Close Open Privacy Scan

bolt Snapshot: commit 30f9fc7
science engine v3
schedule 2026-07-07T12:07:15.311763+00:00

verified_user No application data leak found

No high-confidence exfiltration was found in application code.

App Privacy Score

97 /100
Low privacy risk

Low risk · 32 finding(s)

Dependency score: 97 (Low risk)

bar_chart Score Breakdown

env_fs −3

list Scan Summary

0 high 0 medium 32 low
First-party packages: 1
Dependency packages: 3
Ecosystem: npm

swap_horiz External domains

day.js.org

</> First-Party Code

first-party (npm)

npm first-party
expand_more 24 low-confidence finding(s)
low env_fs production #d2e86aab0852b90f Environment-variable access.
repo/docs/docusaurus.config.ts:37
        process.env.NODE_ENV === "production"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97e363ee8b44040d Filesystem access.
repo/gulpfile.ts:2
import fs from "fs/promises"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7709ed036a247b0 Filesystem access.
repo/gulpfile.ts:88
    await fs.writeFile(`${buildDir}/index.mjs`, indexMjsContent, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73918587b381d159 Filesystem access.
repo/gulpfile.ts:96
    const pkg = JSON.parse(await fs.readFile("./package.json", "utf8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7ef06ab4dd00c32 Filesystem access.
repo/gulpfile.ts:110
    await fs.writeFile(
        "./build/package/package.json",
        JSON.stringify(pkg, null, 2) + "\n",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #765adaf03654306f Filesystem access.
repo/packages/codemod/src/dependencies/upgrade.ts:169
        raw = fs.readFileSync(filePath, "utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b20e0c8dcc1554d Filesystem access.
repo/packages/codemod/src/dependencies/upgrade.ts:189
            fs.writeFileSync(
                filePath,
                JSON.stringify(pkg, null, indent) + "\n",
                "utf8",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b0bcd08cef045f26 Environment-variable access.
repo/src/cli-ts-node-esm.ts:4
if ((process.env["NODE_OPTIONS"] ?? "").includes("--loader ts-node"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f125250c305fffe9 Environment-variable access.
repo/src/cli-ts-node-esm.ts:12
                process.env["NODE_OPTIONS"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ad8b0b21196c706 Filesystem access.
repo/src/commands/CommandUtils.ts:1
import fs from "fs/promises"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ceda97f4c40ec31 Filesystem access.
repo/src/commands/CommandUtils.ts:90
        await fs.writeFile(filePath, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6f9d79c122a0c465 Filesystem access.
repo/src/commands/CommandUtils.ts:99
        const file = await fs.readFile(filePath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #039d5b91be37754f Filesystem access.
repo/src/commands/InitCommand.ts:116
            const packageJsonContents = await CommandUtils.readFile(
                basePath + "/package.json",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51e7cfec60aebfe6 Filesystem access.
repo/src/commands/InitCommand.ts:717
            await CommandUtils.readFile(
                path.resolve(__dirname, "..", "package.json"),
            ),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb513e70dffff1ff Environment-variable access.
repo/src/driver/oracle/OracleDriver.ts:302
            process.env.ORA_SDTZ = "UTC"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06609d24f2bcc38c Environment-variable access.
repo/src/driver/postgres/PostgresDriver.ts:367
            process.env.PGTZ = "UTC"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3735a73675afa3bd Filesystem access.
repo/src/driver/sqljs/SqljsDriver.ts:94
                    const database = PlatformTools.readFileSync(
                        fileNameOrLocalStorageOrData,
                    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36fcfb9c8570cf02 Filesystem access.
repo/src/driver/sqljs/SqljsDriver.ts:176
                await PlatformTools.writeFile(path, content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86a37e262b43c930 Filesystem access.
repo/src/platform/PlatformTools.ts:5
import fs from "fs"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e356aae306a66e89 Filesystem access.
repo/src/platform/PlatformTools.ts:11
export { ReadStream } from "fs"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0190f8a3b57a2612 Filesystem access.
repo/src/platform/PlatformTools.ts:147
        return fs.readFileSync(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bb3965c44fbdbdf Filesystem access.
repo/src/platform/PlatformTools.ts:155
        return fs.promises.writeFile(path, data)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b9b6dd5513b79323 Filesystem access.
repo/src/util/ImportUtils.ts:1
import fs from "fs/promises"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0fba9a6a3920e9a8 Filesystem access.
repo/src/util/ImportUtils.ts:99
                    await fs.readFile(potentialPackageJson, "utf8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

</> Dependencies

dayjs

npm dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #a8d105d424775ee9 Environment-variable access.
pkgs/npm/[email protected]/esm/plugin/devHelper/index.js:4
  if (!process || process.env.NODE_ENV !== 'production') {

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63cb3e82e7b7c644 Environment-variable access.
pkgs/npm/[email protected]/plugin/devHelper.js:1
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).dayjs_plugin_devHelper=t()}(this,(function(){"use strict";return function(e,t,s){if(!process||"production"!==process.env.NODE_ENV){var o=t.prototype,n=o.parse;o.parse=function(e){var t=e.date;return"string"==typeof t&&13===t.length&&console.warn("To parse a Unix timestamp like "+t+", you should pass it as a Number. https://day.js.org/docs/en/parse/unix-timestamp-milliseconds"),"number"==typeof t&&4===String(t).length&&console.warn("Guessing you may want to parse the Year "+t+", you should pass it as a String "+t+", not a Number. Otherwise, "+t+" will be treated as a Unix timestamp"),e.args.length>=2&&!s.p.customParseFormat&&console.warn("To parse a date-time string like "+t+" using the given format, you should enable customParseFormat plugin first. https://day.js.org/docs/en/parse/string-format"),n.bind(this)(e)};var a=s.locale;s.locale=function(e,t,o){return void 0===t&&"string"==typeof e&&(s.Ls[e]||console.warn("Guessing you may want to use locale "+e+", you have to load it before using it. https://day.js.org/docs/en/i18n/loading-into-nodejs")),a(e,t,o)};var i=o.diff;o.diff=function(e,t,o){return(!e||!s(e).isValid())&&console.warn("Invalid usage: diff() requires a valid comparison date as the first argument. https://day.js.org/docs/en/display/difference"),i.call(this,e,t,o)}}}}));

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

debug

npm dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #538efcbb2a1197c7 Environment-variable access.
pkgs/npm/[email protected]/src/browser.js:230
		r = process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30e79ff976dc188c Environment-variable access.
pkgs/npm/[email protected]/src/node.js:136
	let val = process.env[key];

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ade3470559dea62 Environment-variable access.
pkgs/npm/[email protected]/src/node.js:205
		process.env.DEBUG = namespaces;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8239096165b5f0b9 Environment-variable access.
pkgs/npm/[email protected]/src/node.js:209
		delete process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a511f6e9096170d9 Environment-variable access.
pkgs/npm/[email protected]/src/node.js:221
	return process.env.DEBUG;

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

yargs

npm dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #e59e134493ef4c37 Environment-variable access.
pkgs/npm/[email protected]/lib/platform-shims/esm.mjs:29
    return process.env[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • tinyglobby prod — dist-only: no readable source