Close Open Privacy Scan

bolt Snapshot: commit b855688
science engine v2
schedule 2026-07-02T22:07:57.057621+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code. Dependency data flows are listed separately and do not affect this verdict.

App Privacy Score

97 /100
Low privacy risk

Low risk · 73 finding(s)

Dependency score: 82 (Low risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 1 medium 72 low
First-party packages: 1
Dependency packages: 14
Ecosystem: npm

swap_horiz Application data flows

No application data flows were found. See dependency data flows below.

hub Dependency data flows (1)
medium axios dependency Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:861 pkgs/npm/[email protected]/lib/adapters/http.js:1062

</> First-Party Code

first-party (npm)

npm first-party
expand_more 2 low-confidence finding(s)
low env_fs production #66db106662d58e9e Environment-variable access.
repo/documentation/examples/advanced-creation.js:113
				const secret = options.context.secret ?? process.env.SECRET;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aad974ccbfa26376 Environment-variable access.
repo/documentation/examples/gh-got.js:23
		token: process.env.GITHUB_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

axios

npm dependency
medium pii_flow dependency Excluded from app score #259b6a785443c5be Credentials parsed from the request URL are applied as authorization on the same outbound HTTP request. This is intentional URL authentication, not unexpected data exfiltration.
pkgs/npm/[email protected]/lib/adapters/http.js:1062 · flow /tmp/closeopen-3z5fi4v4/pkgs/npm/[email protected]/lib/adapters/http.js:861 → /tmp/closeopen-3z5fi4v4/pkgs/npm/[email protected]/lib/adapters/http.js:1062
      req = transport.request(options, function handleResponse(res) {
        clearConnectPhaseTimer();

        if (req.destroyed) return;

        const streams = [res];

        const responseLength = utils.toFiniteNumber(res.headers['content-length']);

        if (onDownloadProgress || maxDownloadRate) {
          const transformStream = new AxiosTransformStream({
            maxRate: utils.toFiniteNumber(maxDownloadRate),
          });

          onDownloadProgress &&
            transformStream.on(
              'progress',
              flushOnFinish(
                transformStream,
                progressEventDecorator(
                  responseLength,
                  progressEventReducer(asyncDecorator(onDownloadProgress), true, 3)
                )
              )
            );

          streams.push(transformStream);
        }

        // decompress the response body transparently if required
        let responseStream = res;

        // return the last request in case of redirects
        const lastRequest = res.req || req;

        // if decompress disabled we should not decompress
        if (decompress !== false && res.headers['content-encoding']) {
          // if no content, but headers still say that it is encoded,
          // remove the header not confuse downstream operations
          if (method === 'HEAD' || res.statusCode === 204) {
            delete res.headers['content-encoding'];
          }

          switch ((res.headers['content-encoding'] || '').toLowerCase()) {
            /*eslint default-case:0*/
            case 'gzip':
            case 'x-gzip':
            case 'compress':
            case 'x-compress':
              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'deflate':
              streams.push(new ZlibHeaderTransformStream());

              // add the unzipper to the body stream processing pipeline
              streams.push(zlib.createUnzip(zlibOptions));

              // remove the content-encoding in order to not confuse downstream operations
              delete res.headers['content-encoding'];
              break;
            case 'br':
              if (isBrotliSupported) {
                streams.push(zlib.createBrotliDecompress(brotliOptions));
                delete res.headers['content-encoding'];
              }
              break;
            case 'zstd':
              if (isZstdSupported) {
                streams.push(zlib.createZstdDecompress(zstdOptions));
                delete res.headers['content-encoding'];
              }
              break;
          }
        }

        responseStream = streams.length > 1 ? stream.pipeline(streams, utils.noop) : streams[0];

        const response = {
          status: res.statusCode,
          statusText: res.statusMessage,
          headers: new AxiosHeaders(res.headers),
          config,
          request: lastRequest,
        };

        if (responseType === 'stream') {
          // Enforce maxContentLength on streamed responses; previously this
          // was applied only to buffered responses.
          if (maxContentLength > -1) {
            const limit = maxContentLength;
            const source = responseStream;
            async function* enforceMaxContentLength() {
              let totalResponseBytes = 0;
              for await (const chunk of source) {
                totalResponseBytes += chunk.length;
                if (totalResponseBytes > limit) {
                  throw new AxiosError(
                    'maxContentLength size of ' + limit + ' exceeded',
                    AxiosError.ERR_BAD_RESPONSE,
                    config,
                    lastRequest
                  );
                }
                yield chunk;
              }
            }
            responseStream = stream.Readable.from(enforceMaxContentLength(), {
              objectMode: false,
            });
          }
          response.data = responseStream;
          settle(resolve, reject, response);
        } else {
          const responseBuffer = [];
          let totalResponseBytes = 0;

          responseStream.on('data', function handleStreamData(chunk) {
            responseBuffer.push(chunk);
            totalResponseBytes += chunk.length;

            // make sure the content length is not over the maxContentLength if specified
            if (maxContentLength > -1 && totalResponseBytes > maxContentLength) {
              // stream.destroy() emit aborted event before calling reject() on Node.js v16
              rejected = true;
              responseStream.destroy();
              abort(
                new AxiosError(
                  'maxContentLength size of ' + maxContentLength + ' exceeded',
                  AxiosError.ERR_BAD_RESPONSE,
                  config,
                  lastRequest
                )
              );
            }
          });

          responseStream.on('aborted', function handlerStreamAborted() {
            if (rejected) {
              return;
            }

            const err = new AxiosError(
              'stream has been aborted',
              AxiosError.ERR_BAD_RESPONSE,
              config,
              lastRequest,
              response
            );
            responseStream.destroy(err);
            reject(err);
          });

          responseStream.on('error', function handleStreamError(err) {
            if (rejected) return;
            reject(AxiosError.from(err, null, config, lastRequest, response));
          });

          responseStream.on('end', function handleStreamEnd() {
            try {
              let responseData =
                responseBuffer.length === 1 ? responseBuffer[0] : Buffer.concat(responseBuffer);
              if (responseType !== 'arraybuffer') {
                responseData = responseData.toString(responseEncoding);
                if (!responseEncoding || responseEncoding === 'utf8') {
                  responseData = utils.stripBOM(responseData);
                }
              }
              response.data = responseData;
            } catch (err) {
              return reject(AxiosError.from(err, null, config, response.request, response));
            }
            settle(resolve, reject, response);
          });
        }

        abortEmitter.once('abort', (err) => {
          if (!responseStream.destroyed) {
            responseStream.emit('error', err);
            responseStream.destroy();
          }
        });
      });

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #4d0631630027872b Environment-variable access.
pkgs/npm/[email protected]/lib/helpers/shouldBypassProxy.js:168
  const noProxy = (process.env.no_proxy || process.env.NO_PROXY || '').toLowerCase();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

@types/request

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #4626ee4d23e6992b Filesystem access.
pkgs/npm/@[email protected]/index.d.ts:9
import fs = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ava

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #60ffb50c49b8a9dd Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:297
		if (debug !== null && !process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #441a4787616a0ffe Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:454
	if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cc791488099f32c Environment-variable access.
pkgs/npm/[email protected]/lib/cli.js:496
		if (process.env.TEST_AVA) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2de76a290e00efb1 Filesystem access.
pkgs/npm/[email protected]/lib/code-excerpt.js:21
		contents = fs.readFileSync(new URL(file), 'utf8');

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d19e20b4439dc415 Environment-variable access.
pkgs/npm/[email protected]/lib/load-config.js:44
const gitScmFile = process.env.AVA_FAKE_SCM_ROOT ?? '.git';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b281297edfdc6db Filesystem access.
pkgs/npm/[email protected]/lib/scheduler.js:43
			failedTestFiles = JSON.parse(fs.readFileSync(filePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a7403dac274c7a5 Filesystem access.
pkgs/npm/[email protected]/lib/snapshot-manager.js:80
		return fs.readFileSync(file);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0928f82a4e2a92ae Environment-variable access.
pkgs/npm/[email protected]/lib/watcher.js:20
const takeCoverageForSelfTests = process.env.TEST_AVA ? v8.takeCoverage : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d85f33688620bd6 Filesystem access.
pkgs/npm/[email protected]/lib/worker/line-numbers.js:10
	const ast = acorn.parse(fs.readFileSync(file, 'utf8'), {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

bluebird

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #9a6fa5e8f0fb3089 Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.core.js:3812
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfd40da682512370 Environment-variable access.
pkgs/npm/[email protected]/js/browser/bluebird.js:5676
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ddb3f5c03fea178 Environment-variable access.
pkgs/npm/[email protected]/js/release/util.js:322
    return hasEnvVariables ? process.env[key] : undefined;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

c8

npm dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #734de8c69dbd5d44 Environment-variable access.
pkgs/npm/[email protected]/bin/c8.js:27
    process.env.NODE_V8_COVERAGE = argv.tempDirectory

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #923aa188831b1dd4 Environment-variable access.
pkgs/npm/[email protected]/lib/commands/report.js:40
    monocartArgv: (argv.experimentalMonocart || process.env.EXPERIMENTAL_MONOCART) ? argv : null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b11e24576198d849 Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:4
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c103fd99bcd6ffef Filesystem access.
pkgs/npm/[email protected]/lib/parse-args.js:18
        const config = JSON.parse(readFileSync(path))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17625dddbd87a6bc Environment-variable access.
pkgs/npm/[email protected]/lib/parse-args.js:129
      default: process.env.NODE_V8_COVERAGE

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7d8fe12ae8904e5 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:9
  ;({ readFile } = require('fs').promises)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68b0c735ed20b9ac Filesystem access.
pkgs/npm/[email protected]/lib/report.js:11
const { readdirSync, readFileSync, statSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #657e1acdf162e038 Filesystem access.
pkgs/npm/[email protected]/lib/report.js:452
        reports.push(JSON.parse(readFileSync(
          resolve(this.tempDirectory, file),
          'utf8'
        )))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #732186ea38d3d7bc Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:27
const { readFileSync } = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5b81edf7d0d163c Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:40
  const fileBody = readFileSync(filename).toString()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9192997ec40e290c Filesystem access.
pkgs/npm/[email protected]/lib/source-map-from-file.js:71
    const content = readFileSync(fileURLToPath(mapURL), 'utf8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

express

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #23b9d1092a768423 Environment-variable access.
pkgs/npm/[email protected]/lib/application.js:91
  var env = process.env.NODE_ENV || 'development';

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

np

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #dde1f08f5de7163d Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:10
			process.env.GITHUB_ACTIONS

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #460d459694ac95ae Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:11
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_URL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be885d3d5dc05fe9 Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:12
			&& process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6eb12531a1c3f14d Environment-variable access.
pkgs/npm/[email protected]/source/npm/oidc.js:18
		validate: () => process.env.GITLAB_CI && process.env.NPM_ID_TOKEN,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea5d5d3f6dd21f4b Environment-variable access.
pkgs/npm/[email protected]/source/prerequisite-tasks.js:30
			enabled: () => process.env.NODE_ENV !== 'test' && !package_.private,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pem

npm dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #ba47fa71151a34f2 Environment-variable access.
pkgs/npm/[email protected]/lib/debug.js:2
  if (process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #583ea90f555b3f12 Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:4
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32dd2d1d6cbe428f Environment-variable access.
pkgs/npm/[email protected]/lib/helper.js:7
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81fbaf71ff4933cd Filesystem access.
pkgs/npm/[email protected]/lib/helper.js:90
    fs.writeFileSync(PasswordFile, options.password)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33bcd242a7dec4d6 Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:6
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e92c3f75780e0977 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:11
var tempDir = process.env.PEMJS_TMPDIR || osTmpdir()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19836e53541d6538 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:15
if ("CI" in process.env && process.env.CI === 'true') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef604051ab739cd5 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:16
  if ("LIBRARY" in process.env && "VERSION" in process.env && process.env.LIBRARY != "" && process.env.VERSION != "") {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c403d4c8715dcb24 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:17
    const filePathOpenSSL=`./openssl/${process.env.LIBRARY}_v${process.env.VERSION}/bin/openssl`

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3295f2fa5461351 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:19
      process.env.OPENSSL_BIN = filePathOpenSSL

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08f894b949357e8f Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:129
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79521ad1157421ba Filesystem access.
pkgs/npm/[email protected]/lib/openssl.js:231
    fs.writeFileSync(file.path, file.contents)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4185ade59fad1ec6 Environment-variable access.
pkgs/npm/[email protected]/lib/openssl.js:266
  var pathBin = get('pathOpenSSL') || process.env.OPENSSL_BIN || 'openssl'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

readable-stream

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #6d6ccbc6db042949 Environment-variable access.
pkgs/npm/[email protected]/lib/ours/index.js:4
if (Stream && process.env.READABLE_STREAM === 'disable') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

request

npm dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #2d48cef1f4c412ca Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:45
  var noProxy = process.env.NO_PROXY || process.env.no_proxy || ''

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0703ff4879805923 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:62
    return process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1661136b6079b593 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:63
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be121ef554429514 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:67
    return process.env.HTTPS_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faacde822ce5ba9b Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:68
      process.env.https_proxy ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #260a5510e7d888d7 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:69
      process.env.HTTP_PROXY ||

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39561714beb1f520 Environment-variable access.
pkgs/npm/[email protected]/lib/getProxyFromURI.js:70
      process.env.http_proxy || null

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77de556d62a1a438 Filesystem access.
pkgs/npm/[email protected]/lib/har.js:3
var fs = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0759602ca1e0bb1 Environment-variable access.
pkgs/npm/[email protected]/request.js:133
Request.debug = process.env.NODE_DEBUG && /\brequest\b/.test(process.env.NODE_DEBUG)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

slow-stream

npm dependency
expand_more 3 low-confidence finding(s)
low env_fs dependency Excluded from app score #917e04ca8516e432 Filesystem access.
pkgs/npm/[email protected]/test.js:1
var fs               = require('fs')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a039d5cd4828327d Filesystem access.
pkgs/npm/[email protected]/test.js:31
fs.writeFile(testSourceFile, boganData, function (err) {
  assert(!err)

  var startTs = +new Date

  fs.createReadStream(testSourceFile, { bufferSize: chunkSize })
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: maxWriteInterval })) // this one is the slowest and should be the bottleneck
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 2) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 3) }))
    .pipe(new SlowStream({ maxWriteInterval: Math.round(maxWriteInterval / 10) }))
    .pipe(fs.createWriteStream(testDestFile))
    .on('close', function () {
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })
    })
    .on('error', console.log)
})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a339c20fd6f89be4 Filesystem access.
pkgs/npm/[email protected]/test.js:45
      fs.readFile(testDestFile, function (err, data) {
        assert(!err)

        var endTs  = +new Date
          , chunks = Math.ceil(boganData.length / chunkSize)
          , time   = endTs - startTs

        assert.equal(data.toString(), boganData)
        tick('Correctly read, throttled and wrote bogan data')
        fs.unlink(testSourceFile)
        fs.unlink(testDestFile)

        console.log(('Totle time = ' + time + ' ms @ ' + (Math.round((time / chunks) * 100) / 100) + ' ms per chunk, targetted ' + maxWriteInterval + ' ms per chunk').yellow)
      })

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tempy

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #dcee56adfd2f940b Filesystem access.
pkgs/npm/[email protected]/index.js:112
	fs.writeFileSync(filename, fileContent);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

then-busboy

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #30c45c41df55b7fc Filesystem access.
pkgs/npm/[email protected]/lib/cjs/listener/onFile.js:7
const fs_1 = require("fs");

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #663cbef3ee339b4c Filesystem access.
pkgs/npm/[email protected]/lib/esm/listener/onFile.js:2
import { createWriteStream } from "fs";

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

typescript

npm dependency
expand_more 10 low-confidence finding(s)
low env_fs dependency Excluded from app score #357d0c5c8b4ad311 Filesystem access.
pkgs/npm/[email protected]/lib/_tsserver.js:51
var import_fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c50784dc0bf4e937 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:309
    const envLogOptions = parseLoggingEnvironmentString(process.env.TSS_LOG);

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #144232198a4903bb Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:535
  const traceDir = commandLineTraceDir ? (0, typescript_exports.stripQuotes)(commandLineTraceDir) : process.env.TSS_TRACE;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5e7b193c40a399e Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:548
        const basePath = process.env.LOCALAPPDATA || process.env.APPDATA || import_os.default.homedir && import_os.default.homedir() || process.env.USERPROFILE || process.env.HOMEDRIVE && process.env.HOMEPATH && (0, typescript_exports.normalizeSlashes)(process.env.HOMEDRIVE + process.env.HOMEPATH) || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72a4fc4bd0ca2918 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:565
    if (process.env.XDG_CACHE_HOME) {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2e6b37b40c3bd9f Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:566
      return process.env.XDG_CACHE_HOME;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8302615916a5e8c9 Environment-variable access.
pkgs/npm/[email protected]/lib/_tsserver.js:569
    const homePath = import_os.default.homedir && import_os.default.homedir() || process.env.HOME || (process.env.LOGNAME || process.env.USER) && `/${usersDir}/${process.env.LOGNAME || process.env.USER}` || import_os.default.tmpdir();

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49b80560417085b8 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:44
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20bb8668a43595b9 Filesystem access.
pkgs/npm/[email protected]/lib/_typingsInstaller.js:88
    const content = JSON.parse(host.readFile(typesRegistryFilePath));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #104d8680e7e61005 Filesystem access.
pkgs/npm/[email protected]/lib/watchGuard.js:42
var fs = __toESM(require("fs"));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • cacheable-request prod — dist-only: no readable source
  • keyv prod — dist-only: no readable source

Development

  • @sindresorhus/tsconfig dev — no javascript source
  • expect-type dev — dist-only: no readable source
  • tough-cookie dev — dist-only: no readable source
  • tsx dev — dist-only: no readable source
  • xo dev — dist-only: no readable source