected]/lib/cli/options.js:302
  const envConfig = parse(process.env.MOCHA_OPTIONS || "");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54c2034a3b9b007b Environment-variable access.
pkgs/npm/[email protected]/lib/reporters/base.js:57
  (supportsColor.stdout || process.env.MOCHA_COLORS !== undefined);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e6b5e1e90b296bd Filesystem access.
pkgs/npm/[email protected]/lib/reporters/json.js:90
        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de3ca3d6b01d73e6 Environment-variable access.
pkgs/npm/[email protected]/lib/utils.js:714
  return !!process.env.CI;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c89b23cf2610b7f Filesystem access.
pkgs/npm/[email protected]/mocha.js:14462
			        fs.writeFileSync(output, json);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mongodb

npm dependency
52 low-confidence finding(s)
low env_fs dependency Excluded from app score #d3b89cfe6d20b309 Filesystem access.
pkgs/npm/[email protected]/etc/prepare.js:3
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4d3c760ae42681d Environment-variable access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:57
    if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b0e7a2619799265f Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:339
            const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #838a800e49f789bc Filesystem access.
pkgs/npm/[email protected]/lib/client-side-encryption/state_machine.js:343
            options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #b1970bd5aee0de8c Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js:29
    const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #10dcc6759214967e Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:19
    if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b956fa5fe1abd463 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:20
        filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #912f5510f3276a64 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:22
    else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4151876d809136b Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js:23
        filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #103db2f464fab517 Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:4
const fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05f9e38e3c871c62 Environment-variable access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:15
    const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbecd15a4a61c9df Filesystem access.
pkgs/npm/[email protected]/lib/cmap/auth/mongodb_oidc/token_machine_workflow.js:19
    const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #648597e147a52da4 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:390
        MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0de06701a928a007 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:391
        MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1850eaafddd3d661 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:392
        MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9e4b0695fc4b9f0 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:393
        MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59e050e3d2c74ed7 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:394
        MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1372dbb6552516df Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:395
        MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6457f8c37fd1da1 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:396
        MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa54334f7c61c977 Environment-variable access.
pkgs/npm/[email protected]/lib/connection_string.js:397
        MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b76bd4f268bc7316 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:4
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2f71165e723b507 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:216
                options.ca ??= await fs_1.promises.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c028d7504f42e78 Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:219
                options.crl ??= await fs_1.promises.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f2f7feb9443912a Filesystem access.
pkgs/npm/[email protected]/lib/mongo_client.js:223
                    const contents = await fs_1.promises.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11b1701c1f29d401 Filesystem access.
pkgs/npm/[email protected]/lib/utils.js:53
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9ee097e003552e6 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:1
import * as fs from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e72481ef881fc28 Environment-variable access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:80
  if (process.env.MONGODB_CRYPT_DEBUG) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e94045e41c4b5317 Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:530
      const cert = await fs.readFile(tlsOptions.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c984dd243826fda Filesystem access.
pkgs/npm/[email protected]/src/client-side-encryption/state_machine.ts:534
      options.ca = await fs.readFile(tlsOptions.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #a06d2a58bb52da9b Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts:35
  const url = new URL(GCP_BASE_URL);

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #79734a90f120e8d5 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:1
import { readFile } from 'fs/promises';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92723cff6ca42a39 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:22
  if (process.env[AZURE_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24dec43ed3e3faa9 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:23
    filename = process.env[AZURE_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb24030105ac911c Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:24
  } else if (process.env[AWS_FILENAME]) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82047ce23dcd25a4 Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:25
    filename = process.env[AWS_FILENAME];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ed889eabee3ddb2 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts:29
  const token = await readFile(filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03c14e785b50ef78 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:1
import * as fs from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ccb7ca29536d8ab Environment-variable access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:16
  const tokenFile = process.env.OIDC_TOKEN_FILE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99c66a8e3297da81 Filesystem access.
pkgs/npm/[email protected]/src/cmap/auth/mongodb_oidc/token_machine_workflow.ts:20
  const token = await fs.promises.readFile(tokenFile, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ba7823ec9a895f5 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:530
      MONGODB_LOG_COMMAND: process.env.MONGODB_LOG_COMMAND,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #739d971119415fab Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:531
      MONGODB_LOG_TOPOLOGY: process.env.MONGODB_LOG_TOPOLOGY,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb9190802ebfbda2 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:532
      MONGODB_LOG_SERVER_SELECTION: process.env.MONGODB_LOG_SERVER_SELECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ed973de738c8d30 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:533
      MONGODB_LOG_CONNECTION: process.env.MONGODB_LOG_CONNECTION,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3b7ad85bfc249f1 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:534
      MONGODB_LOG_CLIENT: process.env.MONGODB_LOG_CLIENT,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3edd9b3ceea58d4f Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:535
      MONGODB_LOG_ALL: process.env.MONGODB_LOG_ALL,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a265ff789bcb17a Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:536
      MONGODB_LOG_MAX_DOCUMENT_LENGTH: process.env.MONGODB_LOG_MAX_DOCUMENT_LENGTH,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5395422ced551319 Environment-variable access.
pkgs/npm/[email protected]/src/connection_string.ts:537
      MONGODB_LOG_PATH: process.env.MONGODB_LOG_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bde50d98fafc98b Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:1
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7a1c950c582fa49 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:628
        options.ca ??= await fs.readFile(options.tlsCAFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2375c14513e7024 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:631
        options.crl ??= await fs.readFile(options.tlsCRLFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ea91e255727bd34 Filesystem access.
pkgs/npm/[email protected]/src/mongo_client.ts:635
          const contents = await fs.readFile(options.tlsCertificateKeyFile);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24fd47592924275e Filesystem access.
pkgs/npm/[email protected]/src/utils.ts:3
import { promises as fs } from 'fs';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ncp

npm dependency
1 low-confidence finding(s)
low env_fs dependency Excluded from app score #f18cc88d1e4a59ea Filesystem access.
pkgs/npm/[email protected]/lib/ncp.js:1
var fs = require('fs'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pug

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #63e3ed893f4c261d Filesystem access.
pkgs/npm/[email protected]/lib/index.js:13
var fs = require('fs');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a4843732ffb95c7 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:241
    if (str === undefined) str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #224d66bdc453ed02 Filesystem access.
pkgs/npm/[email protected]/lib/index.js:476
  var str = fs.readFileSync(options.filename, 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f658f40af316f4c Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:489
    process.env.NODE_ENV === 'production'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sift

npm dependency
4 low-confidence finding(s)
low env_fs dependency Excluded from app score #c507b45dfdbc78cf Environment-variable access.
pkgs/npm/[email protected]/es/index.js:585
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2355cb0589c86a4 Environment-variable access.
pkgs/npm/[email protected]/es5m/index.js:694
    else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dbc7350839f837e Environment-variable access.
pkgs/npm/[email protected]/lib/index.js:700
        else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e6e67a273ea9bf7 Environment-variable access.
pkgs/npm/[email protected]/src/operations.ts:413
  } else if (!process.env.CSP_ENABLED) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
10 low-confidence finding(s)
low env_fs dependency Excluded from app score #954ab9c8a76b757c Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60e196faebdfcf02 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ade2ffcc86f1c83f Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5e4dfcc101a729d Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42609b4f86fe79f1 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e5cb2d02980580f Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #625100d39a09bcc2 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0060a4d4a32fa2c5 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a261666ab0410408 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7db69fd9ecd90c8 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @standard-schema/spec prod — dist-only: no readable source

Development

  • @mongodb-js/mongodb-downloader dev — dist-only: no readable source
  • glob dev — dist-only: no readable source
  • mkdirp dev — dist-only: no readable source
  • tstyche dev — dist-only: no readable source
  • typescript-eslint dev — dist-only: no readable source